feat(auth): configurable OpenID4VCI request profiles with built-in AET profile

[reinkrul]

Implements #4338.

What

Adds named request profiles. A profile is a curated bundle of request parameters selected by name, so callers (EHRs) don't have to spell out issuer-specific parameters themselves.

• New optional profile field on the requestCredential body.
• Config: auth.experimental.profile.<name>.authrequest (map[string][]string) sets authorization request parameters.
• Built-in aet profile (AET UZI smartcard issuer) is provided via DefaultConfig(): auth_method=SmartCard, scope="openid profile api". Operator config under the same name is layered over the default by normal config loading.

auth:
  experimental:
    profile:
      aet:
        authrequest:
          auth_method: [SmartCard]
          scope: ["openid profile api"]

{
  "issuer": "https://issuer.example.com/oauth",
  "wallet_did": "did:web:example.com",
  "authorization_details": [ { "type": "openid_credential", "credential_configuration_id": "..." } ],
  "redirect_uri": "https://example.com/oauth2/org1/callback",
  "profile": "aet"
}

-> redirect: .../authorize?...&auth_method=SmartCard&scope=openid+profile+api.

Behavior

• Apply order on the authorization request: node parameters -> profile authrequest (trusted config; may override node parameters, multi-valued) -> authorization_request_params (may only add; still cannot override node parameters).
• Unknown profile name -> 400.
• authrequest is map[string][]string -> a single value renders as one query parameter; multiple values render as repeated parameters.
• Omitted profile -> unchanged behavior. Fully additive.

Changes

• auth/config.go: ExperimentalConfig.Profiles + ProfileConfig; built-in aet in DefaultConfig.
• auth/auth.go + auth/interface.go (+ regenerated mocks): AuthorizationRequestProfile lookup.
• docs/_static/auth/v2.yaml + make gen-api: profile request field.
• auth/api/iam/openid4vci.go: resolve + apply the profile (multi-value query) in RequestOpenid4VCICredentialIssuance.
• Tests: accessor (auth), handler (auth/api/iam: profile applied, unknown profile rejected).

Notes

• EXPERIMENTAL: config is under auth.experimental; subject to change.
• Builds on authorization_request_params (feat(auth): add authorization_request_params to OpenID4VCI requestCredential API #4333, merged) and keeps it as the low-level escape hatch.
• Also running on project-gf-pilot (where it sits on top of the client-auth work).
• Commit history on the branch is messy ("wip"); will be squashed at merge.

🤖 Assisted by AI

[reinkrul]

We should consider moving the authorization request initiator code to the OAuth2 client, because there's too much coupling between API and module now.

[qltysh]

Coverage Impact

⬆️ Merging this pull request will increase total coverage on master by 0.02%.

Modified Files with Diff Coverage (3)

Rating	File	% Diff	Uncovered Line #s
	auth/auth.go	100.0%
	auth/config.go	100.0%
	auth/api/iam/openid4vci.go	100.0%
	Total	100.0%

🚦 See full report on Qlty Cloud »

🛟 Help

• Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

• Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

• File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

  • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.