usnistgov/800-63-3

Clarify use of "authorization credential"

Closed this issue · 1 comment

(Submitted by MITRE)

In 800-63C, Section 6, seventh paragraph:

"The RP MAY fetch additional identity attributes from the IdP in one or more separate transactions using an authorization credential issued alongside the original assertion." Since "authorization credential" is not defined and used but twice in the document, what does it mean? Is the IdP issuing a credential to the RP that it has no direct contact with?

Suggest: Delete the phrase "using an authorization credential issued alongside the original assertion." The issuer is explicitly declared in the assertion, allowing any RP the opportunity to validate the assertion or request additional attributes. Also address reference in Section 7.1.

We should define "authorization credential" explicitly within the document, but we should not delete the phrase as suggested. A real-world example: an OIDC ID Token is the federation assertion, but the access token issued alongside it is the authorization credential allowing the RP to fetch attributes separately from the assertion itself. The goal of the current language was to not tie the requirements to specific technology stacks.
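The OIDC mapping in the comment above, as an added example that is not code from this issue or from the 800-63 documents: the ID Token is the assertion the RP must validate on its own (signature, issuer, audience, expiry), while the access token is only a bearer credential presented back to the IdP to fetch attributes, and the RP must still bind those attributes to the assertion's subject. The IdP, client_id, HS256 shared key and in-memory token table are constructed stand-ins for a real deployment's JWKS keys and token store.

```python
import base64, hashlib, hmac, json, secrets

IDP_KEY = b"constructed-demo-key"  # HS256 stands in for the IdP's real signing key
ISSUER = "https://idp.example"      # hypothetical IdP
CLIENT_ID = "rp-example"            # hypothetical RP client_id
ACCESS_TOKENS = {}                  # IdP's in-memory map of issued access tokens

def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(sub, now):
    """IdP side: the federation assertion, an HS256-signed JWT."""
    hdr = _b64(b'{"alg":"HS256"}')
    body = _b64(json.dumps({"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
                            "exp": now + 300}).encode())
    sig = hmac.new(IDP_KEY, f"{hdr}.{body}".encode(), hashlib.sha256).digest()
    return f"{hdr}.{body}.{_b64(sig)}"

def issue_tokens(sub, now):
    """IdP side: assertion plus an opaque bearer token (the authorization credential)."""
    token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[token] = {"sub": sub, "exp": now + 3600}
    return {"id_token": mint_id_token(sub, now), "access_token": token}

def userinfo(bearer, now):
    """Stand-in for the IdP's UserInfo endpoint: it checks only the bearer token."""
    rec = ACCESS_TOKENS.get(bearer)
    if rec is None or rec["exp"] <= now:
        raise PermissionError("invalid or expired access token")
    return {"sub": rec["sub"], "email": f"{rec['sub']}@example.test"}

def verify_assertion(id_token, now):
    """RP side: signature, issuer, audience and expiry of the assertion itself."""
    hdr, body, sig = id_token.split(".")
    mac = hmac.new(IDP_KEY, f"{hdr}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID or claims["exp"] <= now:
        raise ValueError("issuer, audience or expiry check failed")
    return claims

def rp_login(tokens, now):
    """RP flow: the assertion proves identity; the access token only fetches attributes."""
    claims = verify_assertion(tokens["id_token"], now)
    attrs = userinfo(tokens["access_token"], now)
    if attrs["sub"] != claims["sub"]:  # OIDC Core 5.3.2: UserInfo sub must match ID Token sub
        raise ValueError("UserInfo subject does not match the assertion subject")
    return {**claims, **attrs}
```

The last check is the one that makes the two credentials cohere: the access token fetches attributes, but only the validated assertion says whose attributes they must be.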