Copilot AI commented Jan 28, 2026

The existing auth.authorizationendpoint.enabled flag controls both OpenID4VP and OpenID4VCI flows. This adds auth.openid4vci.enabled to enable them independently.

Changes

  • New configuration: auth.openid4vci.enabled flag and OpenID4VCIConfig struct
  • Authorization endpoint logic:
    • response_type=vp_token: requires auth.authorizationendpoint.enabled (OpenID4VP only)
    • response_type=code: requires either flag enabled (used by both regular auth flow and OpenID4VCI issuance)
  • Metadata endpoint: exposes authorization_endpoint if either config is enabled
  • Callback endpoint: accessible if either config is enabled

Behavior Matrix

| OpenID4VP | OpenID4VCI | response_type=vp_token | response_type=code |
|---|---|---|---|
| false | false | ❌ disabled | ❌ disabled |
| true | false | ✅ enabled | ✅ enabled |
| false | true | ❌ disabled | ✅ enabled |
| true | true | ✅ enabled | ✅ enabled |

Interface Change

Added OpenID4VCIAuthorizationEndpointEnabled() bool to AuthenticationServices interface.

Original prompt

This section details on the original issue you should resolve

<issue_title>Introduce configuration option to only enable OpenID4VCI</issue_title>
<issue_description>Current NUTS_AUTH_AUTHORIZATIONENDPOINT_ENABLED enables both OpenID4VP and OpenID4VCI, but I don't feel like OpenID4VP is ready to enable, while OpenID4VCI is.</issue_description>

Comments on the Issue (you are @copilot in this section)
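
The behavior matrix above, expressed as a gate in front of the authorization endpoint. This is an added example, not the project's code: `Config`, `Allowed`, `Gate`, `Probe`, the `/authorize` path and the 400 status are assumptions; only the two flag names and the per-`response_type` rules come from the PR description.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Config is a hypothetical stand-in for the two flags named in the PR.
type Config struct {
	OpenID4VP  bool // auth.authorizationendpoint.enabled
	OpenID4VCI bool // auth.openid4vci.enabled
}

// Allowed applies the PR's rules; rejecting other response_types is an assumption.
func (c Config) Allowed(responseType string) bool {
	switch responseType {
	case "vp_token":
		return c.OpenID4VP
	case "code":
		return c.OpenID4VP || c.OpenID4VCI
	}
	return false
}

// Gate blocks disabled flows before next; the 400 status is an assumption.
func Gate(c Config, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !c.Allowed(r.URL.Query().Get("response_type")) {
			http.Error(w, "flow disabled", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one constructed request through the gate and returns the status.
func Probe(c Config, responseType string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	Gate(c, ok).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/authorize?response_type="+responseType, nil))
	return rec.Code
}

func main() {
	for _, c := range []Config{{false, false}, {true, false}, {false, true}, {true, true}} {
		fmt.Printf("%+v vp_token=%d code=%d\n", c, Probe(c, "vp_token"), Probe(c, "code"))
	}
}
```

The row to watch is OpenID4VCI-only: `response_type=code` passes while `response_type=vp_token` is refused, so OpenID4VP stays off.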



@reinkrul
Member

@copilot Call it OpenID4VCI.Enabled.

Copilot AI and others added 5 commits January 28, 2026 16:34
Co-authored-by: reinkrul <1481228+reinkrul@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Introduce configuration option for OpenID4VCI" to "Add separate configuration for OpenID4VCI authorization endpoint" on Jan 28, 2026
Copilot AI requested a review from reinkrul January 28, 2026 16:49
@qltysh

qltysh bot commented Jan 28, 2026

Coverage Impact

This PR will not change total coverage.

Modified Files with Diff Coverage (3)

| Rating | File | % Diff | Uncovered Line #s |
|---|---|---|---|
| Coverage rating: C Coverage rating: D | auth/auth.go | 0.0% | 97-99 |
| Coverage rating: A Coverage rating: A | auth/cmd/cmd.go | 100.0% | |
| Coverage rating: B Coverage rating: B | auth/api/iam/api.go | 74.1% | 491-497 |
| | Total | 70.6% | |
In the `copilot/introduce-openid4vci-config` branch, add test coverage for this new code:

- `auth/api/iam/api.go` -- Line 491-497
- `auth/auth.go` -- Line 97-99


Co-authored-by: reinkrul <1481228+reinkrul@users.noreply.github.com>
Author

Copilot AI commented Jan 28, 2026

> @copilot Call it
>
> ...

Done in commit 95788bf. Renamed OpenID4VCIAuthorizationEndpoint to OpenID4VCI.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.com
    • Triggering command: `/tmp/go-build1215061387/b903/iam.test /tmp/go-build1215061387/b903/iam.test -test.testlogfile=/tmp/go-build1215061387/b903/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.short=true 1.75.0/peer/peer-errorsas mpile ux-amd64/pkg/tool/linux_amd64/vet --gdwarf-5 --64 l/linux_amd64/cg-bool ux-amd64/pkg/too-buildtags -qui… @v5.2.2/chain.go-errorsas @v5.2.2/chi.go ux-amd64/pkg/tool/linux_amd64/vet . -imultiarch mpile ux-amd64/pkg/too-buildtags` (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
