Clarify what absence of scope from credential_configurations_supported means

[jogu]

Some people are apparently pushing the interpretation that the optional "scope" element being missing from https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-16.html#section-11.2.4 means that the credential configuration id should be used as the scope instead.

I believe the correct interpretation is that RAR must be used. We should add a sentence like:

If not present, the credential can only be requested using authorization_details

[jogu]

This is kind of mentioned in https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-16.html#section-3.3.4 but also isn't really clear there.

[Sakurann]

if no scope, RAR, given there is authorization_details_types_supported AS metadata parameter present;
if both scope and authorization_details_types_supported is absent, invalid AS/issuer metadata.

[Sakurann]

@lchacha to do a PR