Attestation-Based Client Authentication should support use of keys that are stored non-locally

[15characterlimi]

Right now, eudi-lib-jvm-openid4vci-kt (“VCI library”) supports OAuth 2.0 Attestation-Based Client Authentication (docs), with is done by passing a custom Signer<JWK> instance as part of OpenId4VCIConfig.

However, eudi-lib-android-wallet-core (“core library”) does not currently support combining this with the custom Secure Area feature (EudiWallet.secureAreas). Specifically, DPoPSigner hard-codes local construction of keys, rather than using the SecureArea.

Could you please fix this, so that applications building on top of the core library can use Attestation-Based Client Authentication combined with using their custom implementations of SecureArea?

[15characterlimi]

P.S. I'm still ramping up on this space, sorry for having gotten the terminology wrong: I now learned that attestation-based client authentication is not what the Signer (and its implementation, DPoPSigner) is used for. My main point however is that DPoPSigner should use the SecureArea abstraction rather than hard-coding the key to be stored in keystore, and I believe this point stands.