This repository was archived by the owner on Oct 18, 2025. It is now read-only.

Description
It seems to me that I can infer that DPoP is supported by presence of a nonempty dpop_signing_alg_values_supported. Likewise, I can infer that bearer tokens are not supported by presence of an empty bearer_methods_supported array.
So I'm left to wonder: what additional utility does dpop_bound_access_tokens_required give anyone? And, in particular, I'm worried that its semantics will just result in confusion as additional methods are added. Let's say we have a NewSuperAuthMethod, and the endpoint declares support for it, but also declares "dpop_bound_access_tokens_required": true; does that mean it's actually not supported? I have to include a DPoP proof JWT alongside NewSuperAuthMethod?
So I don't think the metadata value provides any value here and just sows confusion and should be removed.
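The inference described in this issue, written out as a metadata consistency check. This is an added example, not part of the original issue or of any specification text. The function name, the result labels, the treatment of an absent `bearer_methods_supported` key as "unknown", and the sample documents are all assumptions made for illustration.

```python
def infer_token_methods(metadata):
    """Compare dpop_bound_access_tokens_required with what the two arrays imply."""
    algs = metadata.get("dpop_signing_alg_values_supported")
    bearer = metadata.get("bearer_methods_supported")
    required = metadata.get("dpop_bound_access_tokens_required")

    # Inference from the issue: a non-empty algorithm list means DPoP is supported.
    dpop_supported = isinstance(algs, list) and len(algs) > 0
    # Inference from the issue: an empty array means bearer tokens are not supported.
    # Assumption: an absent key is "unknown" rather than "unsupported".
    if bearer is None:
        bearer_state = "unknown"
    elif isinstance(bearer, list) and not bearer:
        bearer_state = "unsupported"
    else:
        bearer_state = "supported"
    dpop_only = dpop_supported and bearer_state == "unsupported"

    if required is None:
        flag = "absent"
    elif not isinstance(required, bool):
        flag = "invalid"           # e.g. the string "true" instead of a boolean
    elif required and (not dpop_supported or bearer_state == "supported"):
        flag = "conflicting"       # flag demands DPoP, arrays say otherwise
    elif required == dpop_only:
        flag = "redundant"         # flag repeats what the arrays already say
    elif required:
        flag = "adds-information"  # DPoP supported, bearer status unknown
    else:
        flag = "conflicting"       # arrays say DPoP-only, flag says not required
    return {"dpop_supported": dpop_supported, "bearer": bearer_state,
            "dpop_only_inferred": dpop_only, "flag": flag}

# Constructed sample metadata documents (not taken from any real server).
SAMPLES = {
    "arrays_and_flag_agree": {"dpop_signing_alg_values_supported": ["ES256"],
                              "bearer_methods_supported": [],
                              "dpop_bound_access_tokens_required": True},
    "bearer_also_listed": {"dpop_signing_alg_values_supported": ["ES256"],
                           "bearer_methods_supported": ["header"],
                           "dpop_bound_access_tokens_required": True},
    "bearer_key_absent": {"dpop_signing_alg_values_supported": ["ES256"],
                          "dpop_bound_access_tokens_required": True},
    "no_algs_listed": {"bearer_methods_supported": [],
                       "dpop_bound_access_tokens_required": True},
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, infer_token_methods(doc))
```
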