Like there can be OpenID GET/POST and Artifact Binding for CX, there can be WRAP binding as well. It is fairly trivial, arguably more trivial than to define OpenID bindings.
- Send CX proposal as an additional parameter on the Verification Code Request. Use wrap_client_id as the proposer’s identifier.
- On the PoP verification page, display the terms and conditions included in the proposal.
- Create the Verification code from the signature of the proposal and some nonce and random.
- Web App Client sends the proposal again as an additional parameter on Access Token Request.
- Sign the proposal to create the contract, serialize it with Base64 without line end, and return it as the access token on Access Token Response.