
ProjectPasskeys: Replace requestedParties with rpId, and origins #9248

@maduvena

Description

RP.ID is set one time, and cannot be changed. It must be carefully considered, and is an integral part of the access control for the authenticat

For jans, this is how we should be doing it:

RP.ID must always be set
RP.ID must be set separately from ORIGINS
RP.ID must be just the HOST part, or FQDN
RP.ID needs clear documentation
Origins are a list of origins (protocol + host + port) that must be specified by the user separately

TODOs:

  1. Replace requestedParties with rpId, and origin
  2. Check ClientDataJson (contains origin)
     If the origin returned in ClientDataJson is in the list of allowed origins, then pass.
     Your origins can be, e.g., https://bank.com/ https://auth.bank.com/ https://internal.bank.com/

Origins can be a set, and can change
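The check described in the TODOs, as an added example that is not part of the issue or of the jans code base: rpId is configured once, the allowed origins are a separate set, and the origin carried in ClientDataJSON is compared against that set. The rpId, origin values and the helper names are constructed here; allowed origins are stored in the serialized-origin form that ClientDataJSON actually contains (scheme + host + optional port, no trailing slash).

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

# rpId is fixed once; origins are a separate set and may change (constructed values).
RP_ID = "bank.com"
ALLOWED_ORIGINS = {"https://bank.com", "https://auth.bank.com", "https://internal.bank.com"}


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256(rpId): the authenticator writes this into authenticatorData[0:32]."""
    return hashlib.sha256(rp_id.encode()).digest()


def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """rpId must equal the origin's host or be a dot-separated suffix of it.
    (Does not consult the public suffix list; rpId like 'com' would still be rejected
    by the explicit ALLOWED_ORIGINS check above.)"""
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def verify_client_data(client_data_json_b64: str, expected_challenge: bytes,
                       expected_type: str, authenticator_data: bytes) -> bool:
    """Validate type, challenge and origin from ClientDataJSON, then confirm the
    credential was scoped to RP_ID via the rpIdHash in authenticatorData."""
    client_data = json.loads(b64url_decode(client_data_json_b64))
    if client_data.get("type") != expected_type:
        return False
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False
    origin = client_data.get("origin", "")
    # Exact string match against the configured set; no prefix or wildcard logic.
    if origin not in ALLOWED_ORIGINS:
        return False
    if not rp_id_matches_origin(RP_ID, origin):
        return False
    return authenticator_data[:32] == rp_id_hash(RP_ID)


def make_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> str:
    """Build a constructed ClientDataJSON for testing (not real authenticator output)."""
    raw = json.dumps({"type": typ, "origin": origin,
                      "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()})
    return base64.urlsafe_b64encode(raw.encode()).rstrip(b"=").decode()
```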
