Certificate issuance order

In the "Applying for Certificate Issuance" (draft-ietf-acme-acme-10) topic of the ACME spec,

it shows that the server (Let's Encrypt in this case) will return a response like:

{
  "status": "pending",
  "expires": "2016-01-01T00:00:00Z",
  "notBefore": "2016-01-01T00:00:00Z",
  "notAfter": "2016-01-08T00:00:00Z",
  "identifiers": [
    { "type": "dns", "value": "example.com" },
    { "type": "dns", "value": "www.example.com" }
  ],
  "authorizations": [
    "https://example.com/acme/authz/1234",
    "https://example.com/acme/authz/2345"
  ],
  "finalize": "https://example.com/acme/order/asdf/finalize"
}

Now my question:
Since the authorizations array in the response is not in any way related/linked with the identifiers array,
how is a client supposed to know which authorization URL (from the authorizations array) is linked to which domain name (from the identifiers array)?

For example, in the above case, which authorization URL belongs to www.example.com and which belongs to example.com?

Hi @komuw, thanks for the question.

Your client needs to GET each of the authorization URLs to find out more about the authorization. Each authorization will have its own singular identifier field that will correspond to one of the plural identifiers from the order.

The only complication is that a wildcard identifier in an order is allowed to have the value "*.whatever.com", but the identifier in the corresponding authorization is not allowed to have the *. prefix, so its identifier value will be whatever.com. The way you can tell that this is actually an authorization for a wildcard identifier is that the authorization will also have a wildcard: true field.

I hope that helps explain things. The wildcard bit is a little confusing but that's the way the working group consensus went 🙂

2 Likes

Thanks @cpu. This will help me resolve: https://github.com/komuw/sewer/issues/83

One other semi-related question:

If a client wants to request certificates for example.com and *.example.com,
will the DNS records for both be
_acme-challenge.example.com, or should the wildcard have a different record?

1 Like

@komuw, you would need two TXT records for _acme-challenge.example.com, with different challenge values; one for example.com and one for *.example.com.

3 Likes
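The two answers above (matching authorization URLs back to order identifiers, including the wildcard rule, and the fact that example.com and *.example.com share one dns-01 record name) as an added example; this is not code from the thread or from the sewer project. The order and authorization bodies are constructed to mirror the quoted draft-10 example, with a wildcard identifier added, and `fetch` stands in for the HTTP GET of each authorization URL.

```python
# Constructed sample order, modelled on the draft-ietf-acme-acme-10 example
# quoted in the thread, with "*.example.com" added to show the wildcard rule.
ORDER = {
    "status": "pending",
    "identifiers": [
        {"type": "dns", "value": "example.com"},
        {"type": "dns", "value": "*.example.com"},
    ],
    "authorizations": [
        "https://example.com/acme/authz/1234",
        "https://example.com/acme/authz/2345",
    ],
}

# Constructed bodies that a GET of each authorization URL would return. The
# wildcard authorization carries the bare name plus "wildcard": true, never "*.".
AUTHZ_BODIES = {
    "https://example.com/acme/authz/1234": {
        "identifier": {"type": "dns", "value": "example.com"},
        "status": "pending",
    },
    "https://example.com/acme/authz/2345": {
        "identifier": {"type": "dns", "value": "example.com"},
        "wildcard": True,
        "status": "pending",
    },
}


def order_identifier(authz):
    """Rebuild the order-side identifier value from an authorization body."""
    value = authz["identifier"]["value"]
    return "*." + value if authz.get("wildcard") else value


def map_authorizations(order, fetch):
    """Return {identifier value: authorization URL}; fetch(url) GETs the authz JSON."""
    mapping = {order_identifier(fetch(url)): url for url in order["authorizations"]}
    wanted = {ident["value"] for ident in order["identifiers"]}
    # Every identifier must be covered exactly once; anything else is a server bug
    # or a client that mis-parsed the wildcard flag.
    if set(mapping) != wanted or len(mapping) != len(order["authorizations"]):
        raise ValueError(f"authorizations {sorted(mapping)} do not match {sorted(wanted)}")
    return mapping


def dns01_record_name(identifier_value):
    """TXT name for dns-01: the "*." prefix is dropped, so both identifiers share it."""
    bare = identifier_value[2:] if identifier_value.startswith("*.") else identifier_value
    return "_acme-challenge." + bare
```

Because `dns01_record_name` yields the same name for both identifiers, the client must publish two TXT records under that one name (one challenge value each) rather than replacing the first with the second.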

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.