Hi, Since the "authorization_details" parameter is newly introduced I feel it would be better to show how this is used with the existing authorization request at the beginning of the specification. Maybe a small sample of the complete authorization request in the "introduction" section.
Also, in the "Security Considerations" section it says Authorization details are sent through the user agent in case of an OAuth authorization request, which makes them vulnerable to modifications by the *user*. Do we really need to worry that the "authorization_details" could be manipulated by the user(Resource Owner) as the client is trying to access the users' resources which the user is giving consent to? Also, the resulting token will contain the given permissions as well. Best Regards, Janak Amarasena On Sat, Sep 21, 2019 at 11:21 PM Torsten Lodderstedt < tors...@lodderstedt.net> wrote: > Hi all, > > I just published a draft about “OAuth 2.0 Rich Authorization Requests” > (formerly known as “structured scopes”). > > https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02 > > It specifies a new parameter “authorization_details" that is used to carry > fine grained authorization data in the OAuth authorization request. This > mechanisms was designed based on experiences gathered in the field of open > banking, e.g. PSD2, and is intended to make the implementation of rich and > transaction oriented authorization requests much easier than with current > OAuth 2.0. > > I’m happy that Justin Richer and Brian Campbell joined me as authors of > this draft. We would would like to thank Daniel Fett, Sebastian Ebling, > Dave Tonge, Mike Jones, Nat Sakimura, and Rob Otto for their valuable > feedback during the preparation of this draft. > > We look forward to getting your feedback. > > kind regards, > Torsten. > > Begin forwarded message: > > *From: *internet-dra...@ietf.org > *Subject: **New Version Notification for > draft-lodderstedt-oauth-rar-02.txt* > *Date: *21. September 2019 at 16:10:48 CEST > *To: *"Justin Richer" <i...@justin.richer.org>, "Torsten Lodderstedt" < > tors...@lodderstedt.net>, "Brian Campbell" <bcampb...@pingidentity.com> > > > A new version of I-D, draft-lodderstedt-oauth-rar-02.txt > has been successfully submitted by Torsten Lodderstedt and posted to the > IETF repository. > > Name: draft-lodderstedt-oauth-rar > Revision: 02 > Title: OAuth 2.0 Rich Authorization Requests > Document date: 2019-09-20 > Group: Individual Submission > Pages: 16 > URL: > https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-rar-02.txt > Status: > https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/ > Htmlized: https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02 > Htmlized: > https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-rar > Diff: > https://www.ietf.org/rfcdiff?url2=draft-lodderstedt-oauth-rar-02 > > Abstract: > This document specifies a new parameter "authorization_details" that > is used to carry fine grained authorization data in the OAuth > authorization request. > > > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
