Hi,

In the privacy considerations section of the RAR specification 
(https://www.ietf.org/archive/id/draft-ietf-oauth-rar-21.html#name-privacy-considerations) 
it is stated:


“The AS needs to take into consideration the privacy implications when
sharing authorization_details with the client or resource servers.
The AS should share this data with those parties on a "need to know"
basis as determined by local policy.”

The proposed standard recommends to embed the authorization_details in the 
JWT-based Access Token "filtered to the specific audience".

I assume audience restricted ATs are meant here.

My concern is that there can be multiple RS which the client intends to use the 
AT for. Even with audience restricted ATs, it may be the case that personal 
information being part of the authorization_details should only be visible to 
one of the AS and not the others. I don't really see how the Authorization 
Server is able to craft ATs which can be used for all of the given audience 
while only one or some ought to be able to read the authorization_details. Even 
if the AS is able to enforce a policy to allow only one audience with the 
authorization request, it does not prevent the client from accidentally 
misusing the issued AT with another RS for which it was not intended and thus 
leaking personal information to that RS.

I think that in order to prevent authorization_details to be accessible by 
multiple RS, Token Introspection should still be used to validate JWT-based ATs 
and only include the authorization_details in the Token introspection response 
which the RS need to know.

Another approach would be to have an authorization_details section encrypted 
asymmetrically for each audience separately so that each RS can only extract 
the authorization_details it needs. That could mean JWTs inside of JWTs.

I think it would help to add more details to the privacy considerations or even 
describe how exactly this can be achieved.

Best regards,
Kai
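Added example, not part of Kai's message or of the RAR draft, sketching in Python the two options raised above: per-audience ATs whose authorization_details are filtered to that RS when minted, and a multi-audience AT that embeds no details at all, where the introspection endpoint returns only the entries the authenticated caller needs. The HS256 key, the token store, the resource-server URLs and the sample authorization_details are constructed assumptions; the filter keys on the RAR `locations` field of each entry.

```python
import base64, hashlib, hmac, json
FULL_DETAILS = [  # constructed sample RAR request; "locations" names the RS each entry is for
    {"type": "payment_initiation", "locations": ["https://rs-bank.example"],
     "instructedAmount": {"currency": "EUR", "amount": "123.50"}},
    {"type": "account_information", "locations": ["https://rs-insurer.example"],
     "actions": ["read"], "policy_holder": "Jane Doe"},
]
SECRET = b"constructed-demo-hs256-key"  # assumption: AS-held HS256 signing key
TOKEN_STORE = {}                        # assumption: AS keeps full details per jti

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def need_to_know(details, rs):
    """Keep only the entries whose locations name this resource server."""
    return [d for d in details if rs in d.get("locations", [])]

def _sign(payload):
    head = _b64url(b'{"alg":"HS256","typ":"at+jwt"}')
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def _verify(token):
    head, body, sig = token.split(".")
    want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(want), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def issue_audience_token(details, rs):
    """Option 1: one AT per RS, audience-restricted, details filtered when minted."""
    return _sign({"aud": rs, "authorization_details": need_to_know(details, rs)})

def issue_multi_audience_token(details, jti, audiences):
    """Option 2: one AT for several RS that embeds no details at all."""
    TOKEN_STORE[jti] = details
    return _sign({"jti": jti, "aud": audiences})

def rs_accept(token, my_rs):
    """RS-side check: signature first, then aud; a token minted for another RS fails."""
    payload = _verify(token)
    aud = payload["aud"] if isinstance(payload["aud"], list) else [payload["aud"]]
    if my_rs not in aud:
        raise ValueError("token not intended for this resource server")
    return payload

def introspect(token, calling_rs):
    """AS introspection: the (authenticated) caller only gets the entries it needs."""
    payload = rs_accept(token, calling_rs)
    full = TOKEN_STORE.get(payload.get("jti"), payload.get("authorization_details", []))
    return {"active": True, "authorization_details": need_to_know(full, calling_rs)}
```

With option 1 the insurer's RS rejects the bank's token on the aud check before it can read anything; with option 2 neither RS sees the other's entries because the AT carries none and introspection filters per caller.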

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth