> On 2 Jun 2023, at 14:10, Oliva Fernandez, Jorge 
> <Jorge.OlivaFernandez=40santander.co...@dmarc.ietf.org> wrote:
> 
> Hi,
>  
> Reviewing the just released RFC, there are a couple of examples that seem 
> incorrect, or maybe I’m missing something. In sections 9.1 and 9.2 a 
> field “debtorAccount” appears outside the “authorization_details” object, and 
> section 9.1 specifies:
>  
> “debtorAccount:
> API-specific field containing the debtor account. In the example, this 
> account was not passed in the authorization_details but was selected by the 
> user during the authorization process. The field user_role conveys the role 
> the user has with respect to this particular account. In this case, they are 
> the owner. This data is used for access control at the payment API (the RS).
> ”
>  
> If this “debtorAccount” is the result of “Enriched Authorization Details”, 
> should it not follow what is described in section 7.1 and be returned inside 
> the “authorization_details” object?

I would tend to agree with you that this looks like an error in the examples, 
or at least is confusing. If the intent of the authorization_details field is to 
convey exactly what has been authorized, then it seems essential that all 
relevant fields are included in it. Otherwise, it is quite likely that 
downstream security checks may miss this important information. The 
debtorAccount certainly sounds like something that is pretty essential to the 
authorization of the transaction.

-- Neil
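To make the concern in this thread concrete, here is an added example (not from the RFC or from either poster) of a resource-server check for a payment_initiation grant that trusts only what is inside authorization_details. It shows the two placements side by side: the introspection response with debtorAccount at the top level, as in the quoted section 9.1 example, and the same data carried inside the authorization_details entry, as section 7.1 describes for enriched details. Field names follow the RFC's payment_initiation example; the IBANs, amount, subject and the request shape are constructed sample values, and the helper names are the example's own.

```python
import copy

# Constructed sample of what the payment API (the RS) sees for a token, for
# instance via token introspection. Field names follow the RFC's
# payment_initiation example; the IBANs, amount and subject are made-up values.
# debtorAccount sits at the top level, outside authorization_details, which is
# the placement the quoted message questions.
INTROSPECTION_TOP_LEVEL = {
    "active": True,
    "sub": "24400320",
    "authorization_details": [
        {
            "type": "payment_initiation",
            "actions": ["initiate", "status", "cancel"],
            "locations": ["https://example.com/payments"],
            "instructedAmount": {"currency": "EUR", "amount": "123.50"},
            "creditorName": "Merchant A",
            "creditorAccount": {"iban": "DE02100100109307118603"},
        }
    ],
    "debtorAccount": {"iban": "DE40100100103307118608", "user_role": "owner"},
}

# Constructed payment request as a client would submit it to the RS.
PAYMENT_REQUEST = {
    "action": "initiate",
    "debtor_iban": "DE40100100103307118608",
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "creditorAccount": {"iban": "DE02100100109307118603"},
}


def enrich_into_details(token):
    """Return a copy in which the user-selected debtorAccount is carried inside
    every payment_initiation entry of authorization_details (the section 7.1
    placement) instead of as a separate top-level field."""
    enriched = copy.deepcopy(token)
    debtor = enriched.pop("debtorAccount", None)
    if debtor is not None:
        for detail in enriched.get("authorization_details", []):
            if detail.get("type") == "payment_initiation":
                detail.setdefault("debtorAccount", copy.deepcopy(debtor))
    return enriched


def authorize_payment(token, request):
    """RS-side access control that reads only authorization_details.

    Every field the payment depends on, the debtor account included, must be
    present in one matching entry; anything missing means deny (fail closed).
    Returns (allowed, reason).
    """
    if not token.get("active"):
        return False, "token is not active"
    saw_entry_without_debtor = False
    for detail in token.get("authorization_details", []):
        if detail.get("type") != "payment_initiation":
            continue
        if request["action"] not in detail.get("actions", []):
            continue
        debtor = detail.get("debtorAccount")
        if debtor is None:
            # The authorized debtor account is not visible here, so this entry
            # cannot prove the debit was authorized.
            saw_entry_without_debtor = True
            continue
        if debtor.get("iban") != request["debtor_iban"]:
            continue
        if detail.get("instructedAmount") != request["instructedAmount"]:
            continue
        if detail.get("creditorAccount") != request["creditorAccount"]:
            continue
        return True, "request matches an authorization_details entry"
    if saw_entry_without_debtor:
        return False, "no debtorAccount in authorization_details; denied"
    return False, "no authorization_details entry matches the request"


if __name__ == "__main__":
    print(authorize_payment(INTROSPECTION_TOP_LEVEL, PAYMENT_REQUEST))
    enriched = enrich_into_details(INTROSPECTION_TOP_LEVEL)
    print(authorize_payment(enriched, PAYMENT_REQUEST))
    other_debtor = dict(PAYMENT_REQUEST, debtor_iban="DE00000000000000000000")
    print(authorize_payment(enriched, other_debtor))
```

With the top-level placement the check denies even a legitimate request, because the account the user selected is invisible to code that, per the RFC's stated intent, looks only at authorization_details; a check that instead fell open would let the debit through without ever comparing the debtor account. Once the same data is carried inside the entry, the matching request is allowed and a request against a different debtor IBAN is refused.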

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
