I have submitted a new draft:
https://datatracker.ietf.org/doc/html/draft-cecchetti-oauth-rar-cedar

This is intended to be a profile of RFC 9396 OAuth 2.0 Rich Authorization Requests (OAuth RAR). OAuth RAR defines an authorization_details parameter, but leaves the format of the parameter open. This profile defines a rarFormat parameter to further constrain authorization_details to use a specific format called "cedar."

The use case for this draft is the same as the OAuth RAR use case - i.e. open banking specifically, and fine-grained authorization generally. The intent is to make the standard more interoperable by specifying the policy language which will be used to communicate the authorization request and response. The language used in these examples is Cedar, an open-source policy language - https://www.cedarpolicy.com/en. Putting Cedar policy sets within an OAuth token enables the client and RS to conduct transactions which conform to specific fine-grained policies which have been blessed (signed) by the AS.

Open Questions:

1. Should we create a separate informational draft defining the Cedar language itself within the universe of the IETF? Or is it fine to leave that undefined?
2. Is rarFormat the right name for this parameter?
3. Should policySet be required?
4. I tried to keep this draft fairly simple and duplicate examples in the OAuth RAR RFC without redundantly stating what is already defined there. Did I include too little? Too much?

This is my first draft submission, so any and all feedback is welcome, and apologies if my XML is incorrectly formatted. I'm ignorant about many things in the standards process. :)

Sarah Cecchetti
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
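As an added illustration (not code from the draft or from the mail above) of how a resource server might act on a cedar-profiled authorization_details entry: it assumes the Cedar policies travel as a list of policy strings under policySet, uses the RFC 9396 payment_initiation example as a constructed sample, and evaluates only a toy Cedar subset rather than the real language.

```python
"""Toy RS-side check for an OAuth RAR authorization_details entry in the
proposed rarFormat="cedar" profile. Assumptions (not defined on the page):
policies are a list of strings under "policySet"; only equality scope
constraints and one `when { context.<key> <op> <int> }` clause are handled."""
import re

POLICY_RE = re.compile(
    r'^(permit|forbid)\s*\(\s*principal(?:\s*==\s*(\S+?))?\s*,\s*'
    r'action(?:\s*==\s*(\S+?))?\s*,\s*resource(?:\s*==\s*(\S+?))?\s*\)'
    r'(?:\s*when\s*\{\s*context\.(\w+)\s*(<=|>=|<|>|==)\s*(\d+)\s*\})?\s*;$')
OPS = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b, "<": lambda a, b: a < b,
       ">": lambda a, b: a > b, "==": lambda a, b: a == b}

# Constructed sample: what an AS-signed token might carry for the RFC 9396
# payment_initiation example, with the constraints expressed in Cedar.
SAMPLE_ENTRY = {
    "type": "payment_initiation",
    "rarFormat": "cedar",
    "policySet": [
        'permit(principal == User::"alice", action == Action::"initiatePayment", '
        'resource == Account::"DE02100100109307118603") when { context.amount <= 250 };',
        'forbid(principal, action == Action::"initiatePayment", resource) '
        'when { context.amount > 999 };',
    ],
}

def validate_entry(entry):
    """RFC 9396 requires "type"; the profile (as assumed here) additionally
    requires rarFormat == "cedar" and a non-empty policySet list."""
    return ("type" in entry and entry.get("rarFormat") == "cedar"
            and isinstance(entry.get("policySet"), list) and bool(entry["policySet"]))

def parse_policy(text):
    m = POLICY_RE.match(text.strip())
    if not m:  # unsupported syntax must fail closed, never be silently skipped
        raise ValueError(f"unsupported policy syntax: {text!r}")
    effect, principal, action, resource, key, op, val = m.groups()
    return effect, (principal, action, resource), (key, op, int(val)) if key else None

def is_authorized(entry, principal, action, resource, context):
    """Cedar decision rule: any matching forbid wins, else any matching permit
    wins, else deny. A malformed entry is denied outright."""
    if not validate_entry(entry):
        return False
    permitted = forbidden = False
    for text in entry["policySet"]:
        effect, scope, cond = parse_policy(text)
        if any(want not in (None, got) for want, got in zip(scope, (principal, action, resource))):
            continue  # scope constraint does not match this request
        if cond and not (cond[0] in context and OPS[cond[1]](context[cond[0]], cond[2])):
            continue  # when-clause not satisfied
        forbidden |= effect == "forbid"
        permitted |= effect == "permit"
    return permitted and not forbidden
```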