Yes, RAR can definitely be layered onto this flow. Section 3 of RAR says "The authorization_details authorization request parameter can be used to specify authorization requirements in all places where the scope parameter is used for the same purpose" https://datatracker.ietf.org/doc/html/rfc9396#section-3
It's not strictly necessary to list authorization_details as a supported parameter in the Token Exchange request and in the ID-JAG claims in order to use it in those places, as they are already extensible. However, if you think it would be helpful to have an explicit pointer to RAR I can definitely add it.

Aaron

On Fri, Dec 5, 2025 at 12:26 AM Judith Kahrer <judith.kahrer= [email protected]> wrote:

> Hi,
>
> I have another thought about processing the ID-JAG... The ID-JAG is a
> grant. As such, shouldn't it support RAR (RFC 9396
> <https://datatracker.ietf.org/doc/html/rfc9396#name-authorization-request>
> )?
> For example, add authorization_details as an optional claim in the list
> of claims in section 3 and as a parameter to the relevant request and
> responses.
>
> Best regards,
> Judith
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
