Agree with Aaron's perspective here. But it might be useful to have a small
note saying as much. I wonder if we should also consider describing/defining
the use of the authorization_details claim in the ID-JAG, similar to scope?

On Fri, Dec 5, 2025 at 9:24 AM Aaron Parecki <aaron=
[email protected]> wrote:

> Yes, RAR can definitely be layered onto this flow. Section 3 of RAR says
> "The authorization_details authorization request parameter can be used to
> specify authorization requirements in all places where the scope parameter
> is used for the same purpose"
> https://datatracker.ietf.org/doc/html/rfc9396#section-3
>
> It's not strictly necessary to list authorization_details as a supported
> parameter in the Token Exchange request and in the ID-JAG claims in order
> to use it in those places, as they are already extensible. However if you
> think it would be helpful to have an explicit pointer to RAR I can
> definitely add it.
>
> Aaron
>
>
> On Fri, Dec 5, 2025 at 12:26 AM Judith Kahrer <judith.kahrer=
> [email protected]> wrote:
>
>> Hi,
>>
>> I have another thought about processing the ID-JAG... The ID-JAG is a
>> grant. As such, shouldn't it support RAR (RFC 9396
>> <https://datatracker.ietf.org/doc/html/rfc9396#name-authorization-request>
>> )?
>> For example, add authorization_details as an optional claim in the list
>> of claims in section 3 and as a parameter to the relevant request and
>> responses.
>>
>> Best regards,
>> Judith
>> _______________________________________________
>> OAuth mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
