Reviewer: Thomas Fossati
Review result: Ready
This document defines an OAuth parameter ("authorization_details") to
carry fine-grained authorization data in OAuth messages. This allows
APIs to customise their authorization requests and has applicability in
a number of scenarios, e.g.: banking, e-health, accessing tax data, etc.
The document also defines a base vocabulary for expressing common
semantics, which grants consistency in an otherwise completely open
space.
It is a very well written document and was a pleasure to read.
It has a clearly defined goal and well designed mechanisms.
The examples (both JSON and HTTP) are many, very well crafted, and
syntactically impeccable -- apart from a couple of stray ellipses in the
JSON examples of §10, and the snippet in Figure 16, which were the only
alerts I got from my linter.
The IANA requests are in good shape (with only a tiny typo issue, see
below.)
Here a couple of very minor reference suggestions:
* §2, when JSON is first mentioned, you could add a pointer to RFC7493
* §2.1, when ASCII is mentioned, you could add a pointer to RFC0020
Please fix these:
* §2.2: "[...] the permissions the client requests is" should be "[...]
the permissions the client requests are"
* §3: "[...] to improve to security" should be "[...] to improve the
security"
* §15.6: "[...] authorization_details_parameterto" should be
"[...] authorization_details parameters to" (I think)
Other than that, ship it!
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
