Hello Vladimir,

The problem with "insufficient_scope" is that it refers not to the abstract scope, but to the concrete "scope" token claim. The "scope" claim might be fine, but the token might lack the necessary RAR authorization_details. And yes, there is currently no way for the RS to communicate the requirements on authorization_details.

What I'm thinking of is the following:

    HTTP/1.1 403 Forbidden
    WWW-Authenticate: Bearer realm="example",
                      error="insufficient_authorization",
                      error_description="The access token is lacking permissions",
                      authorization_details="..."

Dmitry

On Fri, Jan 17, 2025 at 7:32 AM Vladimir Dzhuvinov / Connect2id <vladi...@connect2id.com> wrote:

> insufficient_scope
>     The request requires higher privileges than provided by the
>     access token. The resource server SHOULD respond with the HTTP
>     403 (Forbidden) status code and MAY include the "scope"
>     attribute with the scope necessary to access the protected
>     resource.
>
> "insufficient_scope" should be perfectly fine for "RAR-red" tokens.
>
> The error description is the token not having enough privileges, in the
> general sense.
>
> Do you need to communicate additional error info back from the resource?
>
> Vladimir Dzhuvinov
>
> On 17/01/2025 07:21, Dmitry Telegin wrote:
> > RAR does not define its equivalent of RFC 6750's "insufficient_scope"
> > error response (could be "insufficient_authorization", for example). Is
> > this intentional? If not, would it make sense to define it in a separate
> > document?
> >
> > Dmitry
> >
> > _______________________________________________
> > OAuth mailing list -- oauth@ietf.org
> > To unsubscribe send an email to oauth-le...@ietf.org
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org
_______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org
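The distinction Dmitry draws above (a token whose "scope" claim is fine but whose RAR authorization_details are too narrow) is easiest to see in resource-server code. The following is an added example, not code from the thread or from any OAuth implementation: it checks a decoded token's scope and authorization_details separately and builds the 403 challenge in the shape Dmitry proposed. The error code "insufficient_authorization", the authorization_details challenge attribute, the required scope/detail values and the matching rule are all assumptions for illustration; RFC 6750 defines only insufficient_scope, and RFC 9396 defines no RS error at all.

```python
import json
from typing import Optional

# Constructed sample requirement for this example: the RS protects a payment
# endpoint and needs a RAR authorization detail of this shape (type, actions
# and locations are the common data fields from RFC 9396).
REQUIRED_SCOPE = {"payments"}
REQUIRED_DETAIL = {
    "type": "payment_initiation",
    "actions": ["initiate"],
    "locations": ["https://rs.example.com/payments"],
}


def detail_satisfies(granted: dict, required: dict) -> bool:
    """True if one granted authorization_details entry covers the requirement.

    The matching rule is an assumption for this example, not RFC 9396 text:
    the type must match exactly and every required action and location must
    be present in the granted entry.
    """
    if granted.get("type") != required.get("type"):
        return False
    for field in ("actions", "locations"):
        if not set(required.get(field, [])) <= set(granted.get(field, [])):
            return False
    return True


def quote_param(value: str) -> str:
    """Render a WWW-Authenticate parameter value as an RFC 7235 quoted-string."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def challenge_for(claims: dict) -> Optional[str]:
    """Return None if the token is sufficient, otherwise the WWW-Authenticate
    challenge value the RS should send together with HTTP 403.

    Scope is checked first and separately, so a token whose scope is fine but
    whose RAR grant is too narrow is never reported as insufficient_scope.
    """
    token_scopes = set(claims.get("scope", "").split())
    if not REQUIRED_SCOPE <= token_scopes:
        # Standard RFC 6750 challenge: the "scope" claim itself is lacking.
        return ('Bearer realm="example", error="insufficient_scope", '
                "scope=" + quote_param(" ".join(sorted(REQUIRED_SCOPE))))
    granted = claims.get("authorization_details", [])
    if any(detail_satisfies(d, REQUIRED_DETAIL) for d in granted):
        return None
    # error="insufficient_authorization" and the authorization_details
    # attribute follow the shape proposed in the thread (an assumption here;
    # neither is defined by RFC 6750 or RFC 9396).
    needed = json.dumps([REQUIRED_DETAIL], separators=(",", ":"))
    return ('Bearer realm="example", error="insufficient_authorization", '
            'error_description="The access token is lacking permissions", '
            "authorization_details=" + quote_param(needed))


def error_code(challenge: Optional[str]) -> Optional[str]:
    """Pull the error parameter out of a challenge value, for inspection."""
    if challenge is None:
        return None
    for part in challenge.split(", "):
        if part.startswith("error="):
            return part[len("error="):].strip('"')
    return None


# Constructed sample token claims (decoded payloads of already-validated tokens).
TOKEN_OK = {"scope": "payments openid",
            "authorization_details": [dict(REQUIRED_DETAIL)]}
TOKEN_SCOPE_ONLY = {"scope": "payments openid"}   # scope fine, no RAR grant at all
TOKEN_NARROW_RAR = {                              # RAR grant present but too narrow
    "scope": "payments",
    "authorization_details": [{"type": "payment_initiation", "actions": ["read"]}],
}
TOKEN_NO_SCOPE = {"scope": "openid",
                  "authorization_details": [dict(REQUIRED_DETAIL)]}

if __name__ == "__main__":
    for name, tok in [("ok", TOKEN_OK), ("scope_only", TOKEN_SCOPE_ONLY),
                      ("narrow_rar", TOKEN_NARROW_RAR), ("no_scope", TOKEN_NO_SCOPE)]:
        print(f"{name}: {challenge_for(tok)}")
```

Running the block shows why the thread wants a separate error: TOKEN_SCOPE_ONLY and TOKEN_NARROW_RAR both carry an acceptable "scope" claim, so an RS that only emitted insufficient_scope would send the client back to the AS with no hint about which authorization_details it actually needs.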