Hi, we are considering using RAR to have a fine-grained authorization mechanism with additional user interactions during the authentication/authorization steps, based on the authorization requested by the client.
Our main concern is how the client would know when it needs access tokens with specific RAR content and when it can simply use standard scope-based access tokens. We thought about using a method similar to the one described in the Step Up Auth Challenge Protocol. When requesting a specific resource, a resource server could use this protocol to tell the client that it needs an access token with specific authorization_details, which the client can then obtain before requesting the resource again. Another option would be to use something based on Protected Resource Metadata. However, here the Resource Server cannot craft the specific authorization_details it needs for a specific resource, as this usually depends on the request data, which is not available at this point. Is there something defined to close this gap which we are just not aware of?

Best regards,
kai
_______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org
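The challenge-and-retry exchange proposed in the message above, worked through as an added example (this is not the poster's code, and it is not defined by any OAuth RFC). It models a resource server that derives the RAR entry it needs from the incoming request data, rejects a scope-only token with a Step-Up-style WWW-Authenticate challenge, and a client that turns that challenge into an RFC 9396 authorization request carrying `authorization_details`. Everything specific to the challenge is an assumption of this example: the error code `insufficient_authorization_details` and the `authorization_details` challenge parameter are hypothetical (RFC 9470 only defines `acr_values` and `max_age`, and RFC 6750 only `scope`), the base64url encoding of the JSON inside the header is this example's choice, and the payment request, IBAN, hostnames and client id are constructed sample data.

```python
import base64
import json
import re
from urllib.parse import urlencode

# Hypothetical: neither this error code nor an "authorization_details"
# challenge parameter is defined by RFC 6750, RFC 9396 or RFC 9470.
ERROR_CODE = "insufficient_authorization_details"
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def required_details_for(request: dict) -> list:
    """RS side: the RAR entry depends on the request body, which is exactly
    why static Protected Resource Metadata cannot express it in advance."""
    body = request["body"]
    return [{
        "type": "payment_initiation",          # constructed example type
        "actions": ["initiate"],
        "instructedAmount": {"currency": body["currency"], "amount": body["amount"]},
        "creditorAccount": {"iban": body["creditor_iban"]},
    }]


def _covers(granted: dict, required: dict) -> bool:
    """One granted authorization_details entry satisfies one required entry."""
    if granted.get("type") != required["type"]:
        return False
    if not set(required.get("actions", [])) <= set(granted.get("actions", [])):
        return False
    # Amount and creditor must match exactly; a token for a different payment is useless here.
    return all(granted.get(k) == required[k]
               for k in ("instructedAmount", "creditorAccount") if k in required)


def token_satisfies(token: dict, required: list) -> bool:
    granted = token.get("authorization_details", [])
    return all(any(_covers(g, r) for g in granted) for r in required)


def resource_server(request: dict, token: dict):
    """Return (status, headers). On failure, send the needed RAR entry in the challenge."""
    required = required_details_for(request)
    if token_satisfies(token, required):
        return 200, {}
    encoded = b64url_encode(json.dumps(required, separators=(",", ":")).encode())
    # Base64url keeps the JSON (quotes, commas) out of the quoted-string auth-param.
    header = f'Bearer error="{ERROR_CODE}", authorization_details="{encoded}"'
    return 401, {"WWW-Authenticate": header}


def parse_challenge(header: str) -> dict:
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("unexpected auth scheme: " + scheme)
    return dict(_PARAM_RE.findall(params))


def client_next_authz_request(header: str, client_id: str, redirect_uri: str):
    """Client side: build the RFC 9396 authorization request the challenge asks for."""
    params = parse_challenge(header)
    if params.get("error") != ERROR_CODE:
        return None, None
    details = json.loads(b64url_decode(params["authorization_details"]))
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "authorization_details": json.dumps(details, separators=(",", ":")),
    })
    return "https://as.example/authorize?" + query, details   # hypothetical AS


def run_flow():
    """Full round trip: scope-only token -> 401 challenge -> RAR token -> 200."""
    request = {"method": "POST", "path": "/payments",            # constructed sample
               "body": {"currency": "EUR", "amount": "123.50",
                        "creditor_iban": "DE02100100109307118603"}}
    scope_token = {"scope": "payments", "authorization_details": []}
    first, headers = resource_server(request, scope_token)
    authz_url, details = client_next_authz_request(
        headers["WWW-Authenticate"], "client-1", "https://client.example/cb")
    # Simulated AS: the user consents to exactly the requested authorization_details.
    rar_token = {"scope": "payments", "authorization_details": details}
    second, _ = resource_server(request, rar_token)
    return first, second, authz_url


if __name__ == "__main__":
    print(run_flow())
```

The point the example makes concrete is the one raised in the message: the `required_details_for` logic only has the amount and creditor once the request arrives, so the challenge must carry the full entry, and the client must echo it back verbatim in `authorization_details` and then present the resulting token on the retry. A real deployment would also need the client to verify the challenge came from the resource server it intended to call, since it is about to ask the user to consent to whatever the challenge contains.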