Hi Kai,

I recently saw a proposal to extend the Step-Up mechanism by returning a body with the WWW-Authenticate header. This could work for what you are looking to do in returning a RAR authorization_details JSON object that the client can then pass to the AS. My only concern with this is whether most clients will know to look for a body with a WWW-Authenticate header and whether the browser will make the body available to a browser-based client.
I agree that Step-Up flows need more options than max_age, scope and acr_values.

Thanks,
George

--
George Fletcher
Practical Identity LLC

> On Mar 18, 2025, at 4:59 AM, Kai Lehmann <kai.lehmann=401und1...@dmarc.ietf.org> wrote:
>
> Hi,
>
> we are considering using RAR to have a fine-grained authorization mechanism with additional user interactions during the authentication/authorization steps based on the authorization requested by the client.
>
> Our main concern is how the client would know when it needs access tokens with specific RAR content and when it can simply use standard scope-based access tokens. We thought about using a similar method as is described in the Step Up Auth Challenge Protocol. When requesting a specific resource, a resource server could use this protocol to tell the client that it needs an access token with specific authorization_details which the client can then obtain before requesting the resource again.
>
> Another option would be to use something based on Protected Resource Metadata. However, here the Resource Server cannot craft a specific authorization_details it needs for a specific resource as this usually depends on the request data which is not available at this point.
>
> Is there something defined to close this gap which we are just not aware of?
>
> Best regards,
> kai
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org
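A client-side sketch of the exchange Kai describes, with the body-carrying variant George mentions, added here as an example and not code from the thread or from either proposal. The header parameters are the ones RFC 9470 defines; the JSON body layout, the function names and the fallback behaviour are assumptions.

```python
import json
import re
from typing import Optional

# Added example, not from the thread. The header parameters follow RFC 9470;
# the body format is an assumption about the proposal George mentions:
# a JSON object {"authorization_details": [...]} sent with the 401.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_bearer_challenge(header: str) -> dict:
    """Parse 'Bearer error="...", acr_values="..."' into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    out = {}
    for m in _PARAM_RE.finditer(params):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        out[m.group(1)] = value.replace('\\"', '"')
    return out


def extract_authorization_details(body: Optional[bytes]) -> Optional[list]:
    """RAR array from the assumed body, or None (also George's browser case:
    no body visible). Each element needs a string 'type' per RFC 9396."""
    if not body:
        return None
    try:
        details = json.loads(body).get("authorization_details")
    except (ValueError, AttributeError):
        return None
    if not isinstance(details, list) or not details:
        return None
    if not all(isinstance(d, dict) and isinstance(d.get("type"), str) for d in details):
        return None
    return details


def plan_step_up(status: int, headers: dict, body: Optional[bytes]) -> Optional[dict]:
    """Turn a 401 step-up challenge into authorization request parameters;
    fall back to scope/acr_values/max_age when no usable body exists."""
    if status != 401 or "WWW-Authenticate" not in headers:
        return None
    ch = parse_bearer_challenge(headers["WWW-Authenticate"])
    if ch.get("error") not in ("insufficient_user_authentication", "insufficient_scope"):
        return None
    params = {k: ch[k] for k in ("scope", "acr_values", "max_age") if k in ch}
    details = extract_authorization_details(body)
    if details is not None:
        # RFC 9396: authorization_details travels JSON-encoded as one parameter value
        params["authorization_details"] = json.dumps(details, separators=(",", ":"))
    return params
```

The client treats a missing or malformed body the way George anticipates a browser client would: it still steps up, but only with the header-carried parameters.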