Dears,
In preparation for IETF 125, I would like to share and socialize this draft:
https://datatracker.ietf.org/doc/draft-zehavi-oauth-rar-metadata/
It deals with metadata for RAR (RFC 9396) authorization_details types, a topic
not in the scope of RFC 9396.
The mechanisms proposed in the draft are:
1. The client obtains metadata describing valid authorization details objects from
a new authorization server endpoint. Also, the resource server's protected resource
metadata response (RFC 9728) is extended to guide the client as to which
authorization_details types the resource expects / requires.
2. The client obtains a WWW-Authenticate header with a new normative error code,
insufficient_authorization_details, guiding the client as to the reason for the
failure being insufficient RAR.
3. An optional informative HTTP body alongside the WWW-Authenticate header
provides the client with actionable authorization details objects, whose inclusion
in a subsequent OAuth request shall result in an access token satisfying the
resource endpoint's requirements.
The 1st and 2nd mechanisms have drawn interest from Norway's Healthcare
platform HelseID, which has contributed metadata examples to the draft.
The 3rd mechanism is used by us (Raiffeisen) in banking use cases.
The MCP Fine Grained Authorization working group has also expressed interest in the
draft.
Feedback welcome
Regards,
Yaron Zehavi
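To make mechanisms 2 and 3 concrete, here is an added illustration of the exchange; it is example code written for this page, not code from the draft, from HelseID or from Raiffeisen. It assumes (these are not specified in the message) that the challenge is carried in an RFC 6750 style `WWW-Authenticate: Bearer` header, that the informative body is `application/json` with an `authorization_details` array of RFC 9396 objects, and that the error code is spelled exactly `insufficient_authorization_details`. The sample `payment_initiation` detail is constructed for the demonstration. Because the body is only informative, the client validates each object (RFC 9396 requires a string `type`) before echoing it into a new authorization request, and it treats a missing body as "reason understood, no actionable details".

```python
"""Resource server challenge and client recovery for insufficient RAR.
Added example for this mailing-list message; not the draft's own code.
Assumed: Bearer challenge format (RFC 6750), JSON body with
"authorization_details" (RFC 9396 objects), error code spelled as below."""
import json
import re
from urllib.parse import urlencode

INSUFFICIENT_RAR = "insufficient_authorization_details"  # error code from the draft


def build_challenge(required_details, realm="api.example"):
    """Resource server side: 403 with the new error code (mechanism 2) and an
    informative JSON body listing the authorization_details it needs (mechanism 3)."""
    header = (
        f'Bearer realm="{realm}", error="{INSUFFICIENT_RAR}", '
        f'error_description="authorization_details insufficient for this resource"'
    )
    body = json.dumps({"authorization_details": required_details})
    return 403, {"WWW-Authenticate": header, "Content-Type": "application/json"}, body


# auth-param grammar subset: token="quoted-string" (escaped quotes allowed)
_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_bearer_challenge(header):
    """Client side: split a Bearer challenge into its auth-params."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return {k: v for k, v in _PARAM.findall(params)}


def is_valid_authorization_detail(obj):
    """RFC 9396: an authorization details object MUST carry a string 'type'."""
    return isinstance(obj, dict) and isinstance(obj.get("type"), str)


def recovered_authorization_details(status, headers, body):
    """Return the authorization_details the client should request next.
    None  -> the failure was not about insufficient RAR (or not an auth failure)
    []    -> reason understood, but no actionable body was supplied (body is optional)
    list  -> well-formed objects taken from the informative body."""
    if status not in (401, 403):
        return None
    params = parse_bearer_challenge(headers.get("WWW-Authenticate", ""))
    if params.get("error") != INSUFFICIENT_RAR:
        return None
    content_type = headers.get("Content-Type", "").split(";")[0].strip()
    if content_type != "application/json" or not body:
        return []
    details = json.loads(body).get("authorization_details", [])
    # The body is informative only: drop malformed objects instead of forwarding them.
    return [d for d in details if is_valid_authorization_detail(d)]


def authorization_request_query(client_id, redirect_uri, details):
    """Query string for the follow-up authorization request, with the
    authorization_details parameter serialised as RFC 9396 describes (JSON array)."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "authorization_details": json.dumps(details, separators=(",", ":")),
    })


if __name__ == "__main__":
    # Constructed sample: the resource wants a payment_initiation detail
    required = [{"type": "payment_initiation", "actions": ["initiate"],
                 "locations": ["https://api.example/payments"]}]
    status, headers, body = build_challenge(required)
    details = recovered_authorization_details(status, headers, body)
    print(authorization_request_query("client-123", "https://app.example/cb", details))
```

A client that understands only the error code (mechanism 2) can still act on it, for example by consulting the authorization server's RAR metadata endpoint from mechanism 1, while a client that also receives the body (mechanism 3) can go straight to the corrected authorization request.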
_______________________________________________
OAuth mailing list -- [email protected]