This is a fair point... The privacy and security considerations talk about this
a bit as I recall, but likely need to in more depth and specificity. This is an
intentional message channel to the client from the AS, but if the AS is blindly
sending all information it might be saying more than it

Hi all,

I have a question about sections 7.0 and 7.1 in draft-ietf-oauth-rar-05 that
describe the token response.
The authorization_details values could be sensitive in their nature. The
example in section 7.1 highlights this nicely. The accounts array is empty
when the client requests it, but is