Hi Yaron! I'll have a look and get back to you with some thoughts. From what you write in your mail and from what I have heard, it sounds like an interesting draft indeed! I look forward to studying it in more detail.
Best regards,
Judith

On Wed, Jun 3, 2026, 22:37 Yaron ZEHAVI <yaron.zehavi= [email protected]> wrote:

> Dear OAuth Working Group,
>
> I would like to request your review and feedback for this draft:
>
> https://datatracker.ietf.org/doc/draft-zehavi-oauth-rar-metadata/
>
> The document addresses a practical interoperability challenge around Rich
> Authorization Requests (RAR): discovery of metadata for authorization
> details types, allowing clients dynamic discovery rather than relying on
> out-of-band agreements. It also standardizes error signaling in case
> insufficient RAR was provided and offers structured ways of remediation.
>
> The draft was presented at IETF 125 and OAuth Security Workshop (OSW)
> 2026, where it generated valuable discussion and received positive
> feedback, which has been incorporated into the latest revision of the draft.
>
> Importantly, the draft is already seeing interest and adoption across
> real-world deployments, including:
>
> - Norway's HelseID healthcare identity platform
> - Raiffeisen Bank Romania
> - The Model Context Protocol (MCP) Fine-Grained Authorization Working
>   Group (see SEP-2643
>   <https://github.com/modelcontextprotocol/modelcontextprotocol/pull/2643>)
>
> These deployments and positive feedback demonstrate the need for a
> standardized mechanism for RAR capability discovery and metadata
> publication.
>
> Given the willingness to adopt the proposal and positive feedback from the
> community, we'd like to ask the Working Group to consider its adoption.
>
> We would greatly appreciate additional review, feedback, and discussion
> from OAuth WG participants.
>
> Thank you for your consideration.
>
> Best regards,
>
> Yaron Zehavi
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
