Hi all,

in the recent RAR session, we started a discussion about an authorization_details token request parameter.

This parameter would allow us to solve several outstanding topics:

- Let the client determine what privileges to assign to the first access token issued in exchange for an authorisation code
- Downscoping privileges of pre-existing grant (code, refresh token, CIBA, device)
- Request access tokens with client credentials

We also discussed the challenge of comparing requested and already granted authorization details and how this relates to the way application/API specific logic might be integrated into an AS.

In order to continue the discussion, we would like to share the following PR with you for discussion:

https://github.com/oauthstuff/draft-oauth-rar/pull/66

It introduces the authorization_details token request parameter and gives examples of how comparison could be performed in this context.

Please give us feedback on the PR to drive the discussion.

best regards,
Torsten.
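An added example, not part of the original message or of the PR: one conservative way an AS could compare the authorization_details sent in a token request with what a grant already holds, so that a request can only narrow the grant. The subset rule, the function names and the sample grant are assumptions made for illustration; real comparison logic is API specific, as the message notes.

```python
import json
from urllib.parse import parse_qs, urlencode

# Assumption: these members hold lists of strings and a request may only narrow them.
SET_FIELDS = {"actions", "locations", "datatypes", "privileges"}

def covers(granted, requested):
    """True if one granted object is at least as broad as one requested object."""
    if not isinstance(requested, dict) or set(requested) != set(granted):
        return False  # omitting a granted restriction would widen the request
    for key, want in requested.items():
        have = granted[key]
        if key in SET_FIELDS:
            values = want if isinstance(want, list) else [None]
            if not all(isinstance(v, str) for v in values) or not set(values) <= set(have):
                return False
        elif want != have:
            return False  # "type" and API-specific members: exact match, fail closed
    return True

def token_request_allowed(form_body, granted_details):
    """Check the authorization_details parameter of a token request against a grant.

    Only handles requests that carry the parameter exactly once.
    """
    values = parse_qs(form_body).get("authorization_details", [])
    if len(values) != 1:
        return False  # missing or repeated parameter
    try:
        requested = json.loads(values[0])
    except ValueError:
        return False
    if not isinstance(requested, list) or not requested:
        return False
    # Every requested object must be covered by some object in the grant.
    return all(any(covers(g, r) for g in granted_details) for r in requested)

# Constructed sample grant, as the AS might store it alongside a refresh token.
GRANTED = [{
    "type": "account_information",
    "actions": ["list_accounts", "read_balances", "read_transactions"],
    "locations": ["https://example.com/accounts"],
}]

def make_body(details):
    """Build a constructed refresh-token request body carrying authorization_details."""
    return urlencode({"grant_type": "refresh_token", "refresh_token": "constructed-token",
                      "authorization_details": json.dumps(details)})
```

Members outside SET_FIELDS are compared for equality, so an API whose members carry other semantics (amounts, time windows) would need its own comparison plugged in at that point.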