Rich Authorization Requests
https://tools.ietf.org/html/draft-lodderstedt-oauth-rar
Justin Richer, Bespoke Engineering
Torsten Lodderstedt, yes.com
Problem Statement
● Expressiveness of scopes is not sufficient for emerging OAuth scenarios, e.g. open banking
● Allocation of requested permissions to resource server specific access tokens is hard (despite resource indicators)
Example: Authorization in Financial APIs
Requirements from PSD2 regulation
● Consent: customer consent is required, either for individual requests or as a mandate for designated payment accounts and associated payment transactions
● Dynamic Linking: payment initiation requests must be bound to the amount and payee as approved by the customer
Authorization Information
{
  "instructedAmount": {
    "currency": "EUR",
    "amount": "123.50"
  },
  "debtorAccount": {
    "iban": "DE40100100103307118608"
  },
  "creditorName": "Merchant123",
  "creditorAccount": {
    "iban": "DE02100100109307118603"
  },
  "remittanceInformationUnstructured": "Ref Number Merchant"
}
Challenge:
More dynamic and complex than currently supported by OAuth through scopes
(Selected) Solutions in the PSD2 Wild
● NextGenPSD2
○ external resource (payment or consent)
○ reference in (dynamic) scope value, e.g., “pis:12345678”
● UK OB
○ external resource (payment or consent)
○ reference in consent_id claim in claims parameter in signed request object
● Polish API
○ static scope values + JSON-based scope_details request parameter
○ OAuth authorization request as HTTP POST to AS, which returns transaction redirect URL (PL)
Time for something more suitable ...
authorization_details
● JSON array containing API-specific authorization objects
● Draft introduces a set of common data type fields for use across different APIs, e.g. type, locations, actions
● Based on work in the FAPI WG and on OAuth XYZ
● Authors:
○ Justin Richer
○ Brian Campbell
○ Torsten Lodderstedt
authorization_details (where to use)
The request parameter can be used anywhere the "scope" parameter is used, e.g.:
● Authorization requests as specified in [RFC6749],
● Request objects as specified in [I-D.ietf-oauth-jwsreq],
● Device Authorization Request as specified in [RFC8628].
It is also used in the “resources” element in OAuth.xyz.
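As an added illustration (not part of the slides or of the draft itself) of how the parameter travels in an RFC 6749 authorization request and what an authorization server should check before rendering consent: the client encodes the JSON array into the authorization_details query parameter, and the AS decodes it and enforces the structural rules the draft describes (an array of objects, each with a "type", with "locations" and "actions" as optional string arrays). The "payment_initiation" type value, the location URL and the action names are assumptions chosen for this example, and the per-client allow-list of types is a local policy choice, not something the draft mandates.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample: one payment initiation authorization object built from
# the PSD2 fields shown on the slide. "type", "locations" and "actions" values
# are assumptions for this example.
PAYMENT_DETAILS = [
    {
        "type": "payment_initiation",
        "locations": ["https://bank.example.com/payments"],
        "actions": ["initiate", "status"],
        "instructedAmount": {"currency": "EUR", "amount": "123.50"},
        "debtorAccount": {"iban": "DE40100100103307118608"},
        "creditorName": "Merchant123",
        "creditorAccount": {"iban": "DE02100100109307118603"},
        "remittanceInformationUnstructured": "Ref Number Merchant",
    }
]


def build_authorization_request(authorize_endpoint, client_id, redirect_uri,
                                state, authorization_details):
    """Client side: an RFC 6749 authorization request that carries
    authorization_details (JSON array, URL-encoded) in place of scope."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "authorization_details": json.dumps(authorization_details,
                                            separators=(",", ":")),
    }
    return authorize_endpoint + "?" + urlencode(params)


class InvalidAuthorizationDetails(ValueError):
    """Raised when the parameter is absent, malformed or not permitted."""


def parse_authorization_details(request_url, allowed_types):
    """AS side: decode the parameter and validate its structure before any
    consent screen is rendered. allowed_types is the set of authorization
    object types this client is registered to request (local policy)."""
    query = parse_qs(urlparse(request_url).query)
    raw = query.get("authorization_details")
    if not raw or len(raw) != 1:
        raise InvalidAuthorizationDetails("authorization_details missing or repeated")
    try:
        details = json.loads(raw[0])
    except json.JSONDecodeError as exc:
        raise InvalidAuthorizationDetails(f"not valid JSON: {exc}") from None
    if not isinstance(details, list) or not details:
        raise InvalidAuthorizationDetails("must be a non-empty JSON array")
    for obj in details:
        if not isinstance(obj, dict):
            raise InvalidAuthorizationDetails("each element must be a JSON object")
        obj_type = obj.get("type")
        if not isinstance(obj_type, str) or obj_type not in allowed_types:
            raise InvalidAuthorizationDetails(f"type not permitted for this client: {obj_type!r}")
        for field in ("locations", "actions"):
            if field in obj and not (isinstance(obj[field], list)
                                     and all(isinstance(v, str) for v in obj[field])):
                raise InvalidAuthorizationDetails(f"{field} must be an array of strings")
    return details


if __name__ == "__main__":
    url = build_authorization_request("https://as.example.com/authorize", "client-1",
                                      "https://client.example.com/cb", "st-123",
                                      PAYMENT_DETAILS)
    print(url)
    print(parse_authorization_details(url, {"payment_initiation"}))
```

Rejecting unknown or unregistered types at this point matters because the AS has no way to render meaningful consent for an object it does not understand, and silently dropping it would let a client obtain a token whose contents differ from what the user saw.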
authorization_details (Examples)
Processing
● AS renders user consent based on rich authorization data
● Authorization details need to be passed to RSs (via AT or Introspection)
● Resource indicator is used by client to obtain RS-specific AT associated with the RS-specific authorization only.
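The last two bullets, as an added example that is not part of the slides or the draft: the AS uses the resource indicator presented at the token endpoint to select only the granted authorization objects whose "locations" cover that resource server, places them in the access token (or introspection response), and the payment RS then enforces the PSD2 dynamic-linking requirement by accepting a payment initiation only when its amount and payee equal the details bound to the token. The type values, location URLs, action names and the "authorization_details" token claim name are assumptions for this example.

```python
# Constructed sample: what the user consented to, covering two APIs hosted
# on two different resource servers. Values are assumptions for this example.
GRANTED_DETAILS = [
    {
        "type": "payment_initiation",
        "locations": ["https://bank.example.com/payments"],
        "actions": ["initiate", "status"],
        "instructedAmount": {"currency": "EUR", "amount": "123.50"},
        "debtorAccount": {"iban": "DE40100100103307118608"},
        "creditorName": "Merchant123",
        "creditorAccount": {"iban": "DE02100100109307118603"},
    },
    {
        "type": "account_information",
        "locations": ["https://bank.example.com/accounts"],
        "actions": ["list_accounts", "read_balances"],
    },
]

# Constructed sample: the payment the client later submits to the payment RS.
PAYMENT = {
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "debtorAccount": {"iban": "DE40100100103307118608"},
    "creditorName": "Merchant123",
    "creditorAccount": {"iban": "DE02100100109307118603"},
    "remittanceInformationUnstructured": "Ref Number Merchant",
}


def select_details_for_resource(granted_details, resource):
    """AS side: keep only the authorization objects whose 'locations' include
    the resource indicator the client sent, so the RS-specific AT carries
    nothing that another RS was granted."""
    return [d for d in granted_details if resource in d.get("locations", [])]


def issue_access_token_claims(granted_details, resource, issuer, subject):
    """AS side: claims of a self-contained AT (or introspection response) for
    one RS. The 'authorization_details' claim name is an assumption."""
    selected = select_details_for_resource(granted_details, resource)
    if not selected:
        raise PermissionError("no authorization was granted for this resource")
    return {"iss": issuer, "sub": subject, "aud": resource,
            "authorization_details": selected}


# Fields that PSD2 dynamic linking binds the transaction to: amount and payee.
DYNAMIC_LINK_FIELDS = ("instructedAmount", "creditorName", "creditorAccount")


def authorize_payment_initiation(token_claims, resource, payment):
    """RS side: the payment may only proceed if the token is addressed to this
    RS and contains a payment_initiation object permitting 'initiate' whose
    amount and payee exactly match the submitted payment."""
    if token_claims.get("aud") != resource:
        return False
    for d in token_claims.get("authorization_details", []):
        if d.get("type") != "payment_initiation" or "initiate" not in d.get("actions", []):
            continue
        if all(d.get(f) == payment.get(f) for f in DYNAMIC_LINK_FIELDS):
            return True
    return False


if __name__ == "__main__":
    claims = issue_access_token_claims(GRANTED_DETAILS, "https://bank.example.com/payments",
                                       "https://as.example.com", "user-42")
    print(claims)
    print(authorize_payment_initiation(claims, "https://bank.example.com/payments", PAYMENT))
```

Comparing the bound fields for exact equality (rather than, say, amount less than or equal) is deliberate: the consent the user saw was for this specific amount and payee, and a token for the accounts RS is rejected by the audience check before its authorization details are even inspected.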
Q & A
