Rich Authorization Requests allows clients to pass fine grained authorization data in the OAuth authorization request. It's been developed based on experiences in open banking and other security sensitive areas.

1. Rich Authorization Requests
https://tools.ietf.org/html/draft-lodderstedt-oauth-rar
Justin Richer, Bespoke Engineering
Torsten Lodderstedt, yes.com

2. Problem Statement
● Expressiveness of scopes is not sufficient for emerging OAuth scenarios, e.g.
open banking
● Allocation of requested permissions to resource server specific access tokens
is hard (despite resource indicators)

3. Example: Authorization in Financial APIs

4. ®
Requirements from PSD2 regulation
● Consent: customer consent is required, either for individual requests
or as mandate for designated payment accounts and associated
payment transactions
● Dynamic Linking: payment initiation requests must must be bound to
amount and payee as approved by the customer

5. Authorization Information
{
"instructedAmount":{
"currency":"EUR",
"amount":"123.50"
},
"debtorAccount":{
"iban":"DE40100100103307118608"
},
"creditorName":"Merchant123",
"creditorAccount":{
"iban":"DE02100100109307118603"
},
"remittanceInformationUnstructured":"Ref Number Merchant"
}
Challenge:
More dynamic and complex than currently supported by OAuth through scopes

6. ®
(Selected) Solutions in the PSD2 Wild
● NextGenPSD2
○ external resource (payment or consent)
○ reference in (dynamic) scope value, e.g., “pis:12345678”
● UK OB
○ external resource (payment or consent)
○ reference in consent_id claim in claims parameter in signed request
object
● Polish API
○ static scope values + JSON-based scope_details request parameter
○ OAuth authorization request as HTTP POST to AS, which returns
transaction redirect URL (PL)

7. Time for something more suitable ...

8. authorization_details
● JSON array containing
API-specific authorization objects
● Draft introduces a set of common
data type fields for use across
different APIs, e.g. type, locations,
actions
● Based on work in the FAPI WG
and on OAuth XYZ
● Authors:
○ Justin Richer
○ Brian Campbell
○ Torsten Lodderstedt

9. authorization_details (where to use)
The request parameter can be used anywhere where the "scope" parameter is
used, e.g:
● Authorization requests as specified in [RFC6749],
● Request objects as specified in [I-D.ietf-oauth-jwsreq],
● Device Authorization Request as specified in [RFC8628].
It is also used in the “resources” element in OAuth.xyz.

10. authorization_details (Examples)

11. Processing
● AS renders user consent based on rich authorization data
● Authorization details need to be passed to RSs (via AT or Introspection)
● Resource indicator is used by client to obtain RS-specific AT associated with
the RS-specific authorization only.

12. Q & A