[OAUTH-WG] Protocol Action: 'OAuth 2.0 Rich Authorization Requests' to Proposed Standard (draft-ietf-oauth-rar-22.txt)
The IESG <iesg-secretary@ietf.org> Thu, 29 December 2022 16:06 UTC
The IESG has approved the following document:

- 'OAuth 2.0 Rich Authorization Requests' (draft-ietf-oauth-rar-22.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Paul Wouters and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

Technical Summary

The OAuth 2.0 authorization framework [RFC6749] defines the parameter scope that allows OAuth clients to specify the requested scope, i.e., the permission, of an access token. This mechanism is sufficient to implement static scenarios and coarse-grained authorization requests, such as "give me read access to the resource owner's profile", but it is not sufficient to specify fine-grained authorization requirements, such as "please let me transfer an amount of 45 Euros to Merchant A" or "please give me read access to folder A and write access to file X". This specification introduces a new parameter authorization_details that allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON data structures.

Working Group Summary

There were no controversial discussions related to this document. A few key changes were made based on GENART review.

Document Quality

There are several implementations and deployments of this specification available, such as:

- the Yes banking ecosystem (with ~1200 IDPs) uses RAR for authorising payment initiation and qualified electronic signatures.
- ConnectID product implementation, see https://connect2id.com/products/server/docs/datasheet#rar
- Authlete supports RAR since version 2.2, and it is confirmed that at least one of their customers is operating a commercial service that utilizes RAR with CIBA as of April 2022.

Additionally, other organizations use this specification as a foundation for their work. For example:

- The Cloud Signature Consortium included RAR as a means to authorise electronic signatures in v2.0 of its API for remote signature creation (https://cloudsignatureconsortium.org/resources/).
- OpenID Foundation's FAPI working group added RAR support to the FAPI 2 baseline profile (https://openid.net/specs/fapi-2_0-baseline-01.html).

Personnel

Document Shepherd = Hannes Tschofenig
Responsible AD = Roman Danyliw
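The two fine-grained requests quoted in the Technical Summary, worked through as an added example that is not part of this announcement, the draft, or any implementation listed above: an authorization server check that each authorization_details object carries a "type" the client is registered for, and resource server checks that a token's details cover a given file action or payment. The client registry, the type names "payment_initiation" and "file_access", and the field names inside each object are constructed for this example, not values the page defines.

```python
import json
from decimal import Decimal

# Constructed client registrations (an assumption for this example): the
# authorization_details "type" values each client has been registered for.
CLIENT_TYPES = {"merchant-app": {"payment_initiation"}, "docs-app": {"file_access"}}

def validate_authorization_details(client_id, raw):
    """AS-side check of the request parameter; raises ValueError when the AS must refuse."""
    details = json.loads(raw)
    if not isinstance(details, list) or not details:
        raise ValueError("authorization_details must be a non-empty JSON array")
    allowed = CLIENT_TYPES.get(client_id, set())
    for obj in details:
        if not isinstance(obj, dict) or not isinstance(obj.get("type"), str):
            raise ValueError("every authorization detail needs a string 'type'")
        if obj["type"] not in allowed:
            raise ValueError(f"type {obj['type']!r} not registered for {client_id}")
    return details

def rejects(client_id, raw):
    """True if the AS would refuse this authorization_details value."""
    try:
        validate_authorization_details(client_id, raw)
        return False
    except ValueError:
        return True

def allows_action(token_details, action, location):
    """RS-side check (folder/file example): some file_access detail must list both."""
    return any(d.get("type") == "file_access" and action in d.get("actions", [])
               and location in d.get("locations", []) for d in token_details)

def allows_payment(token_details, amount, currency, creditor):
    """RS-side check (payment example): exactly this amount, currency and creditor."""
    for d in token_details:
        amt = d.get("instructedAmount", {})
        if (d.get("type") == "payment_initiation" and amt.get("currency") == currency
                and d.get("creditorName") == creditor
                and Decimal(str(amt.get("amount", "0"))) == Decimal(str(amount))):
            return True
    return False

# Constructed sample requests mirroring the two examples in the summary.
PAYMENT_REQUEST = json.dumps([{"type": "payment_initiation", "creditorName": "Merchant A",
                               "instructedAmount": {"currency": "EUR", "amount": "45.00"}}])
FILE_REQUEST = json.dumps([{"type": "file_access", "actions": ["read"], "locations": ["/folders/A"]},
                           {"type": "file_access", "actions": ["write"], "locations": ["/files/X"]}])
```

The point the checks make is that a payment token authorises one specific transfer and a file token authorises the listed action on the listed location only; anything the detail does not name is refused.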