Support Rich Authorization Requests (RAR) - RFC 9396

Issue #424 resolved
Yavor Vasilev created an issue

As raw JSON object parameters, and possibly as a type-safe AuthorizationDetails object.

Comments (11)

  1. Bryan McQuade

    Our team has implemented rich authorization support atop Nimbus OAuth SDK (thank you for the SDK!), for the token endpoint (we do not currently have a need to support it for the authorization endpoint). Our implementation is in Scala, so it wouldn’t make sense to contribute to the open source project, but we’d be happy to work with you on defining the API the SDK exposes to clients if that would be helpful.

    Thanks again for the SDK. It has worked really well for us.

  2. Vladimir Dzhuvinov

    Hi Bryan,

    Thanks a lot for this offer! Is your RAR implementation open source or available to be read?

  3. Bryan McQuade

    Our implementation is not open source, but it’s reasonably simple. I think the core thing we have found valuable is having an AuthorizationDetail class (or similar name) which makes it easy to determine the type as well as to get the full set of json properties in the object, e.g.

    // Sketch of the wrapper API (declared as an interface so it compiles as-is)
    interface AuthorizationDetail {
        // the mandatory RAR "type" member
        String getType();
        // the full authorization detail object, for type-specific handlers
        JSONObject getJSONObject();
    }

    This is really just a convenience wrapper on JSONObject but ‘type’ is a core property of RAR so we have found it beneficial to provide a getter for this rather than just passing around JSONObjects.

    We dispatch handling of objects depending on type. The handler consumes the JSONObject, reading the fields expected for the given type.

    Though we don’t use them, since they are standard properties, it could also potentially be useful to expose getters for the standard properties in the RFC: locations, actions, datatypes, identifier, and privileges, e.g.

    // Same sketch, extended with getters for the common members defined in RFC 9396
    interface AuthorizationDetail {
        String getType();
        JSONObject getJSONObject();
        // optional common members; absent in the JSON means empty / null here
        List<String> getLocations();
        List<String> getActions();
        List<String> getDatatypes();
        String getIdentifier();
        List<String> getPrivileges();
    }

    Happy to answer other questions if you have any. Thanks again.
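    The wrapper-plus-dispatch approach Bryan describes, worked through as an added example (this is not code from the thread or from the Nimbus SDK). It assumes the json-smart library (net.minidev.json), which the SDK depends on; the type names "account_information" and "payment_initiation", the handler map and the sample request parameter are constructed for the example. Parsing checks the mandatory "type" member and refuses any type the server does not advertise, which is the behaviour RFC 9396 expects from an authorization server that receives a detail it cannot process.

```java
// Added example (not Nimbus SDK code): a wrapper in the spirit of the AuthorizationDetail
// class above, plus type-gated parsing of authorization_details and per-type dispatch.
// Assumes the json-smart library (net.minidev.json), a Nimbus OAuth SDK dependency.
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import net.minidev.json.parser.JSONParser;
import net.minidev.json.parser.ParseException;

import java.util.*;
import java.util.function.Consumer;

public final class RarDemo {

    /** Convenience wrapper: "type" is mandatory (RFC 9396 section 2); the other members are optional. */
    public static final class AuthorizationDetail {
        private final JSONObject json;

        AuthorizationDetail(JSONObject json) {
            Object t = json.get("type");
            if (!(t instanceof String) || ((String) t).isEmpty()) {
                throw new IllegalArgumentException("authorization detail is missing a string \"type\"");
            }
            this.json = json;
        }

        public String getType() { return (String) json.get("type"); }
        public JSONObject getJSONObject() { return json; }
        public List<String> getLocations() { return stringList("locations"); }
        public List<String> getActions() { return stringList("actions"); }
        public List<String> getDatatypes() { return stringList("datatypes"); }
        public List<String> getPrivileges() { return stringList("privileges"); }
        public String getIdentifier() {
            Object v = json.get("identifier");
            return v instanceof String ? (String) v : null;
        }

        // Common members are arrays of strings; anything else is a malformed request, not a value to coerce.
        private List<String> stringList(String name) {
            Object v = json.get(name);
            if (v == null) return Collections.emptyList();
            if (!(v instanceof JSONArray)) throw new IllegalArgumentException("\"" + name + "\" must be a JSON array");
            List<String> out = new ArrayList<>();
            for (Object o : (JSONArray) v) {
                if (!(o instanceof String)) throw new IllegalArgumentException("\"" + name + "\" must contain only strings");
                out.add((String) o);
            }
            return Collections.unmodifiableList(out);
        }
    }

    /** Parses the authorization_details parameter, rejecting any type the server does not support. */
    public static List<AuthorizationDetail> parse(String rawParam, Set<String> supportedTypes) throws ParseException {
        Object parsed = new JSONParser(JSONParser.MODE_RFC4627).parse(rawParam);
        if (!(parsed instanceof JSONArray)) throw new IllegalArgumentException("authorization_details must be a JSON array");
        List<AuthorizationDetail> details = new ArrayList<>();
        for (Object o : (JSONArray) parsed) {
            if (!(o instanceof JSONObject)) throw new IllegalArgumentException("each authorization detail must be a JSON object");
            AuthorizationDetail d = new AuthorizationDetail((JSONObject) o);
            if (!supportedTypes.contains(d.getType())) {
                // A server that does not understand a type must refuse the request (invalid_authorization_details)
                throw new IllegalArgumentException("unsupported authorization detail type: " + d.getType());
            }
            details.add(d);
        }
        return details;
    }

    public static void main(String[] args) throws ParseException {
        // Constructed sample request parameter; the type names are made up for this example.
        String authorizationDetails = "[{\"type\":\"account_information\","
            + "\"actions\":[\"list_accounts\",\"read_balances\"],"
            + "\"locations\":[\"https://example.com/accounts\"]},"
            + "{\"type\":\"payment_initiation\",\"identifier\":\"acct-123\","
            + "\"actions\":[\"initiate\"]}]";

        // One handler per type; the handler reads the members it expects from the wrapped object.
        Map<String, Consumer<AuthorizationDetail>> handlers = new HashMap<>();
        handlers.put("account_information",
            d -> System.out.println("accounts: actions=" + d.getActions() + " locations=" + d.getLocations()));
        handlers.put("payment_initiation",
            d -> System.out.println("payment: identifier=" + d.getIdentifier() + " actions=" + d.getActions()));

        // The handler keys double as the set advertised in authorization_details_types_supported.
        for (AuthorizationDetail d : parse(authorizationDetails, handlers.keySet())) {
            handlers.get(d.getType()).accept(d);
        }

        // A detail with an unadvertised type never reaches a handler.
        try {
            parse("[{\"type\":\"unknown_type\"}]", handlers.keySet());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

    Keeping the supported-type set and the handler map in step is the point of the design: a detail that parses cleanly but has no handler is an error at the request boundary, not something to pass through to the token or consent logic.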

  4. Vladimir Dzhuvinov

    Thanks Bryan. This looks good. We may additionally make the “location”, “action”, etc. type-safe, rather than use Strings.

  5. Yavor Vasilev reporter

    Here we have the type-safe authZ detail class, in a new rar package: 6b3c9d61607e7121b06e6b9bbeda14ba09ba23d1

    The next step is to add authorization_details to the various requests, the token response, etc.

  6. Yavor Vasilev reporter

    On Maven Central now:

    version 10.12 (2023-07-31)
    * Adds OAuth 2.0 Rich Authorization Requests (RAR) (RFC 9396) support.
    * AuthorizationRequest receives authorization_details (RAR) support.
    * AuthenticationRequest receives authorization_details (RAR) support.
    * TokenRequest receives authorization_details (RAR) support.
    * The Bearer and DPoP AccessToken classes receive authorization_details (RAR) support.
    * The AccessTokenResponse receives authorization_details (RAR) support.
    * The TokenIntrospectionSuccessResponse receives authorization_details (RAR) support.
    * AuthorizationServerMetadata and OIDCProviderMetadata receive authorization_details_types_supported (RAR) support.
    * ClientMetadata and OIDCClientMetadata receive authorization_details_types_supported (RAR) support.
    * Adds OAuth2Error.INVALID_AUTHORIZATION_DETAILS constant for RAR.
    * Identifier.toStringList(Collection) must omit null items (iss #430).

    happy coding