FAPI 2 Baseline: shall support authorization details if scope is not expressive enough needs enhancement to cover standard OIDC claims.
FAPI 2 Baseline requires implementers adopt RAR if scope is not sufficient to convey the intent behind the resource sharing request. The claims parameter can also be used to indicate what identity information should be shared from the user info endpoint or id_token, both of which are resources. Therefore, an interpretation could be made that the absence of the inclusion of both ‘scopes and/or claims’ being viable mechanisms for data sharing prevents the use of the claims parameter for requesting granular identity information, which is not the intent behind this clause.
> shall support the `authorization_details` parameter according to
> [@!I-D.ietf-oauth-rar] to convey the authorization clients want to obtain if
> the `scope` parameter is not expressive enough for that purpose
Perhaps the wording should be adjusted to rule out protected resources served by the authorisation server / connect.
Comments (6)
I think this overlaps with https://bitbucket.org/openid/fapi/issues/416/rar-if-scope-and-claims-param-not
- changed component to FAPI2: Advanced Authorization
- changed status to resolved
PR merged
Perhaps we need a note to explain scope vs RAR vs OIDC claims and why we suggest that OIDC for identity, scope for simple, and RAR for complex…