authorization_ details
Registry Context
A JWT access token can include `authorization_details` as a top-level claim, filtered for the token's specific audience, so the resource server can enforce the approved authorization details.
Technical Summary
RFC 9396 requires the authorization server to make approved authorization-details data available to the resource server. It may include the `authorization_details` field in JWT access tokens or token introspection responses. For JWT access tokens, adding the audience-filtered authorization details object as a top-level claim is recommended.
When Used
When an authorization server conveys rich authorization details to a resource server in a JWT access token.
Normative Requirements
AS
RFC 9396 - Section 9
make the approved authorization-details data available to the RS..
Condition: to enable the RS to enforce the authorization details approved during the authorization process
AS MUST make this data available to the RS
RFC 9396 - Section 9.1
add the authorization details object, filtered to the specific audience, as a top-level claim..
Condition: if the access token is a JWT
AS is RECOMMENDED to add the authorization details object
RFC 9396 - Section 9
add the `authorization_details` field to JWT access tokens or token introspection responses..
AS MAY add the authorization_details field
Validation Guidance
Verify that the AS makes the approved authorization-details data available to the RS for enforcement.
If a JWT access token contains `authorization_details`, verify that it is a top-level claim.
Verify that the `authorization_details` object in a JWT access token is filtered to the token's specific audience.
The AS may convey `authorization_details` in either a JWT access token or a token introspection response.
Reference
Details
- Entry Id
authorization_details - Claim Name
authorization_details - Claim Description
The claim authorization_details contains a JSON array of JSON objects representing the rights of the access token. Each JSON object contains the data to specify the authorization requirements for a certain type of resource. - Change Controller
IETF- Reference
RFC9396 - Section 9.1