oauth2.dev

authorization_details

IETF

Registry Context

A JWT access token can include `authorization_details` as a top-level claim, filtered for the token's specific audience, so the resource server can enforce the approved authorization details.

Technical Summary

RFC 9396 requires the authorization server to make approved authorization-details data available to the resource server. It may include the `authorization_details` field in JWT access tokens or token introspection responses. For JWT access tokens, adding the audience-filtered authorization details object as a top-level claim is recommended.

When Used

When an authorization server conveys rich authorization details to a resource server in a JWT access token.

Normative Requirements

AS

MUST
1
  1. RFC 9396 - Section 9

    make the approved authorization-details data available to the RS..

    Condition: to enable the RS to enforce the authorization details approved during the authorization process

    AS MUST make this data available to the RS

RECOMMENDED
1
  1. RFC 9396 - Section 9.1

    add the authorization details object, filtered to the specific audience, as a top-level claim..

    Condition: if the access token is a JWT

    AS is RECOMMENDED to add the authorization details object

MAY
1
  1. RFC 9396 - Section 9

    add the `authorization_details` field to JWT access tokens or token introspection responses..

    AS MAY add the authorization_details field

Validation Guidance

error

Verify that the AS makes the approved authorization-details data available to the RS for enforcement.

warning

If a JWT access token contains `authorization_details`, verify that it is a top-level claim.

warning

Verify that the `authorization_details` object in a JWT access token is filtered to the token's specific audience.

info

The AS may convey `authorization_details` in either a JWT access token or a token introspection response.

Reference

Details

Entry Id
authorization_details
Claim Name
authorization_details
Claim Description
The claim authorization_details contains a JSON array of JSON objects representing the rights of the access token. Each JSON object contains the data to specify the authorization requirements for a certain type of resource.
Change Controller
IETF
Reference
RFC9396 - Section 9.1