oauth2.dev

authorization_details

IETF

Registry Context

authorization_details carries a JSON array of authorization-detail objects. Each object has a required type field that determines its permitted contents. It is registered for authorization requests, token requests, and token responses.

Technical Summary

RFC 9396 defines authorization_details as a JSON array of objects describing authorization requirements. Each object's REQUIRED type string identifies its authorization-details type, determines the object's allowable contents, and is unique for the described API in the authorization server's context.

When Used

Authorization request, token request, token response

Normative Requirements

Clients

MUST
1
  1. RFC 9396 - Section 12

    protect authorization_details against tampering and swapping..

    Condition: If the integrity of authorization_details is a concern.

    "clients MUST protect authorization_details against tampering and swapping."

Responses

MUST
2
  1. RFC 9396 - Section 8

    conform to the authorization-error processing rules in Section 5..

    Condition: When processing authorization_details in a token request produces an error.

    "The Token Error Response MUST conform to the rules given in Section 5."

  2. RFC 9396 - Section 9.2

    use the structure defined in Section 2, potentially filtered and extended for the requesting resource server..

    Condition: When included in an introspection response.

    "The authorization_details member MUST contain the same structure defined in Section 2"

A given API

RECOMMENDED
1
  1. RFC 9396 - Section 3.1

    use only one authorization-requirement form: authorization_details or scope..

    Condition: When authorization_details and scope are supported.

    "It is RECOMMENDED that a given API use only one form of requirement specification."

An API

MAY
1
  1. RFC 9396 - Section 2.2

    define fields extending the common authorization-details data fields, subject to the object's type..

    "An API MAY define its own extensions, subject to the type of the respective authorization object."

An authorization_details array

MAY
1
  1. RFC 9396 - Section 2

    contain multiple entries of the same type..

    "An authorization_details array MAY contain multiple entries of the same type."

API designers

RECOMMENDED
2
  1. RFC 9396 - Section 2.1

    choose type values that are easily copied without ambiguity..

    "It is RECOMMENDED that API designers choose type values that are easily copied without ambiguity."

  2. RFC 9396 - Section 2.1

    use a collision-resistant namespace under their control, such as a URI they control..

    Condition: If an application or API is expected to be deployed across different servers.

    "the API designer is RECOMMENDED to use a collision-resistant namespace under their control"

Each authorization_details object

REQUIRED
1
  1. RFC 9396 - Section 2

    include a type field containing a string identifier for the authorization-details type..

    Condition: When an authorization_details array is used.

    "This field is REQUIRED."

Implementers

MAY
1
  1. RFC 9396 - Section 3

    consider using pushed authorization requests to improve flow security, privacy, and reliability..

    Condition: For authorization requests defined by RFC 6749.

    "implementers MAY consider using pushed authorization requests"

The authorization details attached to an access token

MAY
1
  1. RFC 9396 - Section 7.1

    differ from the authorization details requested by the client..

    Condition: As permitted by the applicable authorization-details type definition.

    "The authorization details attached to the access token MAY differ from what the client requests."

The authorization server

MUST
7
  1. RFC 9396 - Section 12

    properly sanitize and handle authorization_details data to prevent injection attacks..

    "The AS MUST properly sanitize and handle the data passed in the authorization_details in order to prevent injection attacks."

  2. RFC 9396 - Section 3.1

    process authorization_details and scope requirements in combination..

    Condition: When both parameters occur in the same authorization request.

    "The AS MUST process both sets of requirements in combination with each other"

  3. RFC 9396 - Section 3.1

    present the merged set of requirements represented by the authorization request..

    Condition: When gathering user consent.

    "the AS MUST present the merged set of requirements represented by the authorization request."

  4. RFC 9396 - Section 5

    refuse to process unknown authorization-details types or authorization details that do not conform to their type definitions..

    "The AS MUST refuse to process any unknown authorization details type or authorization details not conforming to the respective type definition."

  5. RFC 9396 - Section 5

    abort processing and return invalid_authorization_details when an object has an unknown type, unknown fields, incorrectly typed or invalid field values, or missing required fields..

    Condition: If any authorization_details object has one of the listed defects.

    "The AS MUST abort processing and respond with an error invalid_authorization_details"

  6. RFC 9396 - Section 7

    return the authorization_details granted by the resource owner and assigned to the respective access token..

    Condition: In addition to the token response parameters defined by RFC 6749.

    "the AS MUST also return the authorization_details as granted by the resource owner and assigned to the respective access token."

  7. RFC 9396 - Section 9.2

    convey authorization-detail information using authorization_details as a top-level member of the introspection response JSON object..

    Condition: If authorization-detail information for the token is included in an introspection response.

    "the information MUST be conveyed with authorization_details as a top-level member"

MAY
1
  1. RFC 9396 - Section 7

    omit values from the authorization_details returned to the client..

    Condition: When returning a token response.

    "The AS MAY omit values in the authorization_details to the client."

Validation Guidance

error

Ensure authorization_details is a JSON array of objects and every object contains a string type field.

info

Accept multiple authorization_details objects with the same type.

warning

Flag ambiguous type identifiers and, for APIs deployed across different servers, identifiers lacking a collision-resistant namespace.

info

Allow type-specific extension fields only when the applicable authorization-details type permits them.

error

When scope and authorization_details occur together, ensure the authorization server processes both and presents their merged requirements for consent.

error

Reject unknown types, unknown fields, incorrectly typed or invalid values, and missing type-specific required fields with invalid_authorization_details.

error

Ensure token responses return the authorization details assigned to the access token; permit omitted values and type-defined enrichment or reduction.

error

Ensure introspection responses place authorization_details at the top level and preserve the Section 2 structure, allowing resource-server-specific filtering and extension.

error

Protect authorization_details from tampering when integrity matters and sanitize its contents against injection attacks.

info

Compare string values according to RFC 8259 without additional transformation or normalization.

Security Notes

RFC 9396 - Section 12

Authorization details sent through a user agent can be modified by the user; signed request objects or pushed authorization requests can provide integrity protection.

RFC 9396 - Section 12

String equivalence is evaluated according to RFC 8259 without additional transformation or normalization.

RFC 9396 - Section 12

The locations field can restrict authorization to particular resource servers and reduce unintended authorization across multiple resource servers.

Reference

Details

Entry Id
authorization_details
Name
authorization_details
Parameter Usage Location
authorization request, token request, token response
Change Controller
IETF
Reference
RFC9396