features.richAuthorizationRequests
This content is for v8.x. Switch to the latest version for up-to-date documentation.
RFC9396 - OAuth 2.0 Rich Authorization Requests
Enables the authorization_details parameter at the authorization and token endpoints so that Access Tokens can be issued with fine-grained authorization data.
default value:

```js
{
  ack: undefined,
  enabled: false,
  rarForAuthorizationCode: [Function: rarForAuthorizationCode], // see expanded details below
  rarForCodeResponse: [Function: rarForCodeResponse], // see expanded details below
  rarForIntrospectionResponse: [Function: rarForIntrospectionResponse], // see expanded details below
  rarForRefreshTokenResponse: [Function: rarForRefreshTokenResponse], // see expanded details below
  types: {}
}
```

features.richAuthorizationRequests options details
rarForAuthorizationCode
Function used to transform the requested and granted RAR details that are then stored in the authorization code. Returns an array of details or undefined.
default value:

```js
rarForAuthorizationCode(ctx) {
  // decision points:
  // - ctx.oidc.client
  // - ctx.oidc.resourceServers
  // - ctx.oidc.params.authorization_details (unparsed authorization_details from the authorization request)
  // - ctx.oidc.grant.rar (authorization_details granted)
  throw new Error('features.richAuthorizationRequests.rarForAuthorizationCode not implemented');
}
```

rarForCodeResponse
Function used to transform the requested and granted RAR details to be returned in the Access Token Response as authorization_details as well as assigned to the issued Access Token. Returns an array of details or undefined.
default value:

```js
rarForCodeResponse(ctx, resourceServer) {
  // decision points:
  // - ctx.oidc.client
  // - resourceServer
  // - ctx.oidc.authorizationCode.rar (previously returned from rarForAuthorizationCode)
  // - ctx.oidc.params.authorization_details (unparsed authorization_details from the body params in the Access Token Request)
  // - ctx.oidc.grant.rar (authorization_details granted)
  throw new Error('features.richAuthorizationRequests.rarForCodeResponse not implemented');
}
```

rarForIntrospectionResponse
Function used to transform the requested and granted RAR details to be returned in the Access Token Response as authorization_details as well as assigned to the issued Access Token. Returns an array of details or undefined.
default value:

```js
rarForIntrospectionResponse(ctx, token) {
  // decision points:
  // - ctx.oidc.client
  // - token.kind
  // - token.rar
  // - ctx.oidc.grant.rar
  throw new Error('features.richAuthorizationRequests.rarForIntrospectionResponse not implemented');
}
```

rarForRefreshTokenResponse
Function used to transform the requested and granted RAR details to be returned in the Access Token Response as authorization_details as well as assigned to the issued Access Token. Returns an array of details or undefined.
default value:

```js
rarForRefreshTokenResponse(ctx, resourceServer) {
  // decision points:
  // - ctx.oidc.client
  // - resourceServer
  // - ctx.oidc.refreshToken.rar (previously returned from rarForAuthorizationCode and later assigned to the refresh token)
  // - ctx.oidc.params.authorization_details (unparsed authorization_details from the body params in the Access Token Request)
  // - ctx.oidc.grant.rar
  throw new Error('features.richAuthorizationRequests.rarForRefreshTokenResponse not implemented');
}
```

types
Supported authorization details type identifiers.
default value:

```js
{}
```

Example, based on the tax data authorization details type from https://www.rfc-editor.org/rfc/rfc9396.html#appendix-A.3:
```js
import { z } from 'zod';
import { errors } from 'oidc-provider';

const { InvalidAuthorizationDetails } = errors;

// Schema for one `tax_data` authorization detail; .strict() rejects unknown keys
const TaxData = z
  .object({
    duration_of_access: z.number().int().positive(),
    locations: z.array(z.literal('https://taxservice.govehub.no.example.com')).length(1),
    actions: z.array(z.literal('read_tax_declaration')).length(1),
    periods: z
      .array(
        z.coerce
          .number()
          .max(new Date().getFullYear() - 1)
          .min(1997)
      )
      .min(1),
    tax_payer_id: z.string().min(1),
  })
  .strict();

const configuration = {
  features: {
    richAuthorizationRequests: {
      enabled: true,
      // ...
      types: {
        tax_data: {
          validate(ctx, detail, client) {
            // safeParse reports failure in its result instead of throwing a ZodError,
            // so a schema violation can be mapped to the protocol-level error
            const { success: valid } = TaxData.safeParse(detail);
            if (!valid) {
              throw new InvalidAuthorizationDetails();
            }
          },
        },
      },
    },
  },
};
```
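The hooks above decide, at each step, which details travel with the authorization code and which end up in an Access Token. As an added example (not oidc-provider's own code) this shows a consistent rarForAuthorizationCode and rarForCodeResponse pair that never issues a detail the end-user did not grant and scopes each token's details to its resource server; the shapes of ctx.oidc.params.authorization_details (raw JSON string), ctx.oidc.grant.rar and resourceServer.audience are assumptions.

```javascript
// Added example, not oidc-provider's own code: two RAR hooks that issue only what
// the end-user granted. Assumed shapes: ctx.oidc.params.authorization_details is the
// raw JSON string, ctx.oidc.grant.rar the granted array, resourceServer.audience the
// resource server's identifier.
function parseRequested(ctx) {
  const raw = ctx.oidc.params.authorization_details;
  if (raw === undefined) return undefined;
  const details = JSON.parse(raw);
  if (!Array.isArray(details)) throw new Error('authorization_details must be an array');
  return details;
}

// A requested detail is covered when a granted detail of the same type lists at
// least its actions and locations (a missing field counts as empty).
function covered(requested, granted) {
  const subset = (a = [], b = []) => a.every((x) => b.includes(x));
  return requested.type === granted.type
    && subset(requested.actions, granted.actions)
    && subset(requested.locations, granted.locations);
}

// Stored in the authorization code: reject the request if any detail exceeds the
// grant (a real deployment throws errors.InvalidAuthorizationDetails instead).
function rarForAuthorizationCode(ctx) {
  const requested = parseRequested(ctx);
  if (!requested) return undefined;
  const granted = ctx.oidc.grant.rar ?? [];
  if (!requested.every((d) => granted.some((g) => covered(d, g)))) {
    throw new Error('invalid_authorization_details: request exceeds the grant');
  }
  return requested;
}

// Assigned to the access token of one resource server: keep only details whose
// locations include that server, so a tax-API token carries no payroll rights.
function rarForCodeResponse(ctx, resourceServer) {
  const stored = ctx.oidc.authorizationCode.rar;
  if (!stored) return undefined;
  const out = stored.filter((d) => (d.locations ?? []).includes(resourceServer.audience));
  return out.length ? out : undefined;
}

// Constructed sample: the grant covers the tax and payroll locations for reading.
function sampleCtx(requested) {
  const grant = { rar: [{ type: 'tax_data', actions: ['read_tax_declaration'],
    locations: ['https://tax.example', 'https://payroll.example'] }] };
  return { oidc: { params: { authorization_details: JSON.stringify(requested) },
    grant, authorizationCode: {} } };
}
```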