OAuth 2.0 Rich Authorization Requests
draft-ietf-oauth-rar-23

Thank you for the work on this document.

Many thanks to Thomas Fossati for his ART ART review: https://mailarchive.ietf.org/arch/msg/art/EckO_3zF-gnI83Q_HmO5xREursI/ and thanks to the authors for addressing Thomas' comments.

No other comments from me, just a note: I was wondering if it wouldn't have made sense to informally reference and discuss in a short paragraph RFC9237 and its applicability to OAuth given its content - I will accept that it might not be the case since 9237 is really intended for Ace and IoT but the similarities made me question it.

Francesca

Thanks for the work put into this.  Seems like it's in good shape.

Thank you to Thomas Fossati for the ARTART review.

"MUST consider" in Section 3.1 is curious.  How does an implementation comply with something like "consider"?

Why is the "RECOMMENDED" in Section 9.1 not a MUST?  The text in Section 9 just above it suggest something stronger.

In Section 7.1, I can't understand what's meant by "This mechanic ...".

# Éric Vyncke, INT AD, comments for draft-ietf-oauth-rar-19
CC @evyncke

Thank you for the work put into this document. It is very easy to read and quite powerful.

Please find below one non-blocking COMMENT point (rather a suggestion).

Special thanks to Hannes Tschofenig for the shepherd's detailed write-up including the WG consensus ***but*** missing the justification of the intended status. 

I hope that this review helps to improve the document,

Regards,

-éric

## COMMENTS

### Section 1

I like the use of EUR rather than USD ;-) 

Suggest to also add "bic" in addition to "iban" to be consistent with https://en.wikipedia.org/wiki/Single_Euro_Payments_Area 

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF], You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues. 

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments

The datatracker page should indicate that this document replaces draft-lodderstedt-oauth-rar.

# GEN AD review of draft-ietf-oauth-rar-18

CC @larseggert

Thanks to Robert Sparks for the General Area Review Team (Gen-ART) review
(https://mailarchive.ietf.org/arch/msg/gen-art/shFcI11Wajhydi8wJuFM3VaVfkI).

## Comments

### Inclusive language

Found terminology that should be reviewed for inclusivity; see
https://www.rfc-editor.org/part2/#inclusive_language for background and more
guidance:

 * Terms `her` and `his`; alternatives might be `they`, `them`, `their`

## Nits

All comments below are about very minor potential issues that you may choose to
address in some way - or ignore - as you see fit. Some were flagged by
automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
will likely be some false positives. There is no need to let me know what you
did with these suggestions.

### URLs

These URLs in the document did not return content:

 * https://taxservice.govehub.no
 * http://hl7.org/fhir/organization-type
 * http://example.info/claims/groups

I guess these are supposed to be example URLs. Please use the
designated example domain names for this.

### Grammar/style

#### Section 2.1, paragraph 1
```
fication does not require the use of any of these common fields by an API def
                                  ^^^^^^^^^
```
Consider simply using "of" instead.

#### Section 3, paragraph 6
```
 if any of the following are true of any of the objects in authorization_deta
                                  ^^^^^^^^^
```
Consider simply using "of" instead.

#### Section 3, paragraph 10
```
ke security decisions based on whether or not the request is asking for "mor
                               ^^^^^^^^^^^^^^
```
Consider shortening this phrase to just "whether". It is correct though if you
mean "regardless of whether".

#### Section 7, paragraph 6
```
 Token Error Response MUST conform the the rules given in Section 5. 9. Reso
                                   ^^^^^^^
```
Possible typo: you repeated a word.

#### Section 16, paragraph 7
```
* tax_payer_id: identifier of the tax payer (if known to the client) A.4. eH
                                  ^^^^^^^^^
```
This word is normally spelled as one.

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF], You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT].

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments
[IRT]: https://github.com/larseggert/ietf-reviewtool

Hi,

Apologies, but I was a bit short of time this week, and this is somewhat out of my area, so I've only reviewed this as a light level.

I did have one question regarding the security considerations.  Are these JSON structures potentially susceptible to injection attacks if user input isn't properly sanitized and handled, and if so, should there be any text in the security section to warn of this?

Regards,
Rob