Skip to main content

Last Call Review of draft-ietf-oauth-rar-14

Request Review of draft-ietf-oauth-rar
Requested revision No specific revision (document currently at 23)
Type Last Call Review
Team ART Area Review Team (artart)
Deadline 2022-11-17
Requested 2022-10-27
Authors Torsten Lodderstedt , Justin Richer , Brian Campbell
I-D last updated 2022-11-04
Completed reviews Genart Last Call review of -15 by Robert Sparks (diff)
Secdir Last Call review of -15 by Carl Wallace (diff)
Artart Last Call review of -14 by Thomas Fossati (diff)
Opsdir Last Call review of -23 by Qin Wu
Assignment Reviewer Thomas Fossati
State Completed
Request Last Call review on draft-ietf-oauth-rar by ART Area Review Team Assigned
Posted at
Reviewed revision 14 (document currently at 23)
Result Ready
Completed 2022-11-04
This document defines an OAuth parameter ("authorization_details") to
carry fine-grained authorization data in OAuth messages. This allows
APIs to customise their authorization requests and has applicability in
a number of scenarios, e.g.: banking, e-health, accessing tax data, etc.
The document also defines a base vocabulary for expressing common
semantics, which grants consistency in an otherwise completely open

It is a very well written document and was a pleasure to read.

It has a clearly defined goal and well designed mechanisms.

The examples (both JSON and HTTP) are many, very well crafted, and
syntactically impeccable -- apart from a couple of stray ellipses in the
JSON examples of §10, and the snippet in Figure 16, which were the only
alerts I got from my linter.

The IANA requests are in good shape (with only a tiny typo issue, see

Here a couple of very minor reference suggestions:
* §2, when JSON is first mentioned, you could add a pointer to RFC7493
* §2.1, when ASCII is mentioned, you could add a pointer to RFC0020

Please fix these:
* §2.2: "[...] the permissions the client requests is" should be "[...]
  the permissions the client requests are"
* §3: "[...] to improve to security" should be "[...] to improve the
* §15.6: "[...] authorization_details_parameterto" should be
  "[...] authorization_details parameters to" (I think)

Other than that, ship it!