Difference between revisions of "Authorization Request"

Latest revision as of 10:32, 25 March 2021

Full Title or Meme

Simply put the Authorization Request is sent from one service to another to request for access to a protected resource.

Context

• In the context of Identity Management the Authorization Request is sent by the Relying Party (RP) to an Authorization Endpoint to acquire sufficient information about the user to establish an authenticated communication session.
• The Authorization Request was formally described in OAuth 2.0 to be a collection of query parameters to be added to a URL for exmaple /Auhtorize?parm1=value1& other clam ins as appropriate.

Problems

There are multiple limitations that have been discovered with OAuth 2.,0 since it was created.

1. The number of services involved in an Authorization Request have increased substantially over the 2 service model in OAuth 2.,0
2. TLS not use
3. Browsers were not secure
4. The simple design cannot cope with complex requests. Scopes have been overloaded to solve some of these limitations. For example in the FAPI spec.

Solutions

• A series of RFCs on extensions to the Authorization Request were developed during 2020. These are well describe in a presentation for Auth0.

RAR

The Rich Authorization Request (RAR) brings more expressive power to the Authorization Request. In RAR an Authorization Details structure is added to allow rich expressive power.

JAR

The JWT Authorization Request (JAR) adds the json structure that can be signed and encrypted for better security.

PAR

The Pushed Authorization Request (PAR) enables a large RAR to be sent directly between servers rather than use the URL method of OAuth 2.0.PAR defines the Pushed Authorization Endpoint as the destination of the RAR.

References