
OAuth Rich Authorization Requests (RAR)

SecureAuth supports OAuth 2.0 Rich Authorization Requests (RAR), which enable fine-grained authorization by letting you specify exactly what permissions you're requesting. Instead of generic scopes like read or write, RAR lets you request specific details: exact amounts for bank transfers, which medical records you're accessing, or which files you can share. This gives users transparency and organizations control over high-risk transactions and sensitive data access.

What Rich Authorization Requests (RAR) are

OAuth 2.0 Rich Authorization Requests (RAR) lets you request more specific permissions than standard OAuth scopes allow. Instead of just read or write, RAR lets you specify exactly what data, how much, and from where.

Rich Authorization Requests (RAR) example

Here's a concrete example, taken from RFC 9396: a payment initiation request that includes the exact amount, currency, and recipient account details.

{
  "type": "payment_initiation",
  "locations": [
    "https://example.com/payments"
  ],
  "instructedAmount": {
    "currency": "EUR",
    "amount": "123.50"
  },
  "creditorName": "Merchant A",
  "creditorAccount": {
    "bic": "ABCIDEFFXXX",
    "iban": "DE02100100109307118603"
  },
  "remittanceInformationUnstructured": "Ref Number Merchant"
}

This example shows every detail the user needs to approve: the exact amount (123.50 EUR), who gets paid (Merchant A), and the recipient's account details (IBAN and BIC). The authorization server and the resource server work together to enforce exactly what the user approved: the authorization server presents these details to the user and binds them to the issued token, and the resource server checks each request against them.

Rich Authorization Requests (RAR) structure

RAR adds an authorization_details parameter to the authorization request. Its value is a JSON array of objects. Each object must carry a type field, and the type determines which other fields the object contains and how they are interpreted.

The RFC 9396 standard defines common fields you can include in these objects:

  • locations - URLs of the resource servers where the resource is located.
  • actions - The operations allowed on the resource (for example, read, write, deposit, withdraw).
  • datatypes - The kinds of data being requested (for example, files, photos, contacts).
  • identifier - A specific resource (for example, account-123, patient-987).
  • privileges - The access level being requested (for example, admin).

These fields are optional: include only the ones your use case needs. The type you choose defines which of these fields, and which type-specific fields, are allowed in the object.
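The following is an added example, not SecureAuth's own code, showing both halves of the flow described above: a client placing the RFC 9396 payment_initiation object on the authorization request as the authorization_details parameter, and a resource server checking a requested payment against the details the user approved. The authorization endpoint, client_id and redirect_uri values are assumed placeholders.

```python
import json
from decimal import Decimal
from urllib.parse import urlencode

# Constructed sample: the payment_initiation object from RFC 9396, as the
# client would send it in the authorization_details array.
PAYMENT_DETAILS = [{
    "type": "payment_initiation",
    "locations": ["https://example.com/payments"],
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "creditorName": "Merchant A",
    "creditorAccount": {"bic": "ABCIDEFFXXX", "iban": "DE02100100109307118603"},
    "remittanceInformationUnstructured": "Ref Number Merchant",
}]


def build_authorization_request(authorize_url, client_id, redirect_uri, details):
    """Client side: attach authorization_details (a JSON array) to the
    authorization request. RFC 9396 requires a type on every object, so
    refuse to send a malformed array instead of letting the server guess."""
    for obj in details:
        if "type" not in obj:
            raise ValueError("every authorization_details object needs a type")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "authorization_details": json.dumps(details, separators=(",", ":")),
    }
    return f"{authorize_url}?{urlencode(params)}"


def payment_is_authorized(granted_details, payment, resource_url):
    """Resource server side: accept a payment only if a granted
    payment_initiation object covers this resource location and matches the
    amount, currency and creditor IBAN exactly. Anything not explicitly
    approved by the user is denied (default deny)."""
    for obj in granted_details:
        if obj.get("type") != "payment_initiation":
            continue
        if resource_url not in obj.get("locations", []):
            continue
        amt = obj.get("instructedAmount", {})
        acct = obj.get("creditorAccount", {})
        # Compare amounts as decimals so "123.5" and "123.50" are equal.
        if (amt.get("currency") == payment["currency"]
                and Decimal(amt.get("amount", "0")) == Decimal(payment["amount"])
                and acct.get("iban") == payment["iban"]):
            return True
    return False
```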

Rich Authorization Requests (RAR) use case

When you need RAR

Use RAR when standard OAuth scopes aren't detailed enough to describe what you're authorizing. Common scenarios include:

  • Bank transfers - You need to specify the exact amount, currency, recipient account, and whether the user can initiate single or recurring transfers.
  • Medical data access - You need to specify which medical records, which time period, and which types of providers can access them.
  • File sharing - You need to specify which files, folders, or document types, and whether access is read-only or read-write.

Why standard scopes fall short

Standard OAuth scopes like read and write are generic. They can't express the fine-grained details users need in order to understand and approve a request. For example:

  • A bank app can request a payment_write scope, but the user can't see that they're authorizing a 5,000 EUR transfer to a specific account.
  • A healthcare app can request a medical_records_read scope, but the user can't see which medical records or which time period are covered.

How RAR solves it

RAR lets you include all the specific details in the authorization request itself. The user sees exactly what they're approving, and the authorization server can bind those specific permissions to the issued token so the resource server can enforce them. This gives users transparency and control, and lets organizations implement precise authorization rules.

See also