Re: RAR resources? from Justin Richer on 2021-07-12 (public-credentials@w3.org from July 2021)

From: Justin Richer <jricher@mit.edu>
Date: Mon, 12 Jul 2021 14:06:44 -0400
To: Brian Richter <brian@aviary.tech>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Message-Id: <F44FED68-3760-452D-B725-C5564A1FAB52@mit.edu>

RAR has been implemented and is available in Authlete (and supporting libraries):

https://www.authlete.com/developers/relnotes/2.2.8/ <https://www.authlete.com/developers/relnotes/2.2.8/>

And in Connect2ID (and supporting libraries):

https://connect2id.com/blog/connect2id-server-12 <https://connect2id.com/blog/connect2id-server-12>

I know there are others out there, too, but these I’ve worked with.

But ultimately I think the “newness” argument is red herring here from a spect that is, itself, much newer than RAR, and I would argue more narrowly focused as well.

Interoperability would not be hindered by its adoption for one simple reason: interoperability (at the same level) will be completely undefined without it, as every implementation would need to come up with its own set of scopes, RAR types, or other methods to describe access.

 — Justin

> On Jul 12, 2021, at 1:50 PM, Brian Richter <brian@aviary.tech> wrote:
> 
> Hello list,
> 
> As I've been digging into RAR a little bit and trying to see how it might fit within the VC-HTTP-API work I have found some great resources speaking about what RAR, PAR and JAR are.
> https://medium.com/oauth-2/rich-oauth-2-0-authorization-requests-87870e263ecb
>  <https://medium.com/oauth-2/rich-oauth-2-0-authorization-requests-87870e263ecb>
> https://pt.slideshare.net/TorstenLodderstedt/rich-authorization-requests
>  <https://pt.slideshare.net/TorstenLodderstedt/rich-authorization-requests>
> https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-rar
>  <https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-rar>
> https://youtu.be/g_aVPdwBTfw?t=1240 <https://youtu.be/g_aVPdwBTfw?t=1240>
> It seems like these have yet to make it into anything available from Auth0 or Okta and I have not found anything available on github..
> 
> I was wondering if anybody knows of any open source implementations out there or are these things simply too new? RAR does instinctively feel like a good fit for the work in question however I share the concerns Orie and others do regarding including something that nobody has experience with..
> 
> Doing so would likely hinder widespread interoperability.
> 
> If anybody can speak to some real world implementations I would love to hear about it.
> 
> Thanks,
> Brian

Received on Monday, 12 July 2021 18:06:59 UTC