Presentation of RAR to VC HTTP API group

Hi Justin,

Thank you for volunteering to walk the VC HTTP API group through the potential
application of Rich Authorization Requests to the VC HTTP API.

You had mentioned that you might be able to present something by next Tuesday's
call (but assuming your current workload is high, the following week would be
fine too -- up to you to determine where this is on your list of priorities).

You had requested the current VC HTTP API documentation in order to understand
the endpoints that need authorization protection. The current documentation is

I'm not including the holder APIs because they're still a bit green and
haven't received a lot of group review yet.

At this point, demonstrating and/or answering at least the following questions
would probably be useful:

* A concrete life cycle example of RAR as applied to the
  VC HTTP API. How do you get the token with RAR stuff
  inside of it? What do you put in the RAR section? How
  does the server process the token? How does one deploy
  this today? The /verify endpoint would most likely be
  the simplest example.

* Where is RAR deployed today and is it supported by
  the big vendors (Auth0, Okta, Ping, Cognito, etc.)?
  How many software libraries support RAR today?

* When will RAR be a standard? Are there any RFC
  challenges that you can see at this point?

* Are there other things you need on top of RAR to do
  things like delegation or attenuated delegation? If so,
  are these solutions standardized (or on their way to

... and, of course, anything else you feel relevant. If you could plan for a
15 minute presentation followed by at least 15-30 minutes of discussion, that
would probably be a good target.

-- manu

Manu Sporny -
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)

Received on Thursday, 24 June 2021 16:21:39 UTC