
[Feature] [Phase-1] Enhance access control with Rich Authorization Requests (RFC 9396) #22409

Open
7 tasks
VimukthiRajapaksha opened this issue Jan 24, 2025 · 0 comments

@VimukthiRajapaksha (Contributor)

Description

Traditional OAuth 2.0 requires third-party applications to request broad permissions to access protected resources. This leads to:

  • Unnecessary Data Access: Applications may access data and resources that they do not need, increasing the risk of privacy breaches and data misuse.
  • Limited User Control: Users may not be aware of the extent of permissions they grant, limiting their control over data usage.

For example, imagine a third-party fitness app that nudges you to take breaks during your workday. To track your activity and remind you to move, it wants to access your smartwatch's health data. The app requests a broad "health_data:read" scope. You have no choice but to grant access to everything, including sensitive data like heart rate, blood pressure, and sleep patterns, even if the app only needs your step count during office hours.

Third-party applications accessing more data than necessary increases the risk of privacy breaches and unauthorized data use, potentially compromising sensitive information like health records or financial data.

Intended audience for this feature

External

Release note for the intended audience

Strengthens the security of OAuth 2.0-based integrations by adopting granular permissions aligned with the RFC 9396 specification. Key benefits include:

  • Reduced Data Exposure: Clients can now request specific data permissions instead of broad scopes, minimizing the amount of user data accessible.
  • Improved User Control: Granular permissions empower users to grant applications access to only the data they deem necessary.
  • Enhanced Compliance: Adherence to RFC 9396 standards ensures compatibility with other compliant systems and promotes industry best practices in data security.
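The two sides of the fitness-app scenario above, as an added example that is not code from this issue or from the product it targets: the client builds an RFC 9396 authorization request whose `authorization_details` array asks for step counts only, the authorization server validates the parameter (rejecting unknown types, as RFC 9396 requires), and the resource server enforces the granted details instead of a blanket `health_data:read` scope. The `health_data` type, its `time_window` field, the datatype names and the hostnames are constructed for this illustration; RFC 9396 defines only the `type`, `locations`, `actions`, `datatypes`, `identifier` and `privileges` fields and leaves type-specific fields to each deployment.

```python
import json
from datetime import datetime, time
from urllib.parse import parse_qs, urlencode, urlparse

# Types the (hypothetical) authorization server would list under
# authorization_details_types_supported. "health_data" is a constructed type for
# this example, not one defined by RFC 9396 or by any real product.
SUPPORTED_TYPES = {"health_data"}
KNOWN_DATATYPES = {"step_count", "heart_rate", "blood_pressure", "sleep_patterns"}


def build_authorization_url(issuer, client_id, redirect_uri, authorization_details):
    """Client side: an RFC 9396 authorization request. The authorization_details
    array is sent as a single URL-encoded JSON query parameter next to the
    ordinary OAuth 2.0 parameters."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "authorization_details": json.dumps(authorization_details, separators=(",", ":")),
    }
    return f"{issuer}/authorize?" + urlencode(params)


def parse_authorization_details(url):
    """Authorization-server side: extract and validate the parameter.
    Accepts only a non-empty JSON array of objects, each with a string "type"
    the server supports; RFC 9396 requires the AS to refuse unknown types."""
    query = parse_qs(urlparse(url).query)
    raw = query.get("authorization_details")
    if not raw:
        raise ValueError("authorization_details missing")
    details = json.loads(raw[0])
    if not isinstance(details, list) or not details:
        raise ValueError("authorization_details must be a non-empty JSON array")
    for entry in details:
        if not isinstance(entry, dict) or not isinstance(entry.get("type"), str):
            raise ValueError("each entry must be an object with a string 'type'")
        if entry["type"] not in SUPPORTED_TYPES:
            raise ValueError(f"unsupported authorization details type: {entry['type']}")
        # Type-specific validation for the constructed "health_data" type.
        if not set(entry.get("datatypes", [])) <= KNOWN_DATATYPES:
            raise ValueError("unknown datatype requested")
    return details


def _in_window(window, at):
    """True if the wall-clock time of 'at' lies inside the constructed time_window."""
    start = time.fromisoformat(window["start"])
    end = time.fromisoformat(window["end"])
    return start <= at.time() <= end


def is_access_permitted(granted, datatype, action, at_iso):
    """Resource-server side: 'granted' is the authorization_details array the AS
    returned with the token (or in an introspection response). Access is allowed
    only if some entry covers the datatype, the action and the time window, so a
    token minted for step counts never unlocks heart-rate data."""
    at = datetime.fromisoformat(at_iso)
    for entry in granted:
        if entry.get("type") != "health_data":
            continue
        if datatype not in entry.get("datatypes", []):
            continue
        if action not in entry.get("actions", []):
            continue
        window = entry.get("time_window")
        if window and not _in_window(window, at):
            continue
        return True
    return False


# Constructed request: the fitness app asks for read access to step counts during
# office hours, instead of the broad "health_data:read" scope.
FITNESS_APP_DETAILS = [{
    "type": "health_data",
    "actions": ["read"],
    "datatypes": ["step_count"],
    "locations": ["https://health.example/api"],
    "time_window": {"start": "09:00", "end": "17:00"},  # constructed, type-specific field
}]

if __name__ == "__main__":
    url = build_authorization_url("https://as.example", "fitness-app",
                                  "https://fitness.example/cb", FITNESS_APP_DETAILS)
    granted = parse_authorization_details(url)
    print(is_access_permitted(granted, "step_count", "read", "2025-01-24T10:00:00"))  # True
    print(is_access_permitted(granted, "heart_rate", "read", "2025-01-24T10:00:00"))  # False
    print(is_access_permitted(granted, "step_count", "read", "2025-01-24T20:00:00"))  # False
```

The point of the resource-server check is that the decision is driven by the structured details the user actually consented to, so the "only step counts, only during office hours" grant from the example is enforceable rather than a promise the app makes on the consent screen; an authorization server that skips the unknown-type rejection would silently issue tokens whose meaning no resource server can interpret.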

Delivery

  • Architecture group discussion

    • Mail: [Architecture] Rich Authorization Requests (RAR) for Fine-Grained Access Control in OAuth 2.0
  • Architecture review

    • < TODO: link to review 1 >
  • Code review

    • < TODO: link to review 1 >
  • Test coverage

  • Documentation

    • TODO: Link the overall document containing comprehensive details about the document
  • Demo Recording

    • TODO: Link the recording of the final demo on the complete delivery
  • QA verification
