Configure Rich Authorization Requests (RAR)

Using Rich Authorization Requests (RAR), clients can request and obtain fine-grained authorization data from resource owners, such as end users, during the Authorization Code Flow and Client-Initiated Backchannel Authentication Flow.

In a Rich Authorization Request, the authorization_details parameter is a JSON array of objects. You can render the authorization_details (for example, transaction details) to the user in a consent prompt or as part of a Multi-factor Authentication challenge.

To configure Rich Authorization Requests for a resource server, you must: 

  1. Configure the consent policy for the resource server. 

  2. Register authorization_details types for the resource server.

  3. Configure the resource server to accept Rich Authorization Requests.

The resource server’s consent policy determines when and how Auth0 renders the Rich Authorization Request and shows the consent prompt to the user. 

The table below summarizes Auth0's standard consent policy behavior for a resource server that accepts Rich Authorization Requests:

| Is it a Rich Authorization Request? | MFA required? | Behavior when the consent policy is standard or undefined |
|---|---|---|
| No | No | Standard consent is shown unless there is a grant that includes the requested access. |
| Yes | No | Customized consent is shown. |
| Yes | Yes, with an authentication factor that is not a push notification | Authorization request is rejected with invalid_request. |
| Yes | Yes, with a push notification factor | Customized consent is shown after the user fulfills the MFA challenge. |
| Yes | Yes, with a push notification factor | No consent is shown. The consent is handled in the mobile application that receives the push notification challenge. |

Set the consent policy in your API settings using the Auth0 Dashboard.

  1. Navigate to Auth0 Dashboard > Applications > APIs.

  2. Select the Settings tab.

  3. Under Access Settings, choose the Standard consent policy.

  4. Save your changes.

Dashboard > Applications > APIs > Settings > Access Settings

Register authorization_details types

The type field determines which object fields are customizable. An authorization_details array may contain multiple entries of the same type.

You must register authorization_details types for a resource server, which is similar to registering allowed scopes. The authorization_details parameter in a request must meet these requirements:

  • Maximum 5Kb

  • Must be valid JSON

  • Must be an array of objects

  • Maximum of 5 entries in the array

  • Every object must have a type property (that is pre-registered on the API)

  • Maximum of 10 properties per object

  • Maximum length of property names is 255

  • Maximum length of property value is 255

  • Maximum of 5 levels of nested objects

  • Property names can only contain the following characters: a-zA-Z0-9_.-
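The following validator is an added example (not Auth0's own code) that checks an incoming authorization_details value against every limit in the list above, including the registered-type check, before a resource server or custom consent logic relies on it. It assumes the top-level entry counts as nesting level 1 and that the value-length limit applies to the JSON text of non-string values.

```python
import json
import re

# Limits taken from the requirements listed above.
MAX_BYTES, MAX_ENTRIES, MAX_PROPS = 5 * 1024, 5, 10
MAX_NAME_LEN, MAX_VALUE_LEN, MAX_DEPTH = 255, 255, 5
NAME_RE = re.compile(r"[a-zA-Z0-9_.-]+")


def _check_object(obj, depth, errors, path):
    """Recursively check one object against the property limits."""
    if depth > MAX_DEPTH:  # assumption: the top-level entry is level 1
        errors.append(f"{path}: nesting deeper than {MAX_DEPTH} levels")
        return
    if len(obj) > MAX_PROPS:
        errors.append(f"{path}: more than {MAX_PROPS} properties")
    for name, value in obj.items():
        if len(name) > MAX_NAME_LEN or not NAME_RE.fullmatch(name):
            errors.append(f"{path}.{name}: invalid property name")
        if isinstance(value, dict):
            _check_object(value, depth + 1, errors, f"{path}.{name}")
        elif len(value if isinstance(value, str) else json.dumps(value)) > MAX_VALUE_LEN:
            errors.append(f"{path}.{name}: value longer than {MAX_VALUE_LEN}")


def validate_authorization_details(raw, registered_types):
    """Return a list of violations; an empty list means the value is acceptable.

    raw: the authorization_details parameter as received (a JSON string).
    registered_types: the types registered on the API (see the steps below).
    """
    errors = []
    if len(raw.encode("utf-8")) > MAX_BYTES:
        errors.append(f"payload larger than {MAX_BYTES} bytes")
    try:
        details = json.loads(raw)
    except ValueError:
        return errors + ["not valid JSON"]
    if not isinstance(details, list) or not all(isinstance(e, dict) for e in details):
        return errors + ["must be an array of objects"]
    if len(details) > MAX_ENTRIES:
        errors.append(f"more than {MAX_ENTRIES} entries")
    for i, entry in enumerate(details):
        if entry.get("type") not in registered_types:
            errors.append(f"[{i}]: missing or unregistered type")
        _check_object(entry, 1, errors, f"[{i}]")
    return errors


# Constructed sample request value for a payment_initiation type.
SAMPLE = json.dumps([{"type": "payment_initiation", "creditorName": "Merchant A",
                      "instructedAmount": {"currency": "EUR", "amount": "123.50"}}])
```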

You can register authorization_details types with the Auth0 Dashboard or Management API.

You can add authorization_details types in the Auth0 Dashboard.

  1. Navigate to Auth0 Dashboard > Applications > APIs.

  2. Select the Permissions tab.

  3. Under Add an Authorization Details type, enter payment_initiation and select the +Add option. Then enter money_transfer and select the +Add option.

Create a new resource server with authorization_details types

The following POST request creates a new resource server with authorization_details type payment_initiation:

# Replace $tenant with your tenant domain and $management_access_token with a
# Management API token that is allowed to create resource servers.
curl --location --request POST "https://$tenant/api/v2/resource-servers" \
  --header "Authorization: Bearer $management_access_token" \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "name": "Payments API",
    "identifier": "https://payments.api/",
    "consent_policy": "standard",
    "authorization_details": [{"type": "payment_initiation"}]
  }'
