Expressing policies in capability systems


Alan Karp

Feb 26, 2024, 1:45:59 PM
to <friam@googlegroups.com>, cap-...@googlegroups.com
Rich Authorization Request extension to OAuth 2 is a way to express access policies in a capability system.  The article at

https://justinsecurity.medium.com/applying-rar-in-oauth-2-and-gnap-76a7bae442da

gives a nice description, but I believe it has one significant omission.

It says, "During the delegation process, the AS often needs to prompt the resource owner to see if they’re OK with what’s being delegated."  This important feature allows the resource owner to prevent inadvertent violations of the resource owner's policies.  However, I think the article should note that the delegator can always work around any such restriction by sharing credentials with the delegatee.

--------------
Alan Karp
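An added illustration (not from the post or the linked article) of the consent step the message discusses: an authorization server narrowing a Rich Authorization Request (RFC 9396 `authorization_details`) to what the resource owner's policy permits before a token is issued. The `OWNER_POLICY` shape and the sample request are constructed for this example; as the post notes, this check only bounds the token the AS issues, not what a delegator does with it out of band.

```python
"""Narrow RAR `authorization_details` to the resource owner's policy (added example)."""

# Constructed sample request: a client asks for several account rights.
REQUESTED = [
    {"type": "account_information", "actions": ["read", "list_transactions"],
     "locations": ["https://bank.example/accounts"], "identifier": "acct-1"},
    {"type": "payment_initiation", "actions": ["initiate"],
     "locations": ["https://bank.example/payments"], "identifier": "acct-1"},
    {"type": "account_information", "actions": ["read"],
     "locations": ["https://bank.example/accounts"], "identifier": "acct-2"},
]

# Constructed resource-owner policy (hypothetical structure, not an RFC object):
# per RAR type, the actions the owner will delegate and on which identifiers.
OWNER_POLICY = {
    "account_information": {"actions": {"read"}, "identifiers": {"acct-1"}},
}


def narrow_authorization_details(requested, policy):
    """Return (granted, denied).

    Each granted entry keeps only the actions the owner's policy allows for
    that type and identifier; an entry with nothing allowable is denied whole.
    The AS would present `granted` to the owner for confirmation and encode
    only that in the issued token.
    """
    granted, denied = [], []
    for detail in requested:
        rule = policy.get(detail.get("type"))
        if rule is None or detail.get("identifier") not in rule["identifiers"]:
            denied.append(detail)
            continue
        allowed = [a for a in detail.get("actions", []) if a in rule["actions"]]
        if not allowed:
            denied.append(detail)
            continue
        granted.append({**detail, "actions": allowed})
    return granted, denied


if __name__ == "__main__":
    g, d = narrow_authorization_details(REQUESTED, OWNER_POLICY)
    print("granted:", g)
    print("denied:", d)
```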