Expressing policies in capability systems

Alan Karp

Feb 26, 2024, 1:45:59 PMFeb 26
Rich Authorization Request extension to OAuth 2 is a way to express access policies in a capability system.  The article at

gives a nice description, but I believe it has one significant omission.  

It says, "During the delegation process, the AS often needs to prompt the resource owner to see if they're OK with what's being delegated." This important feature allows the resource owner to prevent inadvertent violations of the resource owner's policies. However, I think the article should note that the delegator can always work around any such restriction by sharing credentials with the delegatee.

Alan Karp