To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to Auth0 Pricing for details.
With Rich Authorization Requests (RAR), you pass the authorization_details parameter to the /par endpoint to request more granular permissions than scopes can express. This gives both clients and resource owners finer-grained control over resource access and mitigates the security risk of over-provisioning access.
Because Auth0 only validates the type of each authorization_details object, you must implement validation for the remaining fields of those JSON objects yourself. To learn more, read Configure Rich Authorization Requests.
How it works
In a Rich Authorization Request, the authorization_details parameter is a JSON array of objects, each of which must include a type field whose value is a string. The type determines which other fields the object may carry. An authorization_details array may contain multiple entries of the same type. To learn more about how to register authorization_details types, read Configure Rich Authorization Requests.
Auth0 presents the authorization_details to the user to authorize in a custom consent screen. To learn more, read Set customized consent prompt.
You must pass the authorization_details parameter to the /par endpoint, which enables Auth0 to validate the type early. The /par endpoint carries the authorization request over the back channel so that sensitive data does not leak through the front channel (for example, the browser). Once you have pushed the authorization request to the /par endpoint, the application redirects the user to the /authorize endpoint and then proceeds with the Authorization Code Flow. To learn more, read Authorization Code Flow with PAR.
To complete the Authorization Code Flow, exchange the authorization code at the /oauth/token endpoint, as in the following example:
The token response includes the granted authorization_details array alongside the access token.
The client can use authorization_details to understand the scope of the authorization granted to it without having to inspect the access token. If the requested audience is an API that requires JWE access tokens, the /oauth/token endpoint returns a response that omits all object fields except type from authorization_details. Access token claims are unaffected by this.
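The client side of the flow described above, as an added example that is not Auth0's own code: it pushes the authorization request (including authorization_details) to the PAR endpoint, builds the /authorize redirect from the returned request_uri, exchanges the code at /oauth/token, and then reads authorization_details from the response, flagging the case where only type survives. HTTP calls go through an injectable fetch so the flow can be exercised offline. The PAR endpoint path /oauth/par, the domain, the client credentials and the "payment_initiation" type are assumptions or placeholders, not values from this page.

```javascript
// Added example, not Auth0's code. Client side of PAR + Authorization Code Flow with RAR.
// Assumed: PAR endpoint is /oauth/par; domain, client credentials and the
// "payment_initiation" type are placeholders.

const AUTH0_DOMAIN = 'YOUR_CUSTOM_DOMAIN.example'; // placeholder custom domain
const FORM = { 'Content-Type': 'application/x-www-form-urlencoded' };

// Step 1: form-encode the pushed request; the JSON array travels as a single field.
function buildParBody({ clientId, redirectUri, audience, scope, authorizationDetails }) {
  return new URLSearchParams({
    client_id: clientId,
    response_type: 'code',
    redirect_uri: redirectUri,
    audience,
    scope,
    authorization_details: JSON.stringify(authorizationDetails),
  });
}

async function pushAuthorizationRequest(params, fetchImpl = fetch) {
  const res = await fetchImpl(`https://${AUTH0_DOMAIN}/oauth/par`, {
    method: 'POST', headers: FORM, body: buildParBody(params).toString(),
  });
  // A successful PAR response is 201 Created carrying a request_uri (RFC 9126).
  if (res.status !== 201) throw new Error(`PAR request rejected: HTTP ${res.status}`);
  const { request_uri: requestUri, expires_in: expiresIn } = await res.json();
  return { requestUri, expiresIn };
}

// Step 2: only client_id and the opaque request_uri cross the front channel.
function buildAuthorizeUrl(clientId, requestUri) {
  const url = new URL(`https://${AUTH0_DOMAIN}/authorize`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('request_uri', requestUri);
  return url.toString();
}

// Step 3: exchange the code at /oauth/token and interpret the granted details.
async function exchangeCode({ code, redirectUri, clientId, clientSecret }, fetchImpl = fetch) {
  const res = await fetchImpl(`https://${AUTH0_DOMAIN}/oauth/token`, {
    method: 'POST', headers: FORM,
    body: new URLSearchParams({
      grant_type: 'authorization_code', client_id: clientId, client_secret: clientSecret,
      code, redirect_uri: redirectUri,
    }).toString(),
  });
  if (res.status !== 200) throw new Error(`token request failed: HTTP ${res.status}`);
  return interpretTokenResponse(await res.json());
}

// For APIs that require JWE access tokens the response keeps only `type` per object,
// so a client must not assume the other fields are present.
function interpretTokenResponse(body) {
  const details = Array.isArray(body.authorization_details) ? body.authorization_details : [];
  const fieldsRedacted = details.length > 0
    && details.every((d) => typeof d.type === 'string' && Object.keys(d).length === 1);
  return { accessToken: body.access_token, authorizationDetails: details, fieldsRedacted };
}
```

When fieldsRedacted is true the client knows which types were granted but must rely on the API, which can decrypt the access token, for the details of each grant.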
Configure RAR for the Authorization Code Flow
Before configuring Rich Authorization Requests for the Authorization Code Flow, you must:
- Create a custom domain.
- Create a custom Universal Login Pages template. To learn how to customize a Page template, read the Page templates API documentation.
- Register authorization_details types for a resource server.
- Set the customized consent prompt.
Access authorization_details in Actions
Auth0 does not support updating RAR using Actions.
You can read the authorization_details parameter in a post-login Action via the event.transaction.requested_authorization_details property. You can reference this property in an Action to show transaction details to the user in an MFA challenge.
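A post-login Action that reads the requested authorization_details from event.transaction.requested_authorization_details, as an added example that is not Auth0's own code. It builds the lines a user would be shown during the MFA challenge, denies the login when a high-risk entry is malformed, and otherwise steps up authentication; it never modifies the requested details, since updating RAR from Actions is not supported. The "payment_initiation" type and its fields are hypothetical, and api.access.deny and api.authentication.challengeWith are the Actions calls this example assumes.

```javascript
// Added example, not Auth0's code: post-login Action reading the requested RAR.
// Hypothetical: the "payment_initiation" type and its fields.
// Assumed Actions calls: api.access.deny(reason), api.authentication.challengeWith(factor).

// One human-readable line per requested entry. Unknown types still surface their
// type so nothing is silently hidden from the user.
function summarizeAuthorizationDetails(details) {
  if (!Array.isArray(details) || details.length === 0) return [];
  return details.map((d) => {
    if (d.type === 'payment_initiation') {
      const amt = d.instructedAmount || {};
      const iban = (d.creditorAccount && d.creditorAccount.iban) || 'unknown account';
      return `Pay ${amt.amount} ${amt.currency} to ${iban}`;
    }
    return `Authorize: ${d.type}`;
  });
}

// Only the high-risk type triggers step-up; read-only types do not.
function requiresStepUp(details) {
  return Array.isArray(details) && details.some((d) => d.type === 'payment_initiation');
}

// The decision is kept separate from the Auth0 api object so it can be tested offline.
function decide(details) {
  if (!Array.isArray(details) || details.length === 0) return { action: 'continue', lines: [] };
  const lines = summarizeAuthorizationDetails(details);
  const malformed = details.some((d) =>
    d.type === 'payment_initiation' && !(d.instructedAmount && d.instructedAmount.amount));
  if (malformed) return { action: 'deny', lines, reason: 'payment_initiation entry is missing an amount' };
  return requiresStepUp(details) ? { action: 'challenge', lines } : { action: 'continue', lines };
}

const onExecutePostLogin = async (event, api) => {
  const requested = event.transaction && event.transaction.requested_authorization_details;
  const decision = decide(requested);
  for (const line of decision.lines) console.log(`RAR: ${line}`); // visible in Action logs
  if (decision.action === 'deny') {
    api.access.deny(decision.reason);
  } else if (decision.action === 'challenge') {
    // The Action can only gate the requested details, not change them. How the summary
    // lines reach the challenge screen depends on your customized prompt (not shown here).
    api.authentication.challengeWith({ type: 'otp' });
  }
};

// In a real Action this is the exported entry point.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```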
What doesn’t Auth0 support?
Auth0 doesn’t support:
- Updating RAR using Actions.
- Advertising RAR types for clients to discover.
- Validating RAR objects beyond checking that they have a type property that matches allowed types for the API. For more information, see Configure RAR.
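Because Auth0 checks only that each object's type is registered for the API, the resource server has to validate every other field itself. The following is an added example, not Auth0's own code, of that validation on the API side: it applies the structure described under "How it works" (a JSON array of objects, each with a string type, possibly several of the same type) and then runs a per-type check on the remaining fields. The "payment_initiation" and "account_information" types, their fields and the sample input are hypothetical.

```javascript
// Added example, not Auth0's code: resource-server validation of authorization_details.
// Hypothetical: the registered types, their fields and SAMPLE_VALID.

// Per-type validators. Each returns a list of problems; an empty list means valid.
const REGISTERED_TYPES = {
  payment_initiation: (obj) => {
    const problems = [];
    const amt = obj.instructedAmount;
    if (typeof amt !== 'object' || amt === null) {
      problems.push('instructedAmount must be an object');
    } else {
      if (typeof amt.amount !== 'string' || !/^\d+(\.\d{1,2})?$/.test(amt.amount)) {
        problems.push('instructedAmount.amount must be a decimal string');
      }
      if (typeof amt.currency !== 'string' || !/^[A-Z]{3}$/.test(amt.currency)) {
        problems.push('instructedAmount.currency must be a 3-letter code');
      }
    }
    const acct = obj.creditorAccount;
    if (typeof acct !== 'object' || acct === null || typeof acct.iban !== 'string') {
      problems.push('creditorAccount.iban must be a string');
    }
    return problems;
  },
  account_information: (obj) => {
    const allowed = new Set(['balances', 'transactions']);
    if (!Array.isArray(obj.actions) || obj.actions.length === 0) {
      return ['actions must be a non-empty array'];
    }
    return obj.actions.filter((a) => !allowed.has(a)).map((a) => `unknown action: ${String(a)}`);
  },
};

// Validate a raw authorization_details value (JSON text or an already-parsed array).
function validateAuthorizationDetails(raw, registry = REGISTERED_TYPES) {
  let details = raw;
  if (typeof raw === 'string') {
    try {
      details = JSON.parse(raw);
    } catch (e) {
      return { ok: false, problems: ['authorization_details is not valid JSON'] };
    }
  }
  if (!Array.isArray(details)) {
    return { ok: false, problems: ['authorization_details must be a JSON array'] };
  }
  const problems = [];
  details.forEach((obj, i) => {
    if (typeof obj !== 'object' || obj === null || Array.isArray(obj)) {
      problems.push(`[${i}] entry must be a JSON object`);
      return;
    }
    if (typeof obj.type !== 'string') {
      problems.push(`[${i}] type must be a string`);
      return;
    }
    // Own-property lookup so a type such as "constructor" cannot resolve to a prototype member.
    if (!Object.prototype.hasOwnProperty.call(registry, obj.type)) {
      problems.push(`[${i}] type "${obj.type}" is not registered for this API`);
      return;
    }
    for (const p of registry[obj.type](obj)) problems.push(`[${i}] ${p}`);
  });
  return { ok: problems.length === 0, problems };
}

// Constructed sample: two entries of the same type plus one account entry.
const SAMPLE_VALID = JSON.stringify([
  { type: 'payment_initiation', instructedAmount: { amount: '120.50', currency: 'EUR' }, creditorAccount: { iban: 'DE00000000000000000000' } },
  { type: 'payment_initiation', instructedAmount: { amount: '5', currency: 'EUR' }, creditorAccount: { iban: 'DE11111111111111111111' } },
  { type: 'account_information', actions: ['balances'] },
]);
```

The registry lookup uses an own-property check rather than plain indexing so that an attacker-chosen type value cannot match an inherited member of the registry object; the same care applies to any lookup keyed by a field taken from the request.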