fix: improvements to the descriptions around RAR and CIBA#615
Merged
lrzhou25 merged 7 commits intoauth0:mainfrom Feb 19, 2026
Merged
fix: improvements to the descriptions around RAR and CIBA#615lrzhou25 merged 7 commits intoauth0:mainfrom
lrzhou25 merged 7 commits intoauth0:mainfrom
Conversation
cgcladeraokta
previously approved these changes
Feb 18, 2026
cgcladeraokta
left a comment
cgcladeraokta
left a comment
There was a problem hiding this comment.
Changes LGTM. I checked, and they are consistent with other HRI articles in the docs.
avanscoy
reviewed
Feb 18, 2026
| <ul> | ||
| <li><code>oidc-basic-profile</code> — Most used, web-based login.</li> | ||
| <li><code>oidc-ciba</code> — Client-Initiated Backchannel Authentication.</li> | ||
| <li><code>oidc-ciba-web-link</code> — Client-Initiated Backchannel Authentication, executing during once the user has logged into the verification web link.</li> |
Contributor
There was a problem hiding this comment.
Awkward syntax. Suggestion: Client-Initiated Backchannel Authentication, executes once the end user has logged into the verification web link.
avanscoy
reviewed
Feb 18, 2026
| Using [Rich Authorization Requests (RAR)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar), clients can request and obtain <Tooltip tip="Fine-grained Authorization (FGA): Auth0 product allowing individual users access to specific objects or resources." cta="View Glossary" href="/docs/glossary?term=fine-grained+authorization">fine-grained authorization</Tooltip> data from <Tooltip tip="Resource Owner: Entity (such as a user or application) capable of granting access to a protected resource." cta="View Glossary" href="/docs/glossary?term=resource+owners">resource owners</Tooltip>, such as end users, during the [Authorization Code Flow with Pushed Authorization Requests (PAR)](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par) and [Client-Initiated Backchannel Authentication Flow](/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow). | ||
|
|
||
| In a Rich Authorization Request, the `authorization_details` parameter is a JSON array of objects. You can render the `authorization_details`, containing transaction details, in a consent prompt to the user in <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=Multi-factor+Authentication">Multi-factor Authentication</Tooltip> challenges. | ||
| A Rich Authorization request is one that uses the `authorization_details` parameter. This parameter accepts a JSON array of objects. Allowing more flexibility and structure than the `scope` parameter, `authorization_details` can include detailed information about the authorization being requested, such as the specific resources or actions the client wants to access on behalf of the user. |
Contributor
There was a problem hiding this comment.
Rich Authorization requests use the authorization_details parameter. This parameter accepts a JSON array of objects including detailed information about the authorization being requested, such as the specific resources or actions the client wants to access on behalf of the user.
Contributor
Author
There was a problem hiding this comment.
I modified your proposal by adding "a JSON array of objects which may include detailed information"
avanscoy
reviewed
Feb 18, 2026
| You can render the requested `authorization_details` to the user using either: | ||
|
|
||
| * The browser, by using the Customized Consent Prompt | ||
| * A mobile application when using push notifications with the [Auth0 Guardian SDK or Guardian app](/docs/secure/multi-factor-authentication/auth0-guardian). |
Contributor
There was a problem hiding this comment.
Remove ending punctuation
avanscoy
reviewed
Feb 18, 2026
avanscoy
reviewed
Feb 18, 2026
| <tr> | ||
| <td><code>instruction</code></td> | ||
| <td>A human-readable message to the user approving the request.</td> | ||
| <td><code>Please approve the request</code></td> |
Contributor
There was a problem hiding this comment.
Ending punctuation, line 49
avanscoy
reviewed
Feb 18, 2026
| ### Other notification channels | ||
|
|
||
| If you’re not using the Auth0 Guardian app, then the `authorization_details` types does not need to use the Auth0 schema. Instead, they must follow these requirements: | ||
| If you're not using the Auth0 Guardian app displaying the `authorization_details` using the Customized Consent Prompt or your own custom mobile app using the Auth0 Guardian SDK, then the `authorization_details` types does not need to use the Auth0 schema. Instead, they must only follow these requirements: |
Contributor
There was a problem hiding this comment.
This sentence is hard to parse, try:
The authorization_details type does not need to use the Auth0 schema if you aren't using the Auth0 Guardian app with Customize Consent Prompt displaying authorization_details or your own custom mobile app with the Auth0 Guardian SDK.
Contributor
Author
There was a problem hiding this comment.
I've not gone with your proposal exactly here, let me know what you think?
avanscoy
reviewed
Feb 18, 2026
| [API Access Policies for Applications](/docs/get-started/apis/api-access-policies-for-applications) control what applications can access your APIs and what scopes or `authorization_details` types they are allowed to access. | ||
|
|
||
| </Tab></Tabs> | ||
| You can check your API's current policy using the management API. Make a `GET` request to the [Get a resource server](https://auth0.com/docs/api/management/v2/resource-servers/get-resource-servers-by-id) endpoint and check the `subject_type_authorization` property in the response: |
avanscoy
reviewed
Feb 18, 2026
| --header 'Content-Type: application/json' | ||
| ``` | ||
|
|
||
| The `subject_type_authorization` property will have values for `client.policy` and `user.policy`. If the policy value is `allow_all` then applications or users can request all `authorization_details` types registered for the API. If the policy value is `require_client_grant`, then each type of `authorization_details` must be explicitly allowed by the client grant for that application. If the policy value is `deny_all`, then no application or user can request any of the `authorization_details` types registered for the API. See [Application Access to APIs: Client Grants](/docs/get-started/applications/application-access-to-apis-client-grants) for more information on how to manage client grants for applications. |
Contributor
There was a problem hiding this comment.
Tense.
The subject_type_authorization property has values for...
Inclusive language.
See Application Access to APIs: Client Grants for more information on how to manage client grants for applications.
To learn more on how to manage client grants for applications, read Application Access to APIs: Client Grants.
avanscoy
reviewed
Feb 18, 2026
|
|
||
| ## Optional: Configure consent policy for the resource server | ||
|
|
||
| The resource server's consent policy determines whether Auth0 stores the `authorization_details` values and makes them available to mobile applications when a push notificaiton is sent. |
avanscoy
reviewed
Feb 18, 2026
|
|
||
| The resource server's consent policy determines whether Auth0 stores the `authorization_details` values and makes them available to mobile applications when a push notificaiton is sent. | ||
|
|
||
| The table below summarizes Auth0's standard consent policy behavior for a request containing `authorization_details`: |
Contributor
There was a problem hiding this comment.
Review Auth0's standard consent policy behavior for a request containing authorization_details:
avanscoy
reviewed
Feb 18, 2026
| <table class="table"><thead> | ||
| <tr> | ||
| <th><strong>Flow</strong></th> | ||
| <th><strong>Push notification sent?</strong></th> |
Contributor
There was a problem hiding this comment.
Should there be a question mark ^
avanscoy
reviewed
Feb 18, 2026
...tion-flow/client-initiated-backchannel-authentication-flow/email-notifications-with-ciba.mdx
Show resolved
Hide resolved
lrzhou25
reviewed
Feb 18, 2026
...actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-event-object.mdx
Outdated
Show resolved
Hide resolved
main/docs/get-started/apis/configure-rich-authorization-requests.mdx
Outdated
Show resolved
Hide resolved
main/docs/get-started/apis/configure-rich-authorization-requests.mdx
Outdated
Show resolved
Hide resolved
main/docs/get-started/apis/configure-rich-authorization-requests.mdx
Outdated
Show resolved
Hide resolved
...tion-flow/client-initiated-backchannel-authentication-flow/email-notifications-with-ciba.mdx
Outdated
Show resolved
Hide resolved
main/docs/get-started/apis/configure-rich-authorization-requests.mdx
Outdated
Show resolved
Hide resolved
main/docs/get-started/apis/configure-rich-authorization-requests.mdx
Outdated
Show resolved
Hide resolved
main/docs/get-started/apis/configure-rich-authorization-requests.mdx
Outdated
Show resolved
Hide resolved
main/docs/get-started/apis/configure-rich-authorization-requests.mdx
Outdated
Show resolved
Hide resolved
main/docs/get-started/apis/configure-rich-authorization-requests.mdx
Outdated
Show resolved
Hide resolved
lrzhou25
approved these changes
Feb 19, 2026
d4nt
force-pushed
the
rar-and-ciba-improvements
branch
from
b0682aa to
ac4d1b9
Compare
Co-authored-by: Lucy Zhou <141781699+lrzhou25@users.noreply.github.com>
d4nt
force-pushed
the
rar-and-ciba-improvements
branch
from
a5ea667 to
e2212c2
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR adds additional details regarding CIBA and RAR, and how consent approval works with push notifications in both PAR and CIBA flows.
References
https://auth0team.atlassian.net/browse/FGI-1851
Testing
Checklist
CONTRIBUTING.md.