In practice, only rights are supported but attributes should also be supported #286

Closed
Denisthemalice opened this issue Jul 18, 2021 · 1 comment

Comments

@Denisthemalice

In an access control model, the RO may be associated either with an AS or with the RS.

In the first case, the AS includes capabilities (i.e. a right on a resource) into an access token while
in the second case it includes user's attributes.

However, the document is currently allowing only the support of capabilities.

On page 25, the text states:

access (array of objects/strings) Describes the rights that the client instance is requesting for one or more access tokens to be used at RS’s. This field is REQUIRED.

flags is defined as a set of flags that indicate desired attributes or behavior to be attached to the access token by the AS.

However, in practice, flags only indicate some desired behavior to be attached to the access token.
This means that a model where ACLs only would be used cannot be supported.

An additional field, called "attributes", should be supported, where types and optionally values of attributes can be specified.

@jricher
Collaborator

jricher commented Jul 18, 2021

The flags field is not for determining access.

Attributes can already be supported by the access structure.

Closing this issue as it has been discussed many times.
