13. Privacy Considerations
It is especially important for implementers to design and use authorization details in a privacy-preserving manner. Any sensitive personal data included in authorization_details must be prevented from leaking, e.g., through referrer headers. Implementation options include encrypted request objects as defined in [RFC9101] or transmission of authorization_details via end-to-end encrypted connections between client and AS by utilizing [RFC9126] and the request_uri authorization request parameter as defined in [RFC9101]. The latter does not require application-level encryption, but it requires another message exchange between the client and the AS.
Even if the request data is encrypted, an attacker could use the AS to learn the user's data by injecting the encrypted request data into an authorization request on a device under their control and use the AS's user consent screens to show the (decrypted) user data in the clear. Implementations need to consider this attack vector and implement appropriate countermeasures, e.g., by only showing portions of the data or, if possible, determining whether the assumed user context is still the same (after user authentication).
The AS needs to take into consideration the privacy implications when sharing authorization_details with the client or RSs. The AS should share this data with those parties on a "need to know" basis as determined by local policy.
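The second option in the first paragraph of this section, sketched as an added example (not part of the specification text): the client pushes authorization_details over the back channel and the browser-visible URL carries only a request_uri reference. The ToyAS class, the as.example endpoint, the client identifier and the sample payment data are constructed for illustration, and client authentication at the pushed request endpoint is omitted.

```python
import json, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

AS_AUTHZ = "https://as.example/authorize"  # hypothetical AS endpoint
IBAN = "DE00EXAMPLE0000000000"             # constructed placeholder, not a real account
DETAILS = [{"type": "payment_initiation",  # constructed sample authorization_details
            "creditorName": "Merchant A",
            "creditorAccount": {"iban": IBAN}}]

class ToyAS:
    """In-memory stand-in for an AS pushed authorization request endpoint."""
    def __init__(self):
        self._pushed = {}

    def par(self, client_id, params, ttl=60):
        # Back channel: a client-authenticated POST over TLS in a real deployment.
        uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(24)
        self._pushed[uri] = (client_id, dict(params), time.time() + ttl)
        return {"request_uri": uri, "expires_in": ttl}

    def resolve(self, client_id, request_uri):
        # One-time use, bound to the client that pushed it, rejected after expiry.
        owner, params, expires = self._pushed.pop(request_uri, (None, None, 0))
        if owner != client_id or time.time() > expires:
            raise ValueError("invalid request_uri")
        return params

def direct_url(client_id, details):
    # Front channel: authorization_details rides in the query string.
    return AS_AUTHZ + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "authorization_details": json.dumps(details)})

def par_url(toy_as, client_id, details):
    # Push the details first; the browser only ever sees the opaque reference.
    pushed = toy_as.par(client_id, {
        "response_type": "code",
        "authorization_details": json.dumps(details)})
    return AS_AUTHZ + "?" + urlencode({
        "client_id": client_id, "request_uri": pushed["request_uri"]})

def exposed_in_url(url, needle):
    """True if needle is readable in the decoded query (history, logs, Referer)."""
    values = parse_qs(urlparse(url).query).values()
    return any(needle in v for vs in values for v in vs)

if __name__ == "__main__":
    toy = ToyAS()
    print(exposed_in_url(direct_url("client-1", DETAILS), IBAN))
    print(exposed_in_url(par_url(toy, "client-1", DETAILS), IBAN))
```

The reference only keeps the data out of URLs; it does not address the injection scenario in the second paragraph, so the consent-screen countermeasures described there still apply.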