12. Security Considerations
The authorization_details parameter is sent through the user agent in case of an OAuth authorization request, which makes it vulnerable to modification by the user. If the integrity of the authorization_details is a concern, clients MUST protect authorization_details against tampering and swapping. This can be achieved by signing the request using signed request objects as defined in [RFC9101] or by using the request_uri authorization request parameter as defined in [RFC9101] in conjunction with [RFC9126] to pass the URI of the request object to the AS.
All string comparisons in an authorization_details parameter are to be done as defined by [RFC8259]. No additional transformation or normalization is to be done in evaluating equivalence of string values.
The common data field locations allows a client to specify where it intends to use a certain authorization, i.e., it makes it possible to unambiguously assign permissions to RSs. In situations with multiple RSs, this prevents unintended client authorizations (e.g., a read scope value potentially applicable to an email service as well as a cloud service) through audience restriction.
The AS MUST properly sanitize and handle the data passed in the authorization_details in order to prevent injection attacks.
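The following illustrates how an AS might apply the three requirements above (exact RFC 8259 string comparison, audience restriction via locations, and sanitization of the incoming JSON). It is an added example, not text or code from this specification; the type name account_information, the field sets and the RS URI are constructed for illustration.

```python
import json

# Constructed sample value of authorization_details as an AS might receive it
# (the type and URI are assumptions for this example, not values from the RFC).
SAMPLE_AUTHORIZATION_DETAILS = (
    '[{"type": "account_information",'
    ' "locations": ["https://rs.example.com/accounts"],'
    ' "actions": ["read"]}]'
)

# RS identifiers this AS issues tokens for, as exact strings (assumption).
KNOWN_RESOURCE_SERVERS = {"https://rs.example.com/accounts"}
# Types this AS supports and the fields each type may carry (assumption).
ALLOWED_TYPES = {"account_information": {"type", "locations", "actions"}}


def strings_equal(a: str, b: str) -> bool:
    """RFC 8259 equivalence: code point for code point, no case folding,
    no Unicode normalization. Python str equality already behaves this way."""
    return a == b


def validate_authorization_details(raw: str) -> list:
    """Parse and sanitize authorization_details; raise ValueError on anything
    the AS must not accept instead of passing it on to policy or RS code."""
    try:
        details = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"authorization_details is not valid JSON: {exc}") from exc
    if not isinstance(details, list) or not details:
        raise ValueError("authorization_details must be a non-empty JSON array")
    for entry in details:
        if not isinstance(entry, dict) or not isinstance(entry.get("type"), str):
            raise ValueError("each entry must be an object with a string 'type'")
        allowed = ALLOWED_TYPES.get(entry["type"])
        if allowed is None:
            raise ValueError(f"unsupported type {entry['type']!r}")
        unexpected = set(entry) - allowed   # reject fields the type does not define
        if unexpected:
            raise ValueError(f"unexpected fields {sorted(unexpected)}")
        locations = entry.get("locations", [])
        if not isinstance(locations, list) or not all(isinstance(loc, str) for loc in locations):
            raise ValueError("'locations' must be an array of strings")
        for loc in locations:
            # Audience restriction: every location must name an RS this AS knows,
            # compared exactly (so "HTTPS://RS.EXAMPLE.COM/..." is not a match).
            if not any(strings_equal(loc, rs) for rs in KNOWN_RESOURCE_SERVERS):
                raise ValueError(f"unknown resource server {loc!r}")
    return details
```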
The Security Considerations of [RFC6749], [RFC7662], and [RFC8414] also apply.