6. Token Request

The authorization_details token request parameter can be used to specify the authorization details that a client wants the AS to assign to an access token. The AS checks whether the underlying grant (in case of grant types authorization_code, refresh_token, etc.) or the client's policy (in case of grant type client_credentials) allows the issuance of an access token with the requested authorization details. Otherwise, the AS refuses the request with the error code invalid_authorization_details (similar to invalid_scope).

6.1. Comparing Authorization Details

Many actions in the OAuth protocol allow the AS and RS to make security decisions based on whether the request is asking for "more" or "less" than a previous, existing request. For example, upon refreshing a token, the client can ask for a new access token with "fewer permissions" than had been previously authorized by the resource owner. The requested access token will convey the reduced permissions, but the resource owner's previous authorization is unchanged by such requests.

Since the semantics of the fields in the authorization_details will be implementation specific to a given API or set of APIs, there is no standardized mechanism to compare two arbitrary authorization detail requests. An AS should not rely on simple object comparison in most cases, as the intersection of some fields within a request could have side effects on the access rights granted, depending on how the API has been designed and deployed. This is a similar effect to the scope values used with some APIs.

When comparing a new request to an existing request, an AS can use the same processing techniques as used in granting the request in the first place to determine if a resource owner needs to authorize the request. The details of this comparison are dependent on the definition of the type of authorization request and outside the scope of this specification, but common patterns can be applied.