
7. Token Response

In addition to the token response parameters defined in [RFC6749], the AS MUST also return an authorization_details parameter containing the authorization details as granted by the resource owner and bound to the issued access token. The authorization details assigned to the access token issued in a token response are determined by the authorization_details parameter of the corresponding token request. If the client does not include the authorization_details parameter in the token request, the AS determines the resulting authorization_details at its discretion.

The AS MAY omit values from the authorization_details it returns to the client (for example, data the AS binds to the token for use by the resource server but does not expose to the client).

7.1. Enriched Authorization Details in Token Response

The authorization details attached to the access token MAY differ from what the client requests. In addition to the user authorizing less than what the client requested, there are some use cases where the AS enriches the data in an authorization details object. Whether enrichment is allowed and specifics of how it works are necessarily part of the definition of the respective authorization details type.

As one example, a client may ask for access to account information but leave the decision about the specific accounts it will be able to access to the user. During the authorization process, the user selects the subset of their accounts that the client is allowed to access. As one design option to convey the selected accounts, the AS could add this information to the respective authorization details object.

Note: The client needs to be aware upfront of the possibility that a certain authorization details object can be enriched. It is assumed that this property is part of the definition of the respective authorization details type.
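The following is an added example, not code from RFC 9396 or from any implementation, covering both Section 7 and Section 7.1 above: an AS derives the authorization_details for the token response from the token request's authorization_details and the resource owner's decisions (narrowing, enrichment with the selected accounts, and omission of a token-bound value from the client-visible copy), and the client checks that what it received is within what it requested, tolerating enrichment only where the type definition declares it. The per-type policy for "account_information", the AS default used when the request carries no authorization_details, the "accounts" enrichment field, the "consent_reference" field and all sample values are assumptions constructed for illustration.

```python
from copy import deepcopy

# Per-type policy. The RFC leaves narrowing and enrichment rules to each
# type's definition; these sets are assumed for the illustrative type here.
TYPE_POLICY = {
    "account_information": {
        "narrowable": {"actions", "locations"},     # user may authorize a subset
        "enrichable": {"accounts"},                 # AS may add what the user selected
        "omit_from_client": {"consent_reference"},  # bound to the token, not returned
    },
}

# Assumed AS policy when the token request carries no authorization_details.
AS_DEFAULT_DETAILS = [{
    "type": "account_information",
    "actions": ["list_accounts"],
    "locations": ["https://example.com/accounts"],
}]


def grant_authorization_details(requested, user_grant, consent_reference):
    """AS side. user_grant maps an index into `requested` to the user's
    decision (dict of narrowed/selected fields); no decision means denied.
    Returns (bound, visible): what is attached to the access token, and the
    same objects with omitted values stripped for the token response."""
    if not requested:                      # client sent none: AS decides
        requested = AS_DEFAULT_DETAILS
    bound, visible = [], []
    for i, req in enumerate(requested):
        policy = TYPE_POLICY.get(req["type"])
        if policy is None:
            raise ValueError(f"unsupported type {req['type']!r}")
        decision = user_grant.get(i)
        if decision is None:
            continue                       # user denied this object entirely
        obj = deepcopy(req)
        # Narrowing: keep only values the user authorized, never add any.
        for field in policy["narrowable"]:
            if field in obj and field in decision:
                obj[field] = [v for v in obj[field] if v in decision[field]]
        # Enrichment: add the data the user selected during authorization.
        for field in policy["enrichable"]:
            if field in decision:
                obj[field] = deepcopy(decision[field])
        obj["consent_reference"] = consent_reference   # assumed AS-internal value
        bound.append(obj)
        visible.append({k: v for k, v in obj.items()
                        if k not in policy["omit_from_client"]})
    return bound, visible


def build_token_response(access_token, requested, user_grant, consent_reference):
    """RFC 6749 token response plus the mandatory authorization_details."""
    bound, visible = grant_authorization_details(requested, user_grant, consent_reference)
    response = {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "authorization_details": visible}
    return response, bound


def client_check(requested, token_response):
    """Client side. Returns a list of problems (empty means acceptable).
    Enrichable fields may appear although the client never sent them;
    every other field must be within what was requested."""
    granted = token_response.get("authorization_details")
    if granted is None:
        return ["token response lacks authorization_details"]
    if not requested:
        return []                          # nothing requested, nothing to compare
    problems = []
    for g in granted:
        policy = TYPE_POLICY.get(g.get("type"))
        req = next((r for r in requested if r["type"] == g.get("type")), None)
        if policy is None or req is None:
            problems.append(f"unexpected type {g.get('type')!r}")
            continue
        for field, value in g.items():
            if field == "type" or field in policy["enrichable"]:
                continue
            if field not in req:
                problems.append(f"{g['type']}: unexpected field {field!r}")
            elif isinstance(value, list) and not set(value) <= set(req[field]):
                problems.append(f"{g['type']}: {field} broader than requested")
            elif not isinstance(value, list) and value != req[field]:
                problems.append(f"{g['type']}: {field} changed")
    return problems


# Constructed sample exchange: the client asks for three actions and leaves
# the account choice to the user; the user declines read_transactions and
# selects one account.
SAMPLE_REQUEST = [{
    "type": "account_information",
    "actions": ["list_accounts", "read_balances", "read_transactions"],
    "locations": ["https://example.com/accounts"],
}]
SAMPLE_USER_GRANT = {0: {
    "actions": ["list_accounts", "read_balances"],
    "accounts": [{"iban": "DE89370400440532013000"}],   # constructed value
}}
```

Calling `build_token_response("tok-example-1", SAMPLE_REQUEST, SAMPLE_USER_GRANT, "consent-4711")` yields a response whose single authorization details object carries the two authorized actions, the requested location and the enriched "accounts" list, while `consent_reference` is present only in the token-bound copy. `client_check` accepts that response, rejects a response with no authorization_details, and flags a response that grants an action the client never asked for; it skips the containment check when the client sent no authorization_details, since the AS then decides at its discretion and the client has nothing to compare against.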