# Reverse Authorization Push (RAP)

This proposal introduces grant notifications, pushed from the AS to the RqP's Client, for [UMA Grant](https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html). Possibly using [RAR](https://datatracker.ietf.org/doc/html/rfc9396).

It is inspired by [Open Cloud Mesh](https://cs3org.github.io/OCM-API/docs.html?branch=new-multi&repo=OCM-API&user=cs3org#/paths/~1shares/post).

## Use cases

* social web: requesting party received a federated @-mention
* collaborative editing: requesting party was invited to co-edit some resource
* Sharing Intents: like on mobile OS, when RP=RO,
  * select a photo from camera app
  * select chat app and give it access to it,
  * redirect to chat app, post the photo in some channel

## How it works

An HTTP POST notification to the client, informing it that it is affected by some new UMA policy conditions.

```
requesting                        authorization  resource   resource
  party    client                      server     server     owner
    |         |                           |          |         |
    |         |                           |Set policy|         |
    |         |                           |conditions (anytime)|
    |         |                           |<- - - - - - - - - -|
    |         | NOTIFY (UMA-RAR-PUSH)     |          |         |
    |         |<--------------------------|          |         |
    |         |Resource request (no access token)    |         |
    |         |------------------------------------->|         |
    |         |                           |          |         |
    [Etc., rest of UMA Grant]
```

## Issues

* `shareWith`: How to point the Client to the RqP(s) (OCM uses `RqP@client.com` with type 'user' or 'group' but this feels too rigid)
  * bilateral agreement between AS and Client?
* format for `owner` and `sender` (`RO@AS.com`)
  * bilateral agreement between AS and Client?
* `resourceType` and `protocol` -> this is basically client config.
* Does it fit into RAR?
* Do we need RAR or is `code` enough?
* Require `code` and make RAR optional?

Notes:

* sender verification
* access token
* not sending access tokens unsolicited (confusing client to use a stolen access token?)
* [ciba push mode ciba-fapi: should not](https://openid.net/specs/openid-financial-api-ciba.html)
* send a short-lived thing first
* "start a transaction, use this identifier when you do"; no other details.
* specify a specific API
* [Directed Access Tokens](https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/69) (early GNAP)
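
A receiving Client could apply the concerns listed above (sender verification, no unsolicited access tokens, `code` as a short-lived identifier) before acting on a pushed notification. The following is an added example, not part of the proposal: the payload schema, the `check_notification` and `find_token_keys` helpers, the token key denylist and the `authenticated_origin` input are assumptions, and the sample payloads are constructed.

```python
# Added example. Field names come from the Issues list; the schema itself is assumed.
REQUIRED = ("shareWith", "owner", "sender", "resourceType", "protocol", "code")
# Assumed denylist of token-bearing keys a push must never carry.
TOKEN_KEYS = {"access_token", "refresh_token", "id_token", "rpt", "pct"}

# Constructed sample payloads (not taken from any real deployment).
GOOD = {"shareWith": "alice@client.example", "owner": "bob@as.example",
        "sender": "bob@as.example", "resourceType": "file",
        "protocol": "uma", "code": "txn-5f2c9a"}
BAD = dict(GOOD, sender="bob@other.example",
           protocol={"name": "uma", "access_token": "constructed-value"})


def find_token_keys(obj, path=""):
    """Return the paths of token-bearing keys nested anywhere in the payload."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else str(key)
            if str(key).lower() in TOKEN_KEYS:
                hits.append(here)
            hits.extend(find_token_keys(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_token_keys(value, f"{path}[{i}]"))
    return hits


def check_notification(payload, trusted_as, authenticated_origin):
    """Return rejection reasons; an empty list means: treat as a hint, then run UMA Grant."""
    if not isinstance(payload, dict):
        return ["payload is not a JSON object"]
    problems = [f"missing field: {f}" for f in REQUIRED if not payload.get(f)]
    problems += [f"unsolicited token in: {p}" for p in find_token_keys(payload)]
    # Assumption: sender looks like RO@AS.com, and the AS part names the pushing server.
    sender = payload.get("sender")
    as_host = sender.rpartition("@")[2].lower() if isinstance(sender, str) else ""
    if as_host not in trusted_as:
        problems.append(f"sender AS not trusted: {as_host or '<none>'}")
    elif as_host != authenticated_origin.lower():
        # authenticated_origin: host the transport layer verified (mechanism out of scope).
        problems.append("sender does not match authenticated origin")
    if "code" in payload and not isinstance(payload["code"], str):
        problems.append("code must be an opaque string")
    return problems


if __name__ == "__main__":
    print(check_notification(GOOD, {"as.example"}, "as.example"))
    print(check_notification(BAD, {"as.example"}, "as.example"))
```

An accepted notification is only a hint that policy changed; the Client still obtains any token through the normal UMA Grant flow, starting with the tokenless resource request.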