<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-zehavi-oauth-rar-metadata-05" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="OAuth 2.0 RAR Metadata and Error Remediation">OAuth 2.0 RAR Metadata and Error Remediation</title>
    <seriesInfo name="Internet-Draft" value="draft-zehavi-oauth-rar-metadata-05"/>
    <author fullname="Yaron Zehavi">
      <organization>Raiffeisen Bank International</organization>
      <address>
        <email>yaron.zehavi@rbinternational.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="04"/>
    <area>Security</area>
    <workgroup>Web Authorization Protocol</workgroup>
    <keyword>RAR</keyword>
    <keyword>Step-up</keyword>
    <keyword>oauth</keyword>
    <abstract>
      <?line 50?>

<t>OAuth 2.0 Rich Authorization Requests (RAR) <xref target="RFC9396"/> standardizes the exchange and processing of authorization details but does not define metadata for describing authorization details types.</t>
      <t>In addition, no interoperable guidance is offered to clients, to remediate failures by resource servers due to insufficient authorization details.</t>
      <t>This document addresses this interoperability challenge, allowing clients to dynamically discover metadata instead of relying on out-of-band agreements, as well as standardizes failure signaling including interoperable remediation when insufficient authorization details are the cause of failure.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://yaron-zehavi.github.io/oauth-rich-authorization-requests-metadata/draft-zehavi-oauth-rar-metadata.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-zehavi-oauth-rar-metadata/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Web Authorization Protocol Working Group mailing list (<eref target="mailto:oauth@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/oauth/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/oauth/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/yaron-zehavi/oauth-rich-authorization-requests-metadata"/>.</t>
    </note>
  </front>
  <middle>
    <?line 58?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>OAuth 2.0 Rich Authorization Requests (RAR) <xref target="RFC9396"/> allows OAuth clients to request detailed and structured authorization, enabling advanced authorization models across domains such as banking and healthcare.</t>
      <t>However, RAR <xref target="RFC9396"/> does not specify how clients discover metadata describing valid authorization details objects. Such metadata and documentation are obtained out-of-band.</t>
      <t>This document defines:</t>
      <ul spacing="normal">
        <li>
          <t>A new authorization server endpoint: <tt>authorization_details_types_metadata_endpoint</tt>, providing authorization details type metadata, including documentation and JSON Schema definitions <xref target="JSON.Schema"/>.</t>
        </li>
        <li>
          <t>A new normative OAuth 2.0 WWW-Authenticate Error Code, for resource servers to indicate <tt>insufficient_authorization</tt> as the cause of the error.</t>
        </li>
        <li>
          <t>A new OAuth 2.0 WWW-Authenticate response parameter, <tt>authorization_remediation</tt>, which contains actionable authorization details objects, to be used directly for remediation in a follow-up OAuth request.</t>
        </li>
        <li>
          <t>Authorization server considerations for when RAR authorization details objects should perhaps be omitted from JWT access tokens and provided instead through token instrospection.</t>
        </li>
      </ul>
      <t>Providing clients with actionable authorization details objects enables:</t>
      <ul spacing="normal">
        <li>
          <t>Interoperability benefit as clients can simply and directly proceed to remediate, without first learning how to construct valid authorization details objects.</t>
        </li>
        <li>
          <t>Support for ephemeral, interaction-specific attributes included by the resource server, such as a risk profile or an internal interaction identifier, guiding authorization servers on the required authentication strength and consent flows.</t>
        </li>
      </ul>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="protocol-overview">
      <name>Protocol Overview</name>
      <t>Client remediates using actionable authorization details objects provided by resource server:</t>
      <artwork type="ascii-art"><![CDATA[
                                                +--------------------+
             +----------+ (B) API Request       |                    |
             |          |---------------------->|      Resource      |
(A) User +---|          |                       |       Server       |
   Starts|   |          |<----------------------|                    |
   Flow  +-->|  Client  | (C) 401 Unauthorized     +--------------------+
             |          |     WWW-Authenticate: Bearer
             |          |     error="insufficient_authorization",
             |          |     error_description=[human readable message],
             |          |     authorization_remediation=[required
             |          |     authorization_details]
             |          |        :
             |          |        :              +--------------------+
             |          |        :              |   Authorization    |
             |          | (D) Authorization     |      Server        |
             |          |     Request + RAR     |+------------------+|
             |          |---------------------->||                  ||
             |          |                       ||  Authorization   ||
             |          |<----------------------||    Endpoint      ||
             |          | (E) Authorization Code||                  ||
             |          |        :              |+------------------+|
             |          |        :              |                    |
             |          | (F) Token Request     |+------------------+|
             |          |---------------------->||                  ||
             |          |                       || Token Endpoint   ||
             |          |<----------------------||                  ||
             |          | (G) Access Token      |+------------------+|
             |          |        :              +--------------------+
             |          |        :
             |          |        :
             |          | (H) Retry API Call    +--------------------+
             |          |     with Token        |                    |
             |          |---------------------->|      Resource      |
             |          |                       |       Server       |
             |          |<----------------------|                    |
             |          | (I) 200 OK + Resource +--------------------+
             |          |
             +----------+
]]></artwork>
      <t>Figure: Client remediates using actionable authorization details objects provided by resource server</t>
      <ul spacing="normal">
        <li>
          <t>(A) The user starts the flow.</t>
        </li>
        <li>
          <t>(B) The client calls an API with an access token.</t>
        </li>
        <li>
          <t>(C) Resource server returns HTTP 401 with a WWW-Authenticate header with error code <tt>insufficient_authorization</tt> and in <tt>authorization_remediation</tt> the <strong>required authorization details objects</strong>.</t>
        </li>
        <li>
          <t>(D) The client uses the provided authorization details objects in a new OAuth + RAR <xref target="RFC9396"/> request.</t>
        </li>
        <li>
          <t>(E) Authorization server returns authorization code.</t>
        </li>
        <li>
          <t>(F-G) The client exchanges authorization code for access token.</t>
        </li>
        <li>
          <t>(H) The client makes an API request with the (RAR) access token.</t>
        </li>
        <li>
          <t>(I) Resource server validates access token and returns successful response.</t>
        </li>
      </ul>
    </section>
    <section anchor="remediation-of-failures-due-to-insufficient-authorization">
      <name>Remediation of failures due to insufficient authorization</name>
      <t>This document defines:</t>
      <ul spacing="normal">
        <li>
          <t>The authentication error code <tt>insufficient_authorization</tt> for the <tt>WWW-Authenticate</tt> header. Resource servers <bcp14>SHOULD</bcp14> return <tt>insufficient_authorization</tt> when access is denied due to missing or insufficient authorization details.</t>
        </li>
        <li>
          <t>The <tt>authorization_remediation</tt> error parameter, which contains a base64url-encoded JSON object guiding the client on remediating the error. Its attributes are:  </t>
          <ul spacing="normal">
            <li>
              <t><tt>authorization_details</tt>: <bcp14>REQUIRED</bcp14>. Array of actionable authorization details objects, matching the format specified in RAR <xref target="RFC9396"/> for the <tt>authorization_details</tt> request parameter, built using the failed resource request. Their inclusion in successful new OAuth grant <bcp14>SHALL</bcp14> satisfy the resource's requirements and remediate the failure.</t>
            </li>
            <li>
              <t><tt>authorization_reference</tt>: <bcp14>RECOMMENDED</bcp14>. An opaque string generated by the resource server to enable the client to select an existing access token associated with equivalent authorization details, without requiring the client to understand the semantics of the authorization details object:      </t>
              <ul spacing="normal">
                <li>
                  <t>Resource server <bcp14>SHOULD</bcp14> generate the <tt>authorization_reference</tt> by canonicalizing and hashing the authorization_details object or an equivalent stable representation, so that the same or semantically equivalent authorization details produce the same authorization_reference value.</t>
                </li>
                <li>
                  <t>The value <bcp14>MUST NOT</bcp14> reveal any sensitive or private information.</t>
                </li>
                <li>
                  <t>Clients <bcp14>MUST</bcp14> treat this value as opaque and <bcp14>MUST NOT</bcp14> attempt to interpret or derive meaning from it.</t>
                </li>
                <li>
                  <t>Returning stable <tt>authorization_reference</tt> values enables clients to reliably match existing tokens to incoming <tt>authorization_remediation</tt> responses, to avoid requesting new tokens when a matching token is already in their possession.</t>
                </li>
                <li>
                  <t>The resource server <bcp14>SHALL NOT</bcp14> include this attribute when tokens issued for the provided <tt>authorization_details</tt> are intended for single-use only.</t>
                </li>
              </ul>
            </li>
          </ul>
        </li>
      </ul>
      <t>Notes:</t>
      <ul spacing="normal">
        <li>
          <t>The <tt>error_description</tt> parameter <bcp14>MAY</bcp14> be included to provide a human-readable description.</t>
        </li>
        <li>
          <t>The provided <tt>authorization_details</tt> are intended to be interoperable with all OAuth specifications and usable in any grant flow supporting RAR.</t>
        </li>
      </ul>
      <t>Example HTTP response from a direct debit resource:</t>
      <artwork><![CDATA[
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error="insufficient_authorization",
error_description="Additional authorization is required",
authorization_remediation=eyJhdXRob3JpemF0aW9uX2RldGFpbHMiOlt7InR5cGUiOiJkaX...
]]></artwork>
      <t>The decoded <tt>authorization_remediation</tt> contents in this example are:</t>
      <artwork><![CDATA[
{
    "authorization_details": [{
            "type": "direct_debit_mandate",
            "DebtorAccount": {
                "SchemeName": "UK.OBIE.SortCodeAccountNumber",
                "Identification": "08080021325698",
                "Name": "JohnDoe"
            },
            "CreditorAgent": {
                "SchemeName": "UK.OBIE.BICFI",
                "Identification": "NWBKGB22"
            },
            "CreditorAccount": {
                "SchemeName": "UK.OBIE.SortCodeAccountNumber",
                "Identification": "08080021325698",
                "Name": "ACMECorp"
            },
            "MandateStatus": "Active",
            "CreationDateTime": "2026-06-01T09:00:00+00:00"
        }
    ],
    "authorization_reference": "Yb7q3AC5d"
}
]]></artwork>
      <t>Example HTTP response from a payment initiation resource:</t>
      <artwork><![CDATA[
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error="insufficient_authorization",
error_description="Additional authorization is required",
authorization_remediation=eyJhdXRob3JpemF0aW9uX2RldGFpbHMiOlt7InR5cGUiOiJkaX...
]]></artwork>
      <t>The decoded <tt>authorization_remediation</tt> contents in this example are:</t>
      <artwork><![CDATA[
{
    "authorization_details": [{
           "type": "payment_initiation",
           "instructed_amount": {
              "currency": "EUR",
              "amount": "100.00"
           },
           "creditor_account": {
              "iban": "DE02120300000000202051"
           }
       }
   ]
}
]]></artwork>
    </section>
    <section anchor="authorization-details-types-metadata-endpoint">
      <name>Authorization Details Types Metadata Endpoint</name>
      <t>The following authorization server metadata <xref target="RFC8414"/> parameter is introduced to indicate the server's support for Authorization Details Types Metadata:</t>
      <dl>
        <dt>"authorization_details_types_metadata_endpoint":</dt>
        <dd>
          <t><bcp14>OPTIONAL</bcp14>.  The URL of the Authorization Details Types Metadata endpoint.</t>
        </dd>
      </dl>
      <t>The Authorization Details Types Metadata endpoint is called with HTTP GET and responds with Content-Type <tt>application/json</tt> and a JSON object whose members are authorization details type identifiers.</t>
      <t>Each member value is an object describing a single authorization details type.</t>
      <artwork><![CDATA[
{
  "type": {
    "version": "...",
    "description": "...",
    "documentation_uri": "...",
    "schema": { },
    "schema_uri": "...",
    "examples": [ ]
  }
}
]]></artwork>
      <t>Attribute definition:</t>
      <dl>
        <dt>"version":</dt>
        <dd>
          <t><bcp14>OPTIONAL</bcp14>. String identifying the version of the authorization details type definition. The value is informational and does not imply semantic version negotiation.</t>
        </dd>
        <dt>"description":</dt>
        <dd>
          <t><bcp14>OPTIONAL</bcp14>. String containing a description of the authorization details type. Clients <bcp14>MUST NOT</bcp14> rely on this value for authorization or validation decisions.</t>
        </dd>
        <dt>"documentation_uri":</dt>
        <dd>
          <t><bcp14>OPTIONAL</bcp14>. URI referencing external documentation describing the authorization details type.</t>
        </dd>
        <dt>"schema":</dt>
        <dd>
          <t>The <tt>schema</tt> attribute contains a JSON Schema document <xref target="JSON.Schema"/> that describes a single authorization details object. The schema <bcp14>MUST</bcp14> validate exactly one authorization details object and <bcp14>MUST</bcp14> restrict the <tt>type</tt> attribute to the corresponding authorization details type identifier. This attribute is <bcp14>REQUIRED</bcp14> unless <tt>schema_uri</tt> is specified. If present, <tt>schema_uri</tt> <bcp14>MUST NOT</bcp14> be included.</t>
        </dd>
        <dt>"schema_uri":</dt>
        <dd>
          <t>The <tt>schema_uri</tt> attribute is an absolute URI, as defined by RFC 3986 <xref target="RFC3986"/>, referencing a JSON Schema document describing a single authorization details object. The referenced schema <bcp14>MUST</bcp14> satisfy the same requirements as the <tt>schema</tt> attribute. This attribute is <bcp14>REQUIRED</bcp14> unless <tt>schema</tt> is specified. If this attribute is present, <tt>schema</tt> <bcp14>MUST NOT</bcp14> be present.</t>
        </dd>
        <dt>"examples":</dt>
        <dd>
          <t><bcp14>OPTIONAL</bcp14>. An array of example authorization details objects. Examples are non-normative.</t>
        </dd>
      </dl>
      <t>See Examples <xref target="metadata-examples"/> for non-normative response example.</t>
    </section>
    <section anchor="rar-objects-in-jwt-access-tokens">
      <name>RAR objects in JWT access tokens</name>
      <t>Pursuant with RAR <xref target="RFC9396"/> section 9, authorization servers <bcp14>MUST</bcp14> provide approved RAR objects to resource servers for enforcement. The authorization server <bcp14>MAY</bcp14> add the <tt>authorization_details</tt> attribute to access tokens in JSON Web Token (JWT) format or to token introspection responses.</t>
      <t>There may however be cases, where due to various considerations such as token size or information privacy, including approved RAR objects in JWT access tokens would be advised against.</t>
      <t>It is <bcp14>RECOMMENDED</bcp14> that when an authorization server issues JWT access tokens, it should consider the size, sensitivity, and privacy implications of including the authorization_details attribute. Where appropriate, the authorization server <bcp14>SHOULD</bcp14> omit this attribute from JWT tokens and instead provide the approved RAR objects to resource servers via the token introspection endpoint. This endpoint <bcp14>SHOULD</bcp14> use appropriate client authentication methods to prevent unauthorized access, in case of token leakage.</t>
    </section>
    <section anchor="processing-rules">
      <name>Processing Rules</name>
      <section anchor="client-processing-rules">
        <name>Client Processing Rules</name>
        <ul spacing="normal">
          <li>
            <t>When receiving an <tt>insufficient_authorization</tt> error, if the <tt>authorization_remediation</tt> parameter contains an <tt>authorization_reference</tt> attribute that matches a valid token in the client's possession, the client <bcp14>MAY</bcp14> retry the failing request using the matching token.</t>
          </li>
          <li>
            <t>If the <tt>authorization_remediation</tt> parameter contains an <tt>authorization_details</tt> attribute, the client <bcp14>MAY</bcp14> include it in a subsequent OAuth request to obtain a token for retrying the failing endpoint.</t>
          </li>
          <li>
            <t>If the authorization server used so far by the client does not support the required authorization details types, the client <bcp14>MAY</bcp14> use Protected Resource Metadata <xref target="RFC9728"/> to discover additional <tt>authorization_servers</tt> supported by the resource, and attempt remediation through them.</t>
          </li>
          <li>
            <t>Clients <bcp14>MAY</bcp14> ignore authorization_reference if they do not support token reuse or caching.</t>
          </li>
        </ul>
      </section>
      <section anchor="resource-server-processing-rules">
        <name>Resource Server Processing Rules</name>
        <ul spacing="normal">
          <li>
            <t>Verify access token validity.</t>
          </li>
          <li>
            <t>Verify required authorization details are provided, by JWT token contents or through token introspection <xref target="RFC7662"/>.</t>
          </li>
          <li>
            <t>If authorization details are missing or insufficient, return HTTP 401 with WWW-Authenticate: Bearer error="insufficient_authorization" including the <tt>authorization_remediation</tt> parameter which provides actionable <tt>authorization_details</tt> objects constructed from the failing request's input.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="confidentiality-of-resource-server-provided-authorizationdetails">
        <name>Confidentiality of resource server provided authorization_details</name>
        <t>Resource servers when providing actionable <tt>authorization_details</tt> <bcp14>SHOULD NOT</bcp14> include sensitive data in those objects. This is consistent with RAR <xref target="RFC9396"/> <tt>authorization_details</tt> OAuth request parameter, representing <strong>request</strong> semantics.</t>
        <t>Confidentiality-preserving <tt>authorization_details</tt> types <bcp14>SHOULD NOT</bcp14> include sensitive data. Instead, the end-user <bcp14>SHOULD</bcp14> provide such information when interacting with the authorization server.</t>
        <t>Alternatively, <tt>authorization_details</tt> <bcp14>MAY</bcp14> refer to specific end-user resources using opaque reference handles (e.g., "account_1a" instead of using explicit IBAN).</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="oauth-20-www-authenticate-error-code-registry">
        <name>OAuth 2.0 WWW-Authenticate Error Code Registry</name>
        <table>
          <thead>
            <tr>
              <th align="left">Error Code</th>
              <th align="left">Error Usage Location</th>
              <th align="left">Change Controller</th>
              <th align="left">Specification Document</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">insufficient_authorization</td>
              <td align="left">Resource access error response</td>
              <td align="left">IETF</td>
              <td align="left">RFC XXXX, Section X</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="oauth-authorization-server-metadata-registry">
        <name>OAuth Authorization Server Metadata Registry</name>
        <t>This specification registers the following authorization server metadata parameter in the OAuth Authorization Server Metadata registry:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Metadata Name</th>
              <th align="left">Metadata Description</th>
              <th align="left">Change Controller</th>
              <th align="left">Specification Document</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">authorization_details_types_metadata_endpoint</td>
              <td align="left">URL of the Authorization Details Types Metadata endpoint</td>
              <td align="left">IETF</td>
              <td align="left">RFC XXXX, Section X</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
      <name>Normative References</name>
      <reference anchor="RFC3986">
        <front>
          <title>Uniform Resource Identifier (URI): Generic Syntax</title>
          <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
          <author fullname="R. Fielding" initials="R." surname="Fielding"/>
          <author fullname="L. Masinter" initials="L." surname="Masinter"/>
          <date month="January" year="2005"/>
          <abstract>
            <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="STD" value="66"/>
        <seriesInfo name="RFC" value="3986"/>
        <seriesInfo name="DOI" value="10.17487/RFC3986"/>
      </reference>
      <reference anchor="RFC6750">
        <front>
          <title>The OAuth 2.0 Authorization Framework: Bearer Token Usage</title>
          <author fullname="M. Jones" initials="M." surname="Jones"/>
          <author fullname="D. Hardt" initials="D." surname="Hardt"/>
          <date month="October" year="2012"/>
          <abstract>
            <t>This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="6750"/>
        <seriesInfo name="DOI" value="10.17487/RFC6750"/>
      </reference>
      <reference anchor="RFC7662">
        <front>
          <title>OAuth 2.0 Token Introspection</title>
          <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
          <date month="October" year="2015"/>
          <abstract>
            <t>This specification defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token. OAuth 2.0 deployments can use this method to convey information about the authorization context of the token from the authorization server to the protected resource.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="7662"/>
        <seriesInfo name="DOI" value="10.17487/RFC7662"/>
      </reference>
      <reference anchor="RFC8414">
        <front>
          <title>OAuth 2.0 Authorization Server Metadata</title>
          <author fullname="M. Jones" initials="M." surname="Jones"/>
          <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
          <author fullname="J. Bradley" initials="J." surname="Bradley"/>
          <date month="June" year="2018"/>
          <abstract>
            <t>This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="8414"/>
        <seriesInfo name="DOI" value="10.17487/RFC8414"/>
      </reference>
      <reference anchor="RFC9396">
        <front>
          <title>OAuth 2.0 Rich Authorization Requests</title>
          <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
          <author fullname="J. Richer" initials="J." surname="Richer"/>
          <author fullname="B. Campbell" initials="B." surname="Campbell"/>
          <date month="May" year="2023"/>
          <abstract>
            <t>This document specifies a new parameter authorization_details that is used to carry fine-grained authorization data in OAuth messages.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9396"/>
        <seriesInfo name="DOI" value="10.17487/RFC9396"/>
      </reference>
      <reference anchor="RFC9728">
        <front>
          <title>OAuth 2.0 Protected Resource Metadata</title>
          <author fullname="M.B. Jones" initials="M.B." surname="Jones"/>
          <author fullname="P. Hunt" initials="P." surname="Hunt"/>
          <author fullname="A. Parecki" initials="A." surname="Parecki"/>
          <date month="April" year="2025"/>
          <abstract>
            <t>This specification defines a metadata format that an OAuth 2.0 client or authorization server can use to obtain the information needed to interact with an OAuth 2.0 protected resource.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9728"/>
        <seriesInfo name="DOI" value="10.17487/RFC9728"/>
      </reference>
      <reference anchor="IANA.oauth-parameters" target="https://www.iana.org/assignments/oauth-parameters">
        <front>
          <title>OAuth Parameters</title>
          <author>
            <organization>IANA</organization>
          </author>
        </front>
      </reference>
      <reference anchor="JSON.Schema" target="https://json-schema.org/draft/2020-12/json-schema-core">
        <front>
          <title>JSON Schema: A Media Type for Describing JSON Documents</title>
          <author initials="A." surname="Wright, Ed">
            <organization/>
          </author>
          <author initials="H." surname="Andrews, Ed">
            <organization/>
          </author>
          <author initials="B." surname="Hutton, Ed">
            <organization/>
          </author>
          <author initials="G." surname="Dennis">
            <organization/>
          </author>
          <date year="2022" month="June"/>
        </front>
      </reference>
      <reference anchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
    </references>
    <?line 326?>

<section anchor="examples">
      <name>Examples</name>
      <t>This section provides non-normative examples of how this specification may be used to support specific use cases.</t>
      <section anchor="metadata-examples">
        <name>Authorization Server Metadata Examples</name>
        <section anchor="example-authorizationdetailstypesmetadataendpoint-response-with-payment-initiation">
          <name>Example authorization_details_types_metadata_endpoint response with Payment Initiation</name>
          <artwork><![CDATA[
HTTP/1.1 200 OK
Content-Type: application/json

{
    "payment_initiation": {
        "version": "1.0",
        "description": "Authorization to initiate a single payment from a payer account to a creditor account.",
        "documentation_uri": "https://example.com/docs/payment-initiation",
        "schema": {
            "$schema": "https://json-schema.org/draft/2020-12/schema",
            "title": "Payment Initiation Authorization Detail",
            "type": "object",
            "required": [
                "type",
                "instructed_amount",
                "creditor_account"
            ],
            "properties": {
                "type": {
                    "const": "payment_initiation",
                    "description": "Authorization details type identifier."
                },
                "actions": {
                    "type": "array",
                    "description": "Permitted actions for this authorization.",
                    "items": {
                        "type": "string",
                        "enum": ["initiate"]
                    },
                    "minItems": 1,
                    "uniqueItems": true
                },
                "instructed_amount": {
                    "type": "object",
                    "description": "Amount and currency of the payment to be initiated.",
                    "required": ["currency", "amount"],
                    "properties": {
                        "currency": {
                            "type": "string",
                            "description": "ISO 4217 currency code.",
                            "pattern": "^[A-Z]{3}$"
                        },
                        "amount": {
                            "type": "string",
                            "description": "Decimal monetary amount represented as a string.",
                            "pattern": "^[0-9]+(\\.[0-9]{1,2})?$"
                        }
                    }
                },
                "creditor_account": {
                    "type": "object",
                    "description": "Account to which the payment will be credited.",
                    "required": ["iban"],
                    "properties": {
                        "iban": {
                            "type": "string",
                            "description": "International Bank Account Number (IBAN).",
                            "pattern": "^[A-Z0-9]{15,34}$"
                        }
                    }
                },
                "remittance_information": {
                    "type": "string",
                    "description": "Unstructured remittance information for the payment.",
                    "maxLength": 140
                }
            }
        }
    }
}
]]></artwork>
        </section>
        <section anchor="example-authorizationdetailstypesmetadataendpoint-response-for-the-norwegian-health-sector-helseid">
          <name>Example authorization_details_types_metadata_endpoint response for the Norwegian Health Sector (HelseID)</name>
          <artwork><![CDATA[
HTTP/1.1 200 OK
Content-Type: application/json

{

    "helseid_authorization": {
        "version": "1.0",
        "description": "Allows the OAuth client to pass organization information to HelseID.",
        "documentation_uri": "https://utviklerportal.nhn.no/informasjonstjenester/helseid/bruksmoenstre-og-eksempelkode/bruk-av-helseid/docs/tekniske-mekanismer/organisasjonsnumre_enmd",
        "schema": {
            "$schema": "http://json-schema.org/draft-07/schema#",
            "title": "Organization numbers for a multi-tenant client",
            "type": "object",
            "properties": {
                "type": {
                    "type": "string",
                    "const": "helseid_autorization"
                },
                "practitioner_role": {
                    "type": "object",
                    "properties": {
                        "organization": {
                            "type": "object",
                            "properties": {
                                "identifier": {
                                    "type": "object",
                                    "properties": {
                                        "system": {
                                            "type": "string"
                                        },
                                        "type": {
                                            "type": "string"
                                        },
                                        "value": {
                                            "type": "string"
                                        }
                                    },
                                    "required": [
                                        "system",
                                        "type",
                                        "value"
                                    ]
                                }
                            },
                            "required": [
                                "identifier"
                            ]
                        }
                    },
                    "required": [
                        "organization"
                    ]
                }
            },
            "required": [
                "type",
                "practitioner_role"
            ]
        }
    },
    "helseid_trust_framework": {
        "version": "1.0",
        "description": "HelseID Trust Framework Information",
        "documentation_uri": "https://utviklerportal.nhn.no/informasjonstjenester/helseid/bruksmoenstre-og-eksempelkode/bruk-av-helseid/docs/tekniske-mekanismer/trust-framework",
        "schema": {
            "$schema": "http://json-schema.org/draft-07/schema#",
            "description": "Complete Trust Framework structure",
            "documentation_uri": "https://utviklerportal.nhn.no/informasjonstjenester/helseid/bruksmoenstre-og-eksempelkode/bruk-av-helseid/docs/tillitsrammeverk/profil_for_tillitsrammeverkmd",
            "type": "object",
            "properties": {
                "type": {
                    "type": "string",
                    "const": "nhn:tillitsrammeverk:parameters"
                },
                "practitioner": {
                    "type": "object",
                    "properties": {
                        "authorization": {
                            "type": "object",
                            "properties": {
                                "code": {
                                    "type": "string"
                                },
                                "system": {
                                    "type": "string"
                                }
                            },
                            "required": [
                                "code",
                                "system"
                            ]
                        },
                        "legal_entity": {
                            "type": "object",
                            "properties": {
                                "id": {
                                    "type": "string"
                                },
                                "system": {
                                    "type": "string"
                                }
                            },
                            "required": [
                                "id",
                                "system"
                            ]
                        },
                        "point_of_care": {
                            "type": "object",
                            "properties": {
                                "id": {
                                    "type": "string"
                                },
                                "system": {
                                    "type": "string"
                                }
                            },
                            "required": [
                                "id",
                                "system"
                            ]
                        },
                        "department": {
                            "type": "object",
                            "properties": {
                                "id": {
                                    "type": "string"
                                },
                                "system": {
                                    "type": "string"
                                }
                            },
                            "required": [
                                "id",
                                "system"
                            ]
                        }
                    },
                    "required": [
                        "authorization",
                        "legal_entity",
                        "point_of_care",
                        "department"
                    ]
                },
                "care_relationship": {
                    "type": "object",
                    "properties": {
                        "healthcare_service": {
                            "type": "object",
                            "properties": {
                                "code": {
                                    "type": "string"
                                },
                                "system": {
                                    "type": "string"
                                }
                            },
                            "required": [
                                "code",
                                "system"
                            ]
                        },
                        "purpose_of_use": {
                            "type": "object",
                            "properties": {
                                "code": {
                                    "type": "string"
                                },
                                "system": {
                                    "type": "string"
                                }
                            },
                            "required": [
                                "code",
                                "system"
                            ]
                        },
                        "purpose_of_use_details": {
                            "type": "object",
                            "properties": {
                                "code": {
                                    "type": "string"
                                },
                                "system": {
                                    "type": "string"
                                }
                            },
                            "required": [
                                "code",
                                "system"
                            ]
                        },
                        "decision_ref": {
                            "type": "object",
                            "properties": {
                                "id": {
                                    "type": "string"
                                },
                                "user_selected": {
                                    "type": "boolean"
                                }
                            },
                            "required": [
                                "id",
                                "user_selected"
                            ]
                        }
                    },
                    "required": [
                        "healthcare_service",
                        "purpose_of_use",
                        "purpose_of_use_details",
                        "decision_ref"
                    ]
                },
                "patients": {
                    "type": "array",
                    "items": {
                        "type": "object",
                        "properties": {
                            "point_of_care": {
                                "type": "object",
                                "properties": {
                                    "id": {
                                        "type": "string"
                                    },
                                    "system": {
                                        "type": "string"
                                    }
                                },
                                "required": [
                                    "id",
                                    "system"
                                ]
                            },
                            "department": {
                                "type": "object",
                                "properties": {
                                    "id": {
                                        "type": "string"
                                    },
                                    "system": {
                                        "type": "string"
                                    }
                                },
                                "required": [
                                    "id",
                                    "system"
                                ]
                            }
                        },
                        "required": [
                            "point_of_care",
                            "department"
                        ]
                    }
                }
            },
            "required": [
                "type",
                "practitioner",
                "care_relationship",
                "patients"
            ]
        }
    }
}
]]></artwork>
        </section>
      </section>
    </section>
    <section anchor="document-history">
      <name>Document History</name>
      <t>-05</t>
      <ul spacing="normal">
        <li>
          <t>Removed required authorization details types.</t>
        </li>
        <li>
          <t>Changed from HTTP 403 to 401.</t>
        </li>
        <li>
          <t>Moved resource servers response from body to WWW-Authenticate header.</t>
        </li>
        <li>
          <t>Renamed authorization_hint to authorization_reference and clarified its usage.</t>
        </li>
        <li>
          <t>Clarified authorization server broader considerations on omitting RAR from JWT access tokens.</t>
        </li>
        <li>
          <t>Clarified document's interoperability with any OAuth rfc and any grant that supports RAR.</t>
        </li>
      </ul>
      <t>-04</t>
      <ul spacing="normal">
        <li>
          <t>Moved required authorization details types from resource metadata to resource server's response.</t>
        </li>
        <li>
          <t>Adapted resource server processing rules to reflect error signaling and handling of large RAR payloads.</t>
        </li>
      </ul>
      <t>-03</t>
      <ul spacing="normal">
        <li>
          <t>Added authorization_reference to guide client on token selection and updated client processing rules accordingly</t>
        </li>
        <li>
          <t>Added security consideration on confidentiality of RS-provided authorization_details</t>
        </li>
        <li>
          <t>Added authorization server considerations for handling large RAR objects in JWT access tokens</t>
        </li>
      </ul>
      <t>-02</t>
      <ul spacing="normal">
        <li>
          <t>Defined the required types expression</t>
        </li>
        <li>
          <t>Added Protected Resource Metadata examples</t>
        </li>
      </ul>
      <t>-01</t>
      <ul spacing="normal">
        <li>
          <t>Authorization details moved to HTTP body and made <bcp14>OPTIONAL</bcp14></t>
        </li>
        <li>
          <t>Metadata pointer from resource metadata url, full authorization details types metadata on authorization server new endpoint</t>
        </li>
      </ul>
      <t>-00</t>
      <ul spacing="normal">
        <li>
          <t>Document creation</t>
        </li>
      </ul>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors would like to thank the following individuals who contributed ideas, feedback, and wording that helped shape the final specification: Rune Grimstad.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+09aXcTSZLf9StyxbzXBlSybG6/7pkRtgExgFnbLN3Tw9qp
qpRU7VKVpg4bNbh/y/yW/WUbEXlU1qUL6GbeoJnXyFV5RERGRMaVKcdxWqmf
BmKPtY/6WTphu90eO+4fs5ci5R5POeOhxw7jOIrZsZgKz+epH4XtFh8OY3G5
djeXp2IcxfM9lqReq+VFbsinMLsX81Hq/Com/NJ3Ig5DOjGPnakazundayXZ
cOonCQyTzmfQZXB4+qQVZtOhiPda0EjstdwoTESYZMkeS+NMtAC+Oy0eCw5w
ngg3i/103m5dRfHFOI6yGTx9K4YMEYhi/1cCkb2OozRyo6DduhBzaOrttZiD
uOE/J6mYOdkMvxKQrUsRZjAxY6sMyJiEvP0WIPDDMXuKnfD5lPsBPKcx/+qL
dNSN4jG+4LE7gReTNJ0le9vb2A4f+Zeiq5tt44PtYRxdJWKbRtjGnmM/nWRD
6DvncRQq0m4r0vruxOE2lE4s/pmJJE0MyXGMAKiapNb89lhdOUPXj9YYdXvJ
Qncn6RQo1ZLDIOkBDMZGWRBIRvkJIWB/p/70CijAQzXfHjvm/mgkfOAC9piH
F2wQpiIO6SUPqL2QtCZMuhKOv8ZD327XdaNpqxVG8RQeXNLyHj/Zv/Po4X31
9f6Dez319cH9+7vq68O7O3fV10d3Hum2jx7sPsSvg/6rflciPOMx4AITJvji
+cnRq+6JOwHA9ghCLZD4gqkXrA+iBVLEToGD2AjE6kAkbuwPkY2o4UHkZlMR
pklbDsLjsYCl0yv3SwLLkdBgxDS0Dtu7vd2es7Nrv3XcKBY0BMkUe56Fgu3c
7zBou0vPzdrQx2F+CPLW77K3sT+epB126HWL7551WT/0YnGV1Lx83GXPsjSN
wpp3T7uAZhj6SavlOA7jwySNuZu2WpbSAaYrCdyxYjq2BVJ7k334oBbk+hqU
DuglHnv+ryJh6UQw8d6d8HAsSF/N4sgVoGGApNGIFTiZecCgfpCwYZYyL4Le
YQRfxMgH6mjmpXXx8nWpHwF1QNJttQYh457n47sOjMaIBaOZiPkwEGyc+R4P
XcH8BIAZiVh4LI2YG/i4xh38HivFCvwAA2cxADWcw9MkymLomIj4EliMeZnA
1kDQbDTyXexfDxnAdDqB6TzFSQgejJYQqeC5BaAfgCZlQLogEEC9DoMv0RXi
rADEGb05iKzvwqs58/zEjQCcnFYATyq4h5SORTAnoocsylInGjlDXA4+joWY
SnR5wq5EEOC/hTVUmLPEH4Pg4iB+6AaZJ7/ZBI3zbYhdTUA/LCcIaF9BXOLy
LBEIqZquK/lx6nteIFqtG6hm4sjLXOy9OXcSERMmu1uEVFpUgQWMgNQBUYD5
MuSLAvAdJkJAmPjPu0QWKjVg08gTiJwbRwmuNijEEMiaAahAXiA97U04x0Tw
IJ24nDB+Fl0JWMEO7fM22EYckplw/dGcTaIrA3514S0BuYQlK0OnaR8NfxFu
mnTZCQI2te0KzaCyAy5SNIROIWBq8U+FnaW0gs5t3QJ1Goqr0sxSYIB83iwC
3tlj54X3ZwqyMxLgMw3RmW5/3kEFcul7i0XfoNKxWLWEEeBoKX8JOCmKBAhv
7RfX112Di9muWM5+b9++dfAPGNlHy0tZZPvAAB1SVhVlQYrCk43PbQk5K2B0
jpxSkAxSpjh6DtECOGDeGdpqzGyFnTK1LXkFyl5NUJLAvkuJWTlJGsn1Qu4h
PTkUDIAEtvFjeAbKSGKeqwMfSA4PUfrAuFNwK6EjdOrYBG1N3wPlItcFxyS1
gtKxECaWTKIsgN1GxBM+SxC8aOqnKUA4iqMpe/72FPDDjQiAvxCIrdybgLWg
jdab6QSMx/FEtqGnIM4ggDglsP5rw4paEq/AXFuZcFKJKGEZlBX/UITAkiky
gR7d5UAZfzoD8pKIalrTnir3LrNfdQgWEFU28mPQa4HgcYigouLATS4KpXZb
SUEAgCfZbBbFKS2CmIFkAKhBR24AEmNH6ibfZTxNQftkYNgq+QPgYNtE/i1J
Q8foRM5iP7lAXEagf8HkBByZMhkDexoGSwQ8PvKxN27hVV2gJQ2+yjn/mfla
iSv5oGZpDDsrrhhQU/o1gB/uD13ccPaj8BJbR4o9DnIVgWpPMHBeGHovCWu/
fHNy2u7If9mrI/p+fPjfbwbHhwf4/eRZ/8UL86WlWpw8O3rz4iD/lvfcP3r5
8vDVgewMT1nhUav9sv8TvEGo2kevTwdHr/ov2ihjadG4iIUSTqLfLBYoATxp
qf2BWJ093n/9f//auQtq779gw9nd2XkEG4784+HOg7vwBwqdnC0Kgd/kn0DK
eYvPZsBYJN1gObh85qc8kLYEiOBVCNsbbWy3fkbKvNtj3w/d2c7dP6sHiHDh
oaZZ4SHRrPqk0lkSseZRzTSGmoXnJUoX4e3/VPhb0916+P1fArRVnZ2Hf/lz
C1lI+6XsCPjx0hdXrdY+CXMuqAkoTuLgVbWG0VJVQxQ0yW+//QbEd33f4XGq
LP3VP7edms/tVlOb22zr8U3Wfz3QFpdq8rFu7I/FYaw2H+tmdZw/qybHGkk1
zFb/JnsDCBMkH2tHrJ3pRG4qFjQn4MGlyccSNN/Xg9OM1BNQGUQXhFitL4y4
tX+T3e3tsDehXlBYtBIFG6lcwau8v4NXB5In4iXdyF74od1sZoA2WWGEM6kx
Ztjjh58n2RSUcwxbJPHrFPZRPhbvlo3UaHz88LNW0WuNoCTj3ZJO8NlboUmh
xWZrVB0GnxdNG7ZQEtjWwc1qB92kwMELh8GPlsnbZC/R8xqsbm8glzWi8HEZ
NHVdqrRZNEyTXFKbQ+UhrADN1mGZxGisb4pUecHXJHHTMFVglvDNk5vslMxU
WxV/dQsuQbQWa+MFXwOaraew4NLal/PL559npTZWFJ/WZOvZTVjpNJ7T9ruP
1temwJDTYhHmS+/fS/EuT6z+re7f9cOsvX83QLM1uMl2ez129DdUoRqJdUnc
bDyhrdZ64o+zGDbzL2kWtloOQ6MJfZYMDaeE7B7yjdDd6eL7x/K99DUZRhTR
6yHukl5tWPCYqc/+zZwuymUHFyOLwWF6dnr6mqwf2bkanpiA9QDt6TWZGOCB
ecsCIiE5LAuiGITTrVsFj6+RZrduERYHBcyzRIWtDUEX050CG3ko5nYldGeC
HE7NzlOiWnEqJAh1e+I8LcCoI+p1HchBr6zUs0L/Kb8QZnV15JNWAhGXQdPK
EIPqYlPogJjVbk3LpDEC9x7fjLLABKTIubYyllbQd4VI+qKII6JY8vFXZS2k
GiJ/XmbUc8Wp3TL2CVPOpUR18fAUtlJEQuhF6GO0TCJLKVeMzccrZRAknouE
QCJtxf3KoT025Im4fzeLA0eESBwVDJVMbaIqac4yUZiH89QbGYpkAxACK+AD
PgmsBai6Ww2x3fM9pr38LuvHMZ9TJmjlaOOUp+5EwzCiiKyKivsynlEWQLO0
9eAYAbDoNcz8IFUamKaROQGjV7VM40r4sQxyJSrMaXF8rhbGMQciyrBFAvMn
o2I47LtER6koGaNESOeeNAiUFqkjbSwwexW6gohr4heYE2TRjAOwGOxCbMYi
xHhqY0AO+VHGJe3Vh4eJCJA1QGmI936Syr3JFvokiVyfRpY6HbAB/dDIx3mA
UiJe4jeYMQtB7CgTRS8SAU4nyGSiQ+GL+ESyIJGqrLSU1GpC1LFGTk6kksvD
KMQcm/+rSdrwxLBgLVdpSZJhTIsWgI/MlM2A8Dob0WFJBGMBIxOiwIXYUSNM
yb1l5MTtystckY/QgBIq7Ux0DXlQl9AjpgNyANyl4AEAPmdY6uFTxgMVSgwg
pBhMlGJHUXA9zr4KUtMoaSwIGVB1cmyeaD5E8pmZQG+I6SyVGl9FKBkleGOc
cyo4xawpZu+nXWtNUeXiK0XP5gWk+U2svZjyC3x4OJcaJWdrlREgmNxoio8W
KVu9rclECL+MfE/rB+yKOkCNKDcBS4HJtAJIe4CxlLkM4KJCmUWYEk4KBD6t
EVYTB9Vxdklzo47llGp62GUyTIAodWjsmya9iNFjXJXQU71QHQbCoWxUGMxh
H38VpdbWe14JFZ3nSpW97P8kI9EqIQDEUiAATSii5JiIkjWE3u/WA9eKepvs
tLREwVGSKllnK3ge4c8SaogmHfC+1NloIINOp+QHLhrsLoD44Xs+nUFTMnNN
po34lKvEDCAx9FOzZEojYYftne5OJTJIb5uCfCuH8arBunZfFUCgRBc0h2/2
HE/1bg7QifnziffjcTS883wmpk96/O2j7Mfd48B7+mQ2fPbSPwrSB4Pw+J77
9I1/5D+/4D92u12ZJfGENDAWyRBaJiSWOoUhFH2NNcE+GEeqXcsA7T3284ei
s4VtMR0Mr9pyTc5oTc6mWN2QinLoE9sfiGEaxX3XjbIwhY7VIakZ5YbFK2Bt
HPzN37pHjweH3RPgEYwlqe6vqHCuZhYaYqDSWJIBcZjeQ/hfb3fnzu69+48e
NvXTkz6PJuFBJNqVVtc1aO3DIvuIGGx7a6P1eLD/ZLA6Gq/ePv7b08e7u2tC
9m9A8v7+y8P9KJ6thtlLyWUnsMdnCXV3cSet47p93C8BpANof+rLyXZ7u/ed
Hvx/57T3aK/Xg//fpv8WZ782f1nx93bDdojj/jR88M87/f17nhzneokym/E5
+VmU+pSK45tK+wNVmtFoamHO8oWpclbbV1l+4Z3x6QL5artZjBwyx5EP3xzX
SkLbDNHe6fW6ZU5kdWLQdpV8n/GFAt72h5wk8uAQxHG3d6enPlg+eW+nOlOr
7o93mqVvlOIsB8pKxtLOJK+g1oFouayyPKWpnCCvjyLnEitRwbnM7RtZvSet
cK9Q5CO9Fxzju0SbEmRQrQIj8Eo9dzTVSLX3WhSi1vnpLiP76c3xC+04rUQa
PZxi+bX6IC3QbdG+ICmWp4enyq1FBeOpYpl9KSYO1dye89ksUNqZ6mVlyI8X
ghNXkyhB1wAVvSwfXFAIlteKYE3HIacyN+yp/BKfwmBqZLusVBm7C8buFoVY
y6Ul1BgkUvsMqA5LpNqWNqt7a1eqnWWxX9NGFhLjfLbQqccNfZQGIr3CdNb0
WotM3zgNeS0cMp/BAtgq56kTGU5Q9J1rZ1g1Xuyi08rkk3QtH5SEyHiX5IR6
efGjrH3SfrGZLBTjSKlAWJQiceuAVnEwuc5W6+VQd4turnSWAaQotJ1disAW
xohMrFSO6PoIeELQVhe7APObYwzRyv0bIRbvVUlUsZ7R4t0lKMCcmnlgIvLb
5N/nlt9ohQoLVZI66loqkZTBC11VlCwTHylvct3l3JKeOp6MeyVVtkXh4iHy
aAJoFYDdlRGUc0TURieNZGwpipX2WVI/mqsNBLLgUcMfOnzJsjDAANh5LnXn
+N5EI7tsMGIq0NMpNjP8Y7nE+dIYPrCWR/YrAII5mWESBfgn8AmVXcl4OIX3
YJdieKJCblj47fq6U2CmhtVdXRHaK2msTK+wqHa4kwJTxUCnTLZUWXANwtcQ
Pa30LS9DcQnUW1yBXEsW5LCPVdAqWG1MucVV1cqulptUGIWOqR+GeU6EyBt8
+GBOYenpVeC60C03zlUrmUrpH9vZqEpta6v1OouTDIMZtOWW4+OJLGhljzoN
ZZREKBOrmeE3WGN7WoqmlbIjVCiKutylpe6a7EzFsMLIEPe8hUH6giwXS3cR
Z+RiPBYm09hbQIObOjcQUUxbl/BaFbx55E7aOLBIU06V9ViDj1zhcgrrXdE7
lay55LEfZUm5NlmXscp5EnB/ZDrH7GUyeurO7ZL0WlrWLSG7onJmAIl7lz4W
WvMxqmdk2EEqRcNE/aUylsHGsJ7iFApMqvMAcKmundYISsEFhDomGuyn846q
mCacaGM2kTQQkBzF5gi5JelvicBEDRiRqperm1gxfI/l3GUpN6XdVk23LuXW
7EvjrsrClz6nDnXMY+xjqaeM6avgwyCphZBOa5SykyD1k8hLZCxUXFL+2a4W
lIuDLEO8SAYKwRIIfsHHUv5f50eqjjPQHPDshq4nqL67hdRG3ncFLCTlMxan
Lsn/BhBG9ZkSy+XNfaHcfKjJ1pvQvCXTyLEUFyfjQZaka6pbaSHwn/LQeMfO
F6EOiakeRifLEDed2sszecXgOwaXB58JsaqqqgCog/R+KssGkmyYIITwunAg
AvlBHreBRpIM8jwF4GenJMkeNH6aQaVWbuh4RhJBv1in/hRk+dki5ZpWauYb
DthV8EOmx5JngQGHPPH2suA442FNtBij/NwSz+M5JaIqSTzXsFXzllIR6USS
feTEnN6A7R6pY0x3XIkxbKrNOTLJ7HMgTZEwtBSxoAwIMAMnVuqSwBlsVZlS
neT9j4jx7FYhb0q8Dgq1m79fQnu0JnQ2pIPkMCovDzpRjqd4eMVWXrQQeKxW
nm4aNJ3ExKkaqhM6uu6hWOnzCeG+0q6xmkDKygZFjsKhpSbx1ArfnIDRh4Jq
FMd3uB3PspT0rD7djjELe+v/cCNRb5yiUXAtNXEUjqQ/welgDx3GLKbx6kuN
NMitVqXyhDZ36yTccqzzgxBGC+W5XXVYFCiAoRVjv9LG5itTJ0HGqjcgm+Ys
6jSrvMJkvxF4Wa0FLW7dynP8QPAS3RzqEl/WpGPNhKSVlqMKHoK0CqQCAw3q
UFmc6qhNBTLpbAtOHWlVJ5EADlMyVadxAYV+oE68X4pgXjl9Z8CWe9dIFl+Y
Q1QGLM0tuiRQJdJzbTUBDYhexJbojrsd1laR1rMd3raPAMve4j2aarADDR73
X90kxsZj8yWmJs5d6ZAjKL4xMEc8b7U+2o/1H2/waAB7ESmL5yPbl4fBMfAX
R0EACH5kJ3Yu1hyzZx9bhdLShjrTuscNTeEFQNmsgwAUI2tKS8taKuN4faQ7
MbAdONc/wqeDeoH6/gjw5mQrBkzVpmB2wpxoJGSFXDRMhi/pqOgaUWkrEi1N
plXgiBUce7h65inmu5j194EVI/uUBfyMa7hWSBwA3DT8vXTB6ZT6kLsXKEna
odfLqhqa7anozWtXHwGjY5lVVkCHVJ+tReWgDBGjJNASIS9VGiGLFzsPN9yo
hhuwv0FgTfIa6SCF+FplDAcmMVXKE8qianpmh//3WDn8X0mT1eS8yukkO+q+
0+2VElnlyHuRYJS0oZFFHvjSCdA8HyqowBZVLAUjmE5x6afdyqR1AX19a4gO
5bjRdBsaJttqQqcxsWcF/6up5D+Zl+3V7iVR7Wuy0nRJCg5UXdFaIaodQ2Ur
pVFR18IkbPfYz/XpdxqjITVfTXA2NKzkISvNyufXsNeMyodSn5ImDYUJlcRP
dW40NVfN2ebdFvJqU7y6ihd+auoTaAppOTYjZyPYpvjnGgC/FrE6dK+mUbVn
fqluvSwvhTF9cOwWw1eAUZa5LhiQWoswmyK/tbW4t981dmggHY0z9cOBgm9n
QbMs9MFi0y3p2qw1Zlo5ia+aLxU507LMYDS4PA2vygH0nqmVoK6rk1TzFq6c
Ldh5fUHHlBHUyJvpu4LcmbZW6cLilgXqrMQo1KNEpcHJEbu7u/MgpxGd01hl
pBmGKWIa5X9/7jt/f/fhzvWf6gVWfxZwHw25AkOYtp+M+gFYHVMesGkUgvaJ
50zOnvtzdLsAbp00w/o06TmP3t3e+sc/uvTtw05n9/rmX5ZRqFly15KyFQtV
VOvNhSy3HGTswhavKz8IKPFAsKwjX1Q+87kkStXi/C7SZF8KJ++T0xSStXxs
Szqqm8iXZKJ7nTt3l4rZZ2KiWOCOhzdCnVmRg9VYaSkNy7R7E1oXVOUzF2IW
ptpbcthChpry9y/oQhTczu726hGvlj42lCOawpLP4FdoLF5F8RV4rDxkz+ja
LHLF4N3WMxEkYnBw81M9jdzVmOCIvleKUX6ityEvH8ud8/ywy4wnSeGexcIq
QgOF4Xq+RZZe+hfgoaPTyINuOAm7YbStRk5+QbP0FxEKDDZsK4S3h3F2kUwj
gcwlnGjsiItETGciuIBtjt46/NLRrcljScVF6CcXwpmKC0AgmcJwEpdEzgLm
VixgXafeJ7gyTZ6M03ugnJgbC72YI5u68lJTaZFyNs2C1HeAPzBJLhdlM2fm
8/gLq2sE41lY7Jpz61qqa0ZRTewn4rM4ClaEcfkGuM7OY0vAejvQUjg2gcf0
yR2slftsBt2nQGn6JnOQ6Ona/QoQK95ba4AlxmrTXF85lFTU9weAuXLrNRBa
Hm1p7KmYapMl3ojgK/dpdt3tz3JyrkDG9clna46lHRZjssBGXdFLWEP3Njat
h7HGLPzsob7qBlUN4TXZolYVtN4pwXRO0rMRJk3wtvJPNO2UecZOcVT2RI/K
BpYX8G9iuRFhnJwwv7vFViLtfoSuQyoqtDXeT+0gXwN1wZ330wQAnmJJ4cW2
vN3yDKY5K7+rmMaExVdscQLR9spI7OXXrm9ufP4RdudiL+/TANkEINMHY4ub
mZzr2BwrWhCbGJabwfMHbdZE7fVo8amb+pL4biDGPDhDEyJdM8D9pR2ib1xZ
0+ILmZBfF09ScO4sGp3hrfXfmLJ+7G9MqVv+PkzpCbA90umi6w0K7b9x5BeD
5z+FI7+wP77wmuZy44KdsJb+Xl2u1o0JNCVaYdazWASy0nTiz/4Igz//2RU6
Y+C7X9VG9s3qb2jxH2L1z7J4FiUCZTRLvnFm49jfODNv+0dwpnVTzTcOrR37
G4fmbX8vR0DeroHH+b4mvvyaXAE8V3Qmb3QVG4I1jKJA8AWJogJcX71LUKTI
V+4Z1Biv6xkUmyn5dQTvM/kKM3AS6AdXP0+B+prF5CsphHWVwQbhs/WB2hQ4
029NbVWAcN1qh3XqFzYsbdkcts+qdzeqvlhdi1HrVXdZ/CwvnVhFL68ZeqM+
37iZfePmFVp/Zm7+JMtyLXzXirJRh1UibfhZcFSpfm+tPP2ytTmNJ/Aqcb9l
m37ldWN9T0v+t3UjP3v8zE/SCE9YO717ePnGsZjSpT+r3GxC14XQMWd1N4S6
5OIOVmLf7e3g+5dqtNLVDMX7c4eRN8c+DT9/0yW4Qj6t3P0w8dXp0oYbSuiQ
VsBj9asXKV4OQBcC4T0n+nHtgfFhHNEv75QusMJbCvEEgbrjvOF3covj6xqb
72p+uFz9aNBc3wIxcuVFLeZidbrzRx1oTtS16rBWd1sWbZevlITTrII5DV+9
zum7fG3oB4c9PkurC2j/QH2M97bIkUb04xfyLoD8d9DlT0GEXqB+zh4IMxZE
vRmfB0BmPJbt9O7Qr2F71Qs+8uWESfBHV+yfW1E3iZFL4qtfrM5mHv3ChmpV
gRWPLsV4JUgwN1Pqy0mKC87o54IqN5McnzhLLiOpxWTBDzYb+uTEWXxZndPb
RXodqHsMC5cRySUX7/G4GboaBppFtw4Jcyjf6e20Kr81rdlJagc8aYGyToKL
JJ+CsJhrAJE1zX0LEfF8EwNmcdBhoywoX1Fd5F7TPGq4qQ1/PkKYW4qdXo9o
o3Wcq+4Npx+b7bsXYXQVCG9MVyu2PuzJQw7C+6E94gG4fdfyLl85kb5ULvAv
1AWZePiqeOMEXmEMzJBBb7x3l+4XkndbeXjmmCeAohAeXn8g72G6kuwnhXsi
ghky4ITP1G/Y+HjIq3DDwR47zkLBnsb+NAFSdFv/DxhEO/IvhwAA

-->

</rfc>
