Support for OAuth RAR and GNAP #6

Open
jricher opened this issue Feb 9, 2022 · 0 comments

jricher commented Feb 9, 2022

Apologies if this isn't the right forum to raise this, but I would like to see some newer technologies like OAuth's Rich Authorization Requests (RAR) and the Grant Negotiation and Authorization Protocol (GNAP) incorporated in OpenAPI security object definitions. With RAR, it would be a way to get the RAR object type definitions and other details into an OAuth definition, in lieu of the scope value that's there already. With GNAP, it would be a new top-level object type akin to OAuth and OIDC, but with GNAP-specific details (grant request endpoint, RAR-like access objects, token presentation binding, etc). I'd also be interested to see how things like HTTP Message Signatures could be represented here.

I've read the proposed changes discussed here and I think it's in the right direction. One thing I think the use of a type parameter could potentially allow is an easier means of extending the security objects with new schemes that aren't included in the core OAS. I'm not enough of a JSON Schema expert to know how or if that's actually possible, but it seems like it would be possible to define, more than it currently is.

I'm not sure how best to contribute to the specification space and discussions, but I'd be happy to do so.
