Access request, or authorization management is far from new. The classic use case is the use of a workflow process that, via approval, updates a profile or account with a persisted attribute/group/permission in a target system. At run time, when a user attempts to perform an action on the target system, the system locally checks the profile of the user and looks for particular attributes that have been persisted. A slight variation on this theme, is to provide a mechanism to alter (or at least request to alter) the persisted permissions at near run time. An example of this, is to leverage OAuth2 and use of a tokeninfo endpoint that can convert access_token scope data into scope values, that are used by resource server to handle local authorization. Dependent on the content of the scope values, the resource server could provide a route for those persisted entries to be updated - aka an access request. In the above example, we have a standard OAuth2 client-server relationship on the
Recipes for Digital Identity & Security