[OAUTH-WG] Re: OAuth Identity and Authorization Chaining Across Domains - Shepherd Write-up - Implementations
Thilina Senarath <thilinasenarath97@gmail.com> Thu, 05 February 2026 10:40 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5HFbBbbYfdsY2yTqC6uoEZTui8g>
WSO2 Identity Server has related support that can be used to implement identity/authorization chaining use cases:

- JWT Bearer Grant support: https://is.docs.wso2.com/en/latest/references/grant-types/#jwt-bearer-grant
- Token Exchange grant support: https://is.docs.wso2.com/en/latest/references/grant-types/#token-exchange-grant

These can be combined to support identity chaining scenarios across domains.

On Fri, Jan 30, 2026 at 11:22 PM Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org> wrote:

> Okta has an implementation of the "Authorization Server in Trust Domain A"
> https://developer.okta.com/blog/2025/09/03/cross-app-access
>
> Auth0 has an implementation of the "Authorization Server in Trust Domain B"
> https://auth0.com/docs/secure/call-apis-on-users-behalf/xaa
>
> We published an open source implementation of a "Client" and "AS in Trust Domain B" that interoperates with Okta's implementation:
> https://github.com/oktadev/okta-cross-app-access-mcp
>
> We have also published a standalone implementation of all 3 roles here:
> https://xaa.dev
>
> I have a very barebones implementation of the "AS in Trust Domain B" and "Protected Resource in Trust Domain B" here for testing:
> https://motd.xaa.rocks
>
> (Note that these are all based on the more specific profile of Identity Chaining: the Identity Assertion Authorization Grant)
>
> Aaron
>
>
> On Fri, Jan 30, 2026 at 6:29 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
>
>> All,
>>
>> As part of the shepherd write-up for the *OAuth Identity and Authorization Chaining Across Domains* document, we are looking for information about *implementations* of this draft to support its publication.
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/
>>
>> Please reply to this email, on the mailing list, with any implementations that you are aware of to support this document.
>>
>> Regards,
>> Rifaat
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org