[OAUTH-WG] Re: New Draft: OAuth 2.0 External Assertion Authorization Grant
Warren Parad <wparad@rhosys.ch> Fri, 03 October 2025 13:12 UTC
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id F028E6CDD6BC for <oauth@mail2.ietf.org>; Fri, 3 Oct 2025 06:12:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V1yjdt-0YRws for <oauth@mail2.ietf.org>; Fri, 3 Oct 2025 06:12:50 -0700 (PDT)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 6FF8B6CDD6B0 for <oauth@ietf.org>; Fri, 3 Oct 2025 06:12:50 -0700 (PDT)
Received: by mail-ej1-x631.google.com with SMTP id a640c23a62f3a-b07d4d24d09so395870466b.2 for <oauth@ietf.org>; Fri, 03 Oct 2025 06:12:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google2024; t=1759497169; x=1760101969; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7MRmmQtBwbQxwtV7ha+G95oJBB+5nVIh9zMLYZ2BY9A=; b=LM/0syNoN2fsKQ5pEzBPro8fMcUA7itWocRwXEJLlGqjiFL7XeoFGKuRwMmUtux6EY mbdfoobhp1rdo8lXvmR3Ip4MUyUlrWIO4Lv7SEjT4ipXAXhf/J9Eoa3F6NKgZeE4clDK aTNQClqevKwOGrg9zF1wXukBkziZfLMOLXULKdhxNlgsYi1zjJVGqnQBf0mhdFvt4oZf f6GAG7a5gA6nyEwTXl1tixTcfM8o1kLZ4k88lSdxK1bBk3ykCPN1y5n+1DLY8lRhR9gl nZK1ETKeFfSozQ6kj3x1R/I77J/3vTuFWBgFOugp9V9vJ5EwvuftObgAhg4ieYyYZOcj zuRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759497169; x=1760101969; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7MRmmQtBwbQxwtV7ha+G95oJBB+5nVIh9zMLYZ2BY9A=; b=Q01gQZyuMFgZgmA/hOd5e8syqSdwedFeQ2+M6Wp4CX/pUrLh+khX0HqfnQxC53ySR5 gISv7ivG0n2s2t3WQHa6fuJZtVg2IEsH3GPkHCs9ta/zaAL1RmregZ4ptY6DBoXhqGgx LMNexfv7rpMBS/pnrBvffeAbFGSjcjJgpUOWv60VlZnw3gFDY3quvTRa9H410h5lYxbj xwto3rGOO19SgN2LaeNEsLdORRGC9DBWFe6Izkd2SMJiWHkNc6bZQxr/BTv8/aUhphvB OX2JzoV/nGOlRFY17mVMjNXKHiTFoy/uVWFxz7lsHFi3ux6L02WuT6ag7U7TbPMIU0Sw h3ng==
X-Gm-Message-State: AOJu0YzThhz6msyuLs2hVZ96m7QMFvzfdTcxwSR21SZqDOVVLddWBerB o9yYpP3el4OQhLFifutJwvD4cJSx8OO5szOqnGX1vbXNi3YhWeYWtY4x5EjUCCuvZOdrXsJckOv b+hb2LyPio4b62nCdQzzYKBE+SIBvBRO7maRVZA6j
X-Gm-Gg: ASbGnctRaZoJJcXogE0OkPxwusSKZEMJ60pzI7H2WuTFiOLBz5oARGPxj68uJdxo1s8 LFE+rUuYUD+yTs/NdJ6SGeNM0qtCdK+6XqULhYTbWYXUuqJA/DP/bxwLENGj7yJMw7VvU8sLRAa dhzkXDiK2v0paiGYJtAYfTkYPVXuX1ct7pVVjw0KSWUJ0bKyAZAVmDMnv/RrCEW2x1M61QllzrC HapshW0GVmMRfchpYVVrEMlCeBy96JdwmlOZKKtpYLfbbce7Aa2Faum8nI9IfkiKPMlOOGJ2fQg Z4TD/6e1Y3saZaDX
X-Google-Smtp-Source: AGHT+IHbBgXGHyo0d1lAHtok/4yaTBH3qSCT4j1QOAH5ujD4RcOnO2JF5fPdrsok+wl2mDHY1IiGpbAMifQZmosjhjE=
X-Received: by 2002:a17:907:7213:b0:b29:c2ae:78f8 with SMTP id a640c23a62f3a-b49c3d66c4fmr381025866b.46.1759497169063; Fri, 03 Oct 2025 06:12:49 -0700 (PDT)
MIME-Version: 1.0
References: <DU0P190MB244842D6D7376CEB48208238F9E4A@DU0P190MB2448.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <DU0P190MB244842D6D7376CEB48208238F9E4A@DU0P190MB2448.EURP190.PROD.OUTLOOK.COM>
From: Warren Parad <wparad@rhosys.ch>
Date: Fri, 03 Oct 2025 15:12:36 +0200
X-Gm-Features: AS18NWBDN6By_pa6dq00xwfILfn3EDPLxlYHAQuTj9D6Slev3-bt2Ab0dJ61EOs
Message-ID: <CAJot-L0T8zQY-hHRagmpci5Baa69Wa8Kih7M9W-YWe+pFRockA@mail.gmail.com>
To: Jorge Turrado Ferrero <jorge_turrado@hotmail.es>
Content-Type: multipart/alternative; boundary="000000000000bee479064040dbc4"
Message-ID-Hash: LXKSEH4GBIL4FU74LFATARU7K2GMNCZM
X-Message-ID-Hash: LXKSEH4GBIL4FU74LFATARU7K2GMNCZM
X-MailFrom: wparad@rhosys.ch
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "oauth@ietf.org" <oauth@ietf.org>, "draft-external-assertion-oauth-grant@ietf.org" <draft-external-assertion-oauth-grant@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: New Draft: OAuth 2.0 External Assertion Authorization Grant
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/64LjdjPZKWlUj87YbSJU-ZFLWXc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
I would say I fundamentally disagree with the "difference from the existing jwt-bearer grant" that you've outlined. There is nothing that would prevent the jwt-bearer grant being used in the scenario you are talking about. The verification of those JWTs is outside of the scope of the RFC, so it already handles the core scenario of crossing trust boundaries. Even if someone could suggest that the jwt-bearer RFC doesn't handle your scenario, then surely RFC 8693 <https://datatracker.ietf.org/doc/html/rfc8693> does. That one contains explicit expectations for token exchanges generated by one authority for another. As such, there is no need for another standard unless we can outline what exactly cannot be done within the scope of these other RFCs. At the current time, the new draft doesn't include semantics to account for anything new as yet unaccounted for. On Fri, Oct 3, 2025 at 2:30 PM Jorge Turrado Ferrero < jorge_turrado@hotmail.es> wrote: > Hello, > > We submitted > https://datatracker.ietf.org/doc/draft-external-assertion-oauth-grant/ > > This draft introduces a new OAuth 2.0 authorization grant type, > "urn:ietf:params:oauth:grant-type:external-assertion", that allows a client > to obtain an access token from an Authorization Server by presenting a > verifiable assertion issued by a trusted external Identity Provider. > > The motivation is to support zero trust architectures in cloud and server > farm environments, where workloads and applications often authenticate with > different identity providers but must access shared resources under a > common authorization server. Today, each deployment implements its own > bespoke token exchange or local credential system, leading to fragmented > approaches and operational overhead. > > The External Assertion Grant standardizes this flow so that: > > - Workloads can present a JWT assertion from a trusted external IdP. > - Authorization Servers can validate and transform it into a short-lived > access token. > - Access can be consistently enforced without long-lived secrets or > provider-specific hacks. > > A key difference from the existing > "urn:ietf:params:oauth:grant-type:jwt-bearer" grant is the trust model: > - In the jwt-bearer grant, the client presents a JWT it has signed, and > the Authorization Server validates it using a public key that has been > pre-registered or exchanged. > - In the external-assertion grant, the JWT is issued by an external entity > the AS already trusts (for example, a federated IdP). The AS validates it > using that IdP’s keys and trust configuration, not a per-client key > exchange. > > This enables practical zero trust at scale: every request is authenticated > and authorized based on verifiable, short-lived identity tokens, even when > crossing trust boundaries between providers. > > Feedback from the WG is very welcome on scope, validation requirements, > and applicability to real-world multi-cloud and server farm scenarios. > > > _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org >
- [OAUTH-WG] New Draft: OAuth 2.0 External Assertio… Jorge Turrado Ferrero
- [OAUTH-WG] Re: New Draft: OAuth 2.0 External Asse… Warren Parad
- [OAUTH-WG] Re: New Draft: OAuth 2.0 External Asse… Aaron Parecki
- [OAUTH-WG] Re: New Draft: OAuth 2.0 External Asse… Jorge Turrado Ferrero
- [OAUTH-WG] Re: New Draft: OAuth 2.0 External Asse… Lombardo, Jeff