[OAUTH-WG] Weekly github digest (OAuth Activity Summary)
Repository Activity Summary Bot <do_not_reply@mnot.net> Sun, 05 July 2026 09:58 UTC
Return-Path: <do_not_reply@mnot.net>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A229B10EFDA94 for <oauth@mail2.ietf.org>; Sun, 5 Jul 2026 02:58:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1783245515; bh=T8N+Pni385/sMGSioIwqi3+0r1mI8Cg59FBjdzKSRsw=; h=From:To:Subject:Date; b=US64foG+GRjccwNi/VqwUz5fy2cFP7zS8dZdShQ6j5keTQHIQqyFtdcK7SqRr5Afo r7EObGg19Orp734m25O1qbvEEEGV+c7aU6zE25CF5goK8sUchUvjPQpggV+LoPxwpa OYrBRBcdLs/KsVbvMdb2LngSpqLlrciYlhbFNuZg=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.397
X-Spam-Level:
X-Spam-Status: No, score=-2.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=mnot.net header.b="kRSbO3vb"; dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=messagingengine.com header.b="RTbdYc33"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4x4TNMZEYZie for <oauth@mail2.ietf.org>; Sun, 5 Jul 2026 02:58:34 -0700 (PDT)
Received: from fout-a7-smtp.messagingengine.com (fout-a7-smtp.messagingengine.com [103.168.172.150]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1431610EFD2BF for <oauth@ietf.org>; Sun, 5 Jul 2026 02:57:58 -0700 (PDT)
Received: from phl-compute-06.internal (phl-compute-06.internal [10.202.2.46]) by mailfout.phl.internal (Postfix) with ESMTP id F3433EC0178 for <oauth@ietf.org>; Sun, 5 Jul 2026 05:57:57 -0400 (EDT)
Received: from phl-frontend-04 ([10.202.2.163]) by phl-compute-06.internal (MEProxy); Sun, 05 Jul 2026 05:57:57 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h=cc :content-type:content-type:date:from:from:in-reply-to:message-id :mime-version:reply-to:subject:subject:to:to; s=fm3; t= 1783245477; x=1783331877; bh=dI/etXVyu2wsbXILwL/qvmGMt56oVZfdcFm ksIoKiYs=; b=kRSbO3vbqlfyxqRntcLGIAHC2tZz76SEf/kS2rkpO4eBa0ROYnd bjcG6UPPcq8rRQEGIgrkN60yJXTbVzoiIX8IeU+bmGfYNJBw0yr6qb7G8YnWPxNJ fJhkxGFor6e4u1HxyX315zxWqwMv3a19BsP49clVoRAOvRiSyL6GuOtVxL6a6fme +n8NKluGNuAT1IcuW4VUQD7ESX9Yd+cB2AV9N8WP+JzDAzAS1HygIIdhYf+Cu7gv jQEpV4OJAUoZmh0LVdfLO/zgGf2LMRi1vvD3Y8k1QotVDgBwRkKQy/59fW1R47x/ Es6NmH0uPmAU9wNRIxanWDAz76Pg/YHlilw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date :feedback-id:feedback-id:from:from:in-reply-to:message-id :mime-version:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1783245477; x= 1783331877; bh=dI/etXVyu2wsbXILwL/qvmGMt56oVZfdcFmksIoKiYs=; b=R TbdYc334SY/ahdbhmjR8z2MKhMsVVrBSmBNJlw7AQnYwI/pdWhb7lcU56PL16pj+ C8RqIBRA5Aqmohz6dQnfuGHxJ0Ic7Xs2t6yO4Yk7l3A5YdAYKXb3FucbiKVNPHjj p5gNIIcbMW6HREtkAPYA6GHPOIOekii7NG6MIUGWCv8rxbgxIYQ5MDnidwqYuEku X7XXB89pSjvp7WqRri0LQ6EOzkm5ksNovvKw2NIHLnOEKx2mvvHz+8qkQxPefxcK o5JDuWOphAF8dgqQ4ITX6ng2dwaidKTVq44q6Z2DdtvblkINJWnVBHC+PP3CHV2b 9H9kWQD0RZZ+h90/nYeFQ==
X-ME-Sender: <xms:pSpKaqsCW6l8l4rzM1CXXzhAEdwFW43RBYhjjg8XqmK6WpRNacbEzQ> <xme:pSpKalVWZxJ8sCIuIHYCZer2liUuAFpyYyXpCiGaljj-_d6uczbtUcnsWJGdlREYJ MUym30BTeCTS80aIftkyQCuq0rKN9vaZ6XWwtpV0ZFltlYxS5kTdw>
X-ME-Received: <xmr:pSpKag3tnAJJ0zvJYmc5fUZt6rN4IavB8wjEObH4gUEP1q_mhJ8y6-oMpF2dfmsA-7A6sQ75R3pMTDT1Adslh-tkkHpo4hTD9_CE16Fz1jxn3yTDO_TNW9zzEo5UpQKnBUC60A>
X-ME-Proxy-Cause: dmFkZTFoBI+ZgiZffWRmafnbBPoszT6TU7r/ST0HBMjm+Aul+og97PlndHAXrzSXdO9B/1 SxN4HvTHJIIjhnHQHmdMAuU9R4gRgWS4QIa+LztOug5ONQTKLUqduHeMZcXypTN5eoOMIc C7Ydst0K4rVV2FPHCo1onXUx9jxtmxPFaP/7ctZZ1qC8Z8fCwh/SSfHYjF0Ayy+e1Kzonw CG0P0oS+X2Kq8d8wRMux25125dpfhKowosxM5s1WkZglaqnxrlvkbm262yywgyRnMzIkRa XYbI8vw3X6B3Hl1HdplTae71Bd34WhSpBRUFVsRHh6bY8um040dXesfX0f0u9A94kJZHif G7UOkLjVotzJZioWMLBbaizG+0cmstOCzPBRZaURb0VKARMt8zBXcn3cNI3uvMUW3ect1e bZ8TebNTJEd+uwDKFMXiHjaYemaDnk++XwzVfR53V8u/StNBLz0Sn/rOUi77JJ/Lv10vxz 3obIDKiqktQ5V3+ggNpAaIAtconBlaZSDnjOIWYnxixeVGpYPXowwu/Kg7P8fNFvTDcTd2 BxyLg00UOONhdfqzezUEa871zvS41UcBBCyxCQVkx6567U/fFq/8BX4rg6vv3t81/tl8Ea NBzQqlOuis+eG+yHMuvm2iDDT3SIG55jna3J/Cb+zCkvvn8RCyTvHboq46mw
X-ME-Proxy: <xmx:pSpKaiCxZo5mIg6ktVSviA1KAieUjW-nOQ4ZCcPjDsGw9Mk4ZjeCSA> <xmx:pSpKauiVfmpGVp4bJqXnRt2AOGTjqUU59n2APon6hWRW_Wc3ztXxgg> <xmx:pSpKau_E6dzC8Z6d7Agls9uKiwtCCBGGVUZwD_jZD1hbKqMn3YMWCw> <xmx:pSpKai-J8IXQxYu8O4n-DlJa982N3EvHhAGc32Mk7t2OBFloXuW7Dg> <xmx:pSpKag2mAghfSgxkw7kqPWFkhGiZ-UCGZo8WfG6ZqfjSGkqRQ7zF__Yo>
Feedback-ID: i1c3946f2:Fastmail
Message-Id: <1783245477.865381.176EF159@outbound.messagingengine.com>
Received: by mail.messagingengine.com (Postfix) with ESMTPA for <oauth@ietf.org>; Sun, 5 Jul 2026 05:57:57 -0400 (EDT)
Content-Type: multipart/alternative; boundary="===============5289526471147787130=="
MIME-Version: 1.0
From: Repository Activity Summary Bot <do_not_reply@mnot.net>
To: oauth@ietf.org
Date: Sun, 05 Jul 2026 02:57:58 -0700
Message-ID-Hash: KHFF3GIJB2FOSWKGETYE6ONIZAXR44C5
X-Message-ID-Hash: KHFF3GIJB2FOSWKGETYE6ONIZAXR44C5
X-MailFrom: do_not_reply@mnot.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Weekly github digest (OAuth Activity Summary)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8dm7ZWZmAfK5tUCBh2s3EChU7hE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Events without label "editorial"
Issues
------
* oauth-wg/oauth-transaction-tokens (+0/-0/π¬2)
2 issues received 2 new comments:
- #357 Β§14.6 Scope Processing: behavior undefined when subject_token has no `scope` claim (1 by Dhruvagnihotri)
https://github.com/oauth-wg/oauth-transaction-tokens/issues/357
- #351 Using RFC 9396's authorization_details as a claim and for request_context (1 by sdatspun2)
https://github.com/oauth-wg/oauth-transaction-tokens/issues/351
* oauth-wg/oauth-sd-jwt-vc (+1/-7/π¬11)
1 issues created:
- SD-JWT is not only a superset of JWT (by awoie)
https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/417
6 issues received 11 new comments:
- #417 SD-JWT is not only a superset of JWT (6 by adeinega, awoie, bc-pi)
https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/417
- #413 Editorial: clarify how path processing relates to claim metadata (1 by awoie)
https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/413
- #412 Editorial: move vct#integrity definition from 5.3.1 to 5.3 (1 by awoie)
https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/412
- #411 Define behaviour when wallet needs to resolve/process type metadata (1 by awoie)
https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/411
- #410 Define behaviour when the wallet needs to process the path (1 by awoie)
https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/410
- #409 Define behaviour for the wallet if `sd` in claims metadata does not correspond to `_sd` and Disclosures (1 by awoie)
https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/409
7 issues closed:
- Define behaviour for the wallet if `sd` in claims metadata does not correspond to `_sd` and Disclosures https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/409
- Define behaviour when the wallet needs to process the path https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/410
- Define behaviour when wallet needs to resolve/process type metadata https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/411
- Editorial: move vct#integrity definition from 5.3.1 to 5.3 https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/412
- Editorial: clarify how path processing relates to claim metadata https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/413
- SD-JWT is not only a superset of JWT https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/417
- Define behaviour of the wallet when claims metadata is malformed https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/408
* oauth-wg/draft-ietf-oauth-attestation-based-client-auth (+1/-3/π¬1)
1 issues created:
- Allow other PoP mechanisms to be used (by c2bo)
https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/204
1 issues received 1 new comments:
- #200 Draft 9 - Relationship with rfc7521 (1 by c2bo)
https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/200
3 issues closed:
- Interim Feedback: Add more explanation/requirements on Client Attester https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/196 [ready-for-pr]
- Further implementer guidance on Client Instance Attestations https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/107 [pending-close] [discuss]
- Draft9 - Clarification on DPoP Combined Mode and `dpop_jkt` https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/199 [ready-for-pr]
* oauth-wg/oauth-identity-assertion-authz-grant (+0/-0/π¬2)
1 issues received 2 new comments:
- #73 Proposal: Workload/Agent Identity SSO and Explicit Delegated βOn-Behalf-Ofβ Access (2 by kennethsinder, mcguinness)
https://github.com/oauth-wg/oauth-identity-assertion-authz-grant/issues/73
* oauth-wg/oauth-first-party-apps (+1/-5/π¬3)
1 issues created:
- add `redirect_uri` as a parameter (by aaronpk)
https://github.com/oauth-wg/oauth-first-party-apps/issues/179
2 issues received 3 new comments:
- #177 Differentiate actual errors from insufficient authorization by Status Code (2 by aaronpk)
https://github.com/oauth-wg/oauth-first-party-apps/issues/177
- #134 Collect things that would need to happen to use the PAR endpoint (1 by aaronpk)
https://github.com/oauth-wg/oauth-first-party-apps/issues/134
5 issues closed:
- auth_session binds to a client instance, not a client? https://github.com/oauth-wg/oauth-first-party-apps/issues/175
- Collect things that would need to happen to use the PAR endpoint https://github.com/oauth-wg/oauth-first-party-apps/issues/134
- example is missing request 'response_type' parameter https://github.com/oauth-wg/oauth-first-party-apps/issues/172
- auth_session reuse https://github.com/oauth-wg/oauth-first-party-apps/issues/174
- possible mixup attack https://github.com/oauth-wg/oauth-first-party-apps/issues/176
* oauth-wg/draft-ietf-oauth-client-id-metadata-document (+2/-2/π¬2)
2 issues created:
- Disallow the root path `/` as a CIMD URL (by aaronpk)
https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/issues/86 [ietf-126]
- Be more prescriptive about how the AS should return errors (by aaronpk)
https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/issues/85
2 issues received 2 new comments:
- #85 Be more prescriptive about how the AS should return errors (1 by ThisIsMissEm)
https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/issues/85
- #82 Add guidance for pattern-based Client ID Metadata Document URL admission policies (1 by aaronpk)
https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/issues/82
2 issues closed:
- Review from Justin Richer https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/issues/79
- Are SSRF checks when AS is running on loopback needed for URLs *within* CIMDs? https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/issues/73
Pull requests
-------------
* oauth-wg/oauth-transaction-tokens (+3/-0/π¬1)
3 pull requests submitted:
- (by tulshi)
- (by PieterKas)
- (by PieterKas)
1 pull requests received 1 new comments:
- #360 Clarified req_wl value (1 by PieterKas)
https://github.com/oauth-wg/oauth-transaction-tokens/pull/360
* oauth-wg/oauth-sd-jwt-vc (+0/-0/π¬1)
1 pull requests received 1 new comments:
- #416 Fixes #408, #409, #410, #411, #412, #413, #417 (1 by danielfett)
https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/416
* oauth-wg/draft-ietf-oauth-attestation-based-client-auth (+3/-0/π¬2)
3 pull requests submitted:
- (by c2bo)
- (by c2bo)
- (by c2bo)
2 pull requests received 2 new comments:
- #186 Adds an example generation script (1 by c2bo)
https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/186
- #149 OAuth 2 artefact binding (1 by c2bo)
https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/149
* oauth-wg/oauth-identity-assertion-authz-grant (+0/-0/π¬1)
1 pull requests received 1 new comments:
- #108 Add guidance on RAS-specific and private claims in the ID-JAG (1 by aaronpk)
https://github.com/oauth-wg/oauth-identity-assertion-authz-grant/pull/108
* oauth-wg/draft-ietf-oauth-client-id-metadata-document (+1/-0/π¬3)
1 pull requests submitted:
- (by aaronpk)
3 pull requests received 3 new comments:
- #84 incorporate feedback from Justin Richer's review (1 by aaronpk)
https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/pull/84
- #63 require sending Accept header when fetching metadata (1 by aaronpk)
https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/pull/63 [ietf-126]
- #50 Restrict URI properties to absolute URIs using the https: scheme (1 by aaronpk)
https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/pull/50
Repositories tracked by this digest:
-----------------------------------
* https://github.com/oauth-wg/oauth-browser-based-apps
* https://github.com/oauth-wg/oauth-identity-chaining
* https://github.com/oauth-wg/oauth-transaction-tokens
* https://github.com/oauth-wg/oauth-sd-jwt-vc
* https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata
* https://github.com/oauth-wg/oauth-cross-device-security
* https://github.com/oauth-wg/oauth-selective-disclosure-jwt
* https://github.com/oauth-wg/oauth-v2-1
* https://github.com/oauth-wg/draft-ietf-oauth-status-list
* https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth
* https://github.com/oauth-wg/oauth-identity-assertion-authz-grant
* https://github.com/oauth-wg/draft-ietf-oauth-rfc8725bis
* https://github.com/oauth-wg/draft-ietf-oauth-rfc7523bis
* https://github.com/oauth-wg/oauth-first-party-apps
* https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document
--
To have a summary like this sent to your list, see: https://github.com/ietf-github-services/activity-summary
- [OAUTH-WG] Weekly github digest (OAuth Activity S⦠Repository Activity Summary Bot