[OAUTH-WG] Weekly github digest (OAuth Activity Summary)

Repository Activity Summary Bot <do_not_reply@mnot.net> Sun, 14 September 2025 07:40 UTC

Return-Path: <do_not_reply@mnot.net>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 010596268DB1 for <oauth@mail2.ietf.org>; Sun, 14 Sep 2025 00:40:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.397
X-Spam-Level:
X-Spam-Status: No, score=-2.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=mnot.net header.b="aGSOkkWh"; dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=messagingengine.com header.b="RQNMB+5a"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id maytk7z0HzVi for <oauth@mail2.ietf.org>; Sun, 14 Sep 2025 00:40:58 -0700 (PDT)
Received: from fhigh-b5-smtp.messagingengine.com (fhigh-b5-smtp.messagingengine.com [202.12.124.156]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 5EFA8626814B for <oauth@ietf.org>; Sun, 14 Sep 2025 00:40:11 -0700 (PDT)
Received: from phl-compute-02.internal (phl-compute-02.internal [10.202.2.42]) by mailfhigh.stl.internal (Postfix) with ESMTP id 1313D7A009B for <oauth@ietf.org>; Sun, 14 Sep 2025 03:40:11 -0400 (EDT)
Received: from phl-mailfrontend-02 ([10.202.2.163]) by phl-compute-02.internal (MEProxy); Sun, 14 Sep 2025 03:40:11 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h=cc :content-type:content-type:date:from:from:in-reply-to:message-id :mime-version:reply-to:subject:subject:to:to; s=fm2; t= 1757835610; x=1757922010; bh=DMJXKhnrkXwb+vjKtdk1Mju92mT3ebvDeaP 7c8YM7bE=; b=aGSOkkWhHd1Vp0faJpJLCQJtUlZaM79f8V1aEClIAoeNKoFR29N lF8MB8nShyn438Nh9kNaOTVbl4e/EvVnhO4cg7GD4X9zdLQUhBLmDvz9WhLMPhHP mpdLRaEGMKHWEZ46pYYGouZAwmf2V/2ma5tQr7H9jdKGIywlKj+BQg8it1qK6qfV /5XT0kxbzihSN//j1NalH8eWT2Am/H4RjsfA50G9iE5qBQFOAC5TibjgmJlypUTD SiNTE/XyTAAYhXvnD3vaPCP2OY8hkIeK8wjbeWxre0RGwWAAQap/oSyk0Wo6dHCB AsX+UZfTDWOnM7VSwKnhIR3TojShIsmJhew==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date :feedback-id:feedback-id:from:from:in-reply-to:message-id :mime-version:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1757835610; x= 1757922010; bh=DMJXKhnrkXwb+vjKtdk1Mju92mT3ebvDeaP7c8YM7bE=; b=R QNMB+5aS0PXShikdZMEDm7NuUqDkev5LRLDf0Z8aO8v6o8ZoBtsanPYtFV+X/tnk 4PHSJC0/0QUQU0SOkThvnq8zIXgFl3lUGJG9SvXt9aM8nwkTxHmtngQorPHSZsCv Wu+ht9/EOXaiYIiYTVyYWD0zElSscQW+kCinnJnPhjkzwkt4X0CePgERh0uSQoCU 0dfZqS7nGE8+2ImPXZZ7HeCnFdiYBXcl30WT++ilmHCfb3UBgyW2vDJwRhQ5R/VE euYxDosT2XUDklKiSpxQ289KjSLTADMEFmx0MnNOhSvvcP7Tlo+L5RQPS8KEMWq9 XTi2zVloNimvDhHSMVHjg==
X-ME-Sender: <xms:WnHGaBVzsCr5P8ZTrM5V9dY5oCHtmYF4o8HrxPh8EZZPVyI3soD3vQ> <xme:WnHGaM2qkgobM3xxE_NU8lakKoL3ukEZmIFwVvuiYZIU6lGy_HB3iPdizJWZ78rEP CTg6jreJFTiRC2JZA>
X-ME-Received: <xmr:WnHGaOD7gif7wyKqUzfby-C9hAM4AcN5IQoftFCGgzDgylzrdvsPpEf1fPcQ_QiCVhX9pq9E4LOwXuZ2WQRibT9ReriCo6KAxx9keU0HPd6U9y3Ztko73TQiA3m0c-OlsVQ7rA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdeggdefgedvgecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpuffrtefokffrpgfnqfghnecuuegr ihhlohhuthemuceftddtnecupfhoucgurghtvgcufhhivghlugculdegledmnecujfgurh eptggghffvufesrgdttdertddtjeenucfhrhhomheptfgvphhoshhithhorhihucettght ihhvihhthicuufhumhhmrghrhicuuehothcuoeguohgpnhhothgprhgvphhlhiesmhhnoh htrdhnvghtqeenucggtffrrghtthgvrhhnpeekfedvudetjedvfeekheeiveeugfefhfet teevgeffkefffeetffdvleehudeiteenucffohhmrghinhepghhithhhuhgsrdgtohhmne cuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepughopghn ohhtpghrvghplhihsehmnhhothdrnhgvthdpnhgspghrtghpthhtohepuddpmhhouggvpe hsmhhtphhouhhtpdhrtghpthhtohepohgruhhthhesihgvthhfrdhorhhg
X-ME-Proxy: <xmx:WnHGaKjpsm9S7ZPNs1nYBJtvnpBWsJO4epPVBe8vX1k6jHRsVMJs0A> <xmx:WnHGaK_tb8yO1cVJgTeEcakB2sN_p06cJlxlYToViNQKPvd-Wsf1cw> <xmx:WnHGaO9irBv_6V58PwnqUIpMAidyyJ34c2hY7S2L-0AnNwvAYL9s_A> <xmx:WnHGaLDGR-E5A9TAly7hhD8UWp0ojxxhwCMt0GI8ITao8LvR65L-Iw> <xmx:WnHGaHNdoiZDOdxsItVM4mmSVYUfzklBHx30dnmRVIDa2YwY4IjA8ccY>
Feedback-ID: i1c3946f2:Fastmail
Message-Id: <1757835610.432473.507712E6@outbound.messagingengine.com>
Received: by mail.messagingengine.com (Postfix) with ESMTPA for <oauth@ietf.org>; Sun, 14 Sep 2025 03:40:10 -0400 (EDT)
Content-Type: multipart/alternative; boundary="===============8871853877758814139=="
MIME-Version: 1.0
From: Repository Activity Summary Bot <do_not_reply@mnot.net>
To: oauth@ietf.org
Date: Sun, 14 Sep 2025 00:40:11 -0700
Message-ID-Hash: GQVFJ4ONUOUU4QU5OZK4YZW2N6F2TRGJ
X-Message-ID-Hash: GQVFJ4ONUOUU4QU5OZK4YZW2N6F2TRGJ
X-MailFrom: do_not_reply@mnot.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Weekly github digest (OAuth Activity Summary)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/G0rFK8ALTR9iHOb1dNsMG6gtKxg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>



Events without label "editorial"

Issues
------
* oauth-wg/oauth-identity-chaining (+0/-3/šŸ’¬3)
  3 issues received 3 new comments:
  - #146 Improve examples in the appendix (1 by bc-pi)
    https://github.com/oauth-wg/oauth-identity-chaining/issues/146 
  - #139 Updates to reflect changes to RFC7523 (jwt_privatekey attack) (1 by bc-pi)
    https://github.com/oauth-wg/oauth-identity-chaining/issues/139 
  - #120 OAuth client acting as a client (1 by bc-pi)
    https://github.com/oauth-wg/oauth-identity-chaining/issues/120 

  3 issues closed:
  - Required `requested_token_type` parameter https://github.com/oauth-wg/oauth-identity-chaining/issues/111 
  - WGLC (2 of ?): claims/token transcription/rewrite security https://github.com/oauth-wg/oauth-identity-chaining/issues/170 
  - WGLC (1 of ?): trust relationship realization https://github.com/oauth-wg/oauth-identity-chaining/issues/169 

* oauth-wg/oauth-transaction-tokens (+0/-0/šŸ’¬14)
  10 issues received 14 new comments:
  - #232 Need consistent normative language for txn claim (1 by PieterKas)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/232 [WGLC Feedback] 
  - #231 Describe parameter use (1 by PieterKas)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/231 [WGLC Feedback] 
  - #230 Clarify "JWT Representation" (1 by PieterKas)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/230 [WGLC Feedback] 
  - #229 Consider "Authorization surface" (1 by PieterKas)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/229 [WGLC Feedback] 
  - #228 Clarify claim usage (1 by PieterKas)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/228 [WGLC Feedback] 
  - #222 Should tctx field be a MUST (1 by ashayraut)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/222 [WGLC Feedback] 
  - #217 Transaction token Lifetime extension (1 by ashayraut)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/217 [WGLC Feedback] 
  - #194 Reconsider 'purp' claim scope (4 by PieterKas, bc-pi, dagdagdag83)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/194 [WGLC Feedback] 
  - #193 Rationale for 'txn' being REQUIRED (2 by ashayraut, bc-pi)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/193 [WGLC Feedback] 
  - #191 Exception for self-signed JWTs (1 by jsalowey)
    https://github.com/oauth-wg/oauth-transaction-tokens/issues/191 [WGLC Feedback] 

* oauth-wg/oauth-sd-jwt-vc (+1/-0/šŸ’¬7)
  1 issues created:
  - StringOrURI should probably not be used (by bc-pi)
    https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/343 

  3 issues received 7 new comments:
  - #343 StringOrURI should probably not be used (3 by adeinega, bc-pi)
    https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/343 
  - #342 Remove JSON schema from Type Metadata (1 by bc-pi)
    https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/342 
  - #247 Potential Privacy implications of verifier knowing display information (3 by bc-pi, cre8)
    https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/247 [pending close] [blocked] 

* oauth-wg/draft-ietf-oauth-attestation-based-client-auth (+0/-3/šŸ’¬0)
  3 issues closed:
  - Allow MAC as signature algorithms? https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/130 
  - Add option without PoP but with ad-hoc client attetation and nonce https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/111 [ready-for-pr] 
  - Client Attestation HTTP Headers https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/118 [discuss] 

* oauth-wg/oauth-identity-assertion-authz-grant (+3/-0/šŸ’¬6)
  3 issues created:
  - Clarify that IdP client can be mapped via ID-JAG to AS specific client (by mcguinness)
    https://github.com/oauth-wg/oauth-identity-assertion-authz-grant/issues/45 
  - Include more examples of claims in the id-jag (by meghnadubey)
    https://github.com/oauth-wg/oauth-identity-assertion-authz-grant/issues/43 
  - IdP metadata recommendation (by meghnadubey)
    https://github.com/aaronpk/draft-parecki-oauth-identity-assertion-authz-grant/issues/38 

  4 issues received 6 new comments:
  - #45 Clarify that IdP client can be mapped via ID-JAG to AS specific client (3 by mcguinness, meghnadubey)
    https://github.com/oauth-wg/oauth-identity-assertion-authz-grant/issues/45 
  - #41 Clarify ID-JAG is a typed profile of JWT Assertion Grant (1 by meghnadubey)
    https://github.com/oauth-wg/oauth-identity-assertion-authz-grant/issues/41 
  - #40 Editorial cleanup to make clear interaction and role of the AS for the Resource App (1 by meghnadubey)
    https://github.com/oauth-wg/oauth-identity-assertion-authz-grant/issues/40 
  - #39 Adopt Tenant Claim from OpenID Enterprise Extensions for ID-JAG (1 by meghnadubey)
    https://github.com/oauth-wg/oauth-identity-assertion-authz-grant/issues/39 

* oauth-wg/draft-ietf-oauth-rfc8725bis (+0/-1/šŸ’¬1)
  1 issues received 1 new comments:
  - #19 Representation of time values to void the 2038 bug (1 by selfissued)
    https://github.com/oauth-wg/draft-ietf-oauth-rfc8725bis/issues/19 

  1 issues closed:
  - Markdown magic https://github.com/oauth-wg/draft-ietf-oauth-rfc8725bis/issues/20 



Pull requests
-------------
* oauth-wg/oauth-identity-chaining (+2/-1/šŸ’¬0)
  2 pull requests submitted:
  - six seven (by bc-pi)
    https://github.com/oauth-wg/oauth-identity-chaining/pull/173 
  - six seven (by bc-pi)
    https://github.com/oauth-wg/oauth-identity-chaining/pull/172 

  1 pull requests merged:
  - prospective changes from WGLC reviews
    https://github.com/oauth-wg/oauth-identity-chaining/pull/171 

* oauth-wg/oauth-transaction-tokens (+4/-5/šŸ’¬2)
  4 pull requests submitted:
  - Clarify "request_context" (by PieterKas)
    https://github.com/oauth-wg/oauth-transaction-tokens/pull/247 
  - Remove "surface" to describe extend of authorization (by PieterKas)
    https://github.com/oauth-wg/oauth-transaction-tokens/pull/246 
  - Delete "represenntation" (by PieterKas)
    https://github.com/oauth-wg/oauth-transaction-tokens/pull/245 
  - considerations for internal requests (by jsalowey)
    https://github.com/oauth-wg/oauth-transaction-tokens/pull/244 

  2 pull requests received 2 new comments:
  - #240 added internal flow (1 by jsalowey)
    https://github.com/oauth-wg/oauth-transaction-tokens/pull/240 
  - #239 Clarify authentication requriements (1 by PieterKas)
    https://github.com/oauth-wg/oauth-transaction-tokens/pull/239 

  5 pull requests merged:
  - Multiple TTS Instances
    https://github.com/oauth-wg/oauth-transaction-tokens/pull/242 
  - renamed microservice to workload
    https://github.com/oauth-wg/oauth-transaction-tokens/pull/185 
  - Delete draft-ietf-oauth-transaction-tokens-03.md
    https://github.com/oauth-wg/oauth-transaction-tokens/pull/187 
  - Delete "represenntation"
    https://github.com/oauth-wg/oauth-transaction-tokens/pull/245 
  - Remove "surface" to describe extend of authorization
    https://github.com/oauth-wg/oauth-transaction-tokens/pull/246 

* oauth-wg/oauth-sd-jwt-vc (+1/-0/šŸ’¬0)
  1 pull requests submitted:
  - Remove JSON schema from Type Metadata (by bc-pi)
    https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/345 

* oauth-wg/draft-ietf-oauth-attestation-based-client-auth (+2/-3/šŸ’¬7)
  2 pull requests submitted:
  - mandate header fields (by c2bo)
    https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/148 
  - add use_fresh_attestation error type (by c2bo)
    https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/147 

  3 pull requests received 7 new comments:
  - #147 add use_fresh_attestation error type (5 by c2bo, panva)
    https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/147 
  - #146 DPoP Optimisation (1 by paulbastian)
    https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/146 
  - #142 70 register as and client metadata for algorithm negotiation of attestations and pops (1 by paulbastian)
    https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/142 

  3 pull requests merged:
  - remove restrictions to not allow MAC-based algorithms
    https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/141 
  - add use_fresh_attestation error type
    https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/147 
  - mandate header fields
    https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/148 

* oauth-wg/draft-ietf-oauth-rfc8725bis (+0/-1/šŸ’¬0)
  1 pull requests merged:
  - Venue info and boilerplate directive
    https://github.com/oauth-wg/draft-ietf-oauth-rfc8725bis/pull/21 


Repositories tracked by this digest:
-----------------------------------
* https://github.com/oauth-wg/oauth-browser-based-apps
* https://github.com/oauth-wg/oauth-identity-chaining
* https://github.com/oauth-wg/oauth-transaction-tokens
* https://github.com/oauth-wg/oauth-sd-jwt-vc
* https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata
* https://github.com/oauth-wg/oauth-cross-device-security
* https://github.com/oauth-wg/oauth-selective-disclosure-jwt
* https://github.com/oauth-wg/oauth-v2-1
* https://github.com/oauth-wg/draft-ietf-oauth-status-list
* https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth
* https://github.com/oauth-wg/oauth-identity-assertion-authz-grant
* https://github.com/oauth-wg/draft-ietf-oauth-rfc8725bis
* https://github.com/oauth-wg/draft-ietf-oauth-rfc7523bis
* https://github.com/oauth-wg/oauth-first-party-apps


-- 
To have a summary like this sent to your list, see: https://github.com/ietf-github-services/activity-summary