[OAUTH-WG] Re: Shepherd Review - OAuth Identity and Authorization Chaining Across Domains
Brian Campbell <bcampbell@pingidentity.com> Fri, 06 February 2026 17:49 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 702B4B2FA8F5 for <oauth@mail2.ietf.org>; Fri, 6 Feb 2026 09:49:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2m5eyD5VXFzz for <oauth@mail2.ietf.org>; Fri, 6 Feb 2026 09:49:23 -0800 (PST)
Received: from mail-vs1-xe2c.google.com (mail-vs1-xe2c.google.com [IPv6:2607:f8b0:4864:20::e2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id B9DF4B2FA8EC for <oauth@ietf.org>; Fri, 6 Feb 2026 09:49:23 -0800 (PST)
Received: by mail-vs1-xe2c.google.com with SMTP id ada2fe7eead31-5faddf6db62so1301808137.0 for <oauth@ietf.org>; Fri, 06 Feb 2026 09:49:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1770400157; cv=none; d=google.com; s=arc-20240605; b=Dq5GHhmushKhbRmbJsjFMlpYFbAfdFpNvab3ch4jWSc8tKuoVl85S05utMtkGvUzv+ uUgjh4Nks+baxu4tlSXnGSSeZ6RpEsr/UikWtg63MRvnc5w7oM+AUQF/7tMcxX8hkLHt Frq+tczH5kINRta7x1aCesOz//QXAfTU4v19Lyf3Z2K+O0vQ9MhP38etq/Ivu9Nvtmqr Gh0sBGZlXjn3iAh0FbO3MAgKHzOwtnq3RSfBUxqIHlsNuoko2TUBjKWMi/sB8nj7tTYj 7eWfkSuIngetkRQsA8xiA6zQT6tRtwf3TgPFVvj+lfElcptxLIG6yQbGbiVGFKiKbll3 dKAw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=1HoM+boYZVwIlFKacbzW7brf6jFCv6bY5o/DIN1B530=; fh=b7oDB13V7isyUpE40UxHH21Zvi4/vGP/dT0hAEuZDwQ=; b=SlaaIt05Xg8nJnMvQd1gUtq3IhiLfCLGGQ2DdUb7jhThjVLvzgIY8ywv7/TSvhQ5V6 ENuUz7M2zOk7g3Sar7i8luOgae0QjBA35OPHatiuQ4/0gSqzNsG/CVc401e+NcNAT5A8 Ruwoji+7PiMDrGSaD+BygbZwJb1kUWcjWmMeiuu16hEMPjFpy4KUIDOck0pJBMX7dTXm 90KmUs4ewQBAtfJJyZXO9ymaNLl5iR7e3FzseFCPfrnBnjGgn/vEh3K4/fkj4cH5+kq5 0ZO1mSB9WB7mZX9dY3RA3C0lN5XIXkMWziCBKuTpJKihhz1fidh/27HS8OLvIOI3OO9b y/vg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1770400157; x=1771004957; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=1HoM+boYZVwIlFKacbzW7brf6jFCv6bY5o/DIN1B530=; b=KfaiLA7q0ZMEkNbz7mbrZjGO28FPHW1WJdaeYS00N0rK7nydb4ntysdy9rmhcth+VS 7sAVpw86cb+PQMSknQLWwvT31P4ifvjvgFtQ/rPG2akrDlKwjkAhCM0Pn45dmGvZTFXn s8E3PelePYVyoh+HgPQEVSXVNIrb/1Hv2s+z61o2CSJJ4YLt1IW8gWSpLE5LeuySZpmf CbUttTfh55OXWzQ4ETRA5m1RqCRzTVuymfDeyl/zto4WHBnyppzIj6KG8efz/iOxgtGU Q79hDtCcuR0CXOvh5X4BHA/uvzFSMkP6qfAMzmK8kiwQ5+4pAI3oerOrnkUH78lsDS0a Letw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770400157; x=1771004957; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=1HoM+boYZVwIlFKacbzW7brf6jFCv6bY5o/DIN1B530=; b=OzMTJ7cZYeJBj/yY84nx2wwzeoZHKf5T0uF1QU1yXVA6rsqd7CI2cUlzC5iLjLCGkI 51eHrjlkurWwg3jqYBCUzQaydGnrnM1L8QHmjxsOoHFZksI/6LnhkWElZDlbyM1K64eY MdmVKn3iWKpwUHXRN7EiQ7GzDbaWY6XNMFjsnpzlsBI1e8zMlVbcwhjR9S/nS56wMlPh T6I3DtNtmOU3RchP/q/yvEBPzxwKBtFi9zGHNmTAs12EAQQToEmR3j6fsYGSw+8xnqSh EPVs1r8EUQL61r43ZRH7kVTlfZDLbagXdx8Kx6eWeInjJ/gsDVX14EjTK8+7pN3CriOc TEqw==
X-Gm-Message-State: AOJu0YyDxrD6xocyU4wHTCKaDNEDPqO/1Z0lkaoNfRpqMm/fCJgB/V21 +UCgLAvSkmVXldWyV0khI8Er8BWtk5004QZqxX33LD9SzpWLBClfmF+jKTA710FwKZ54cne3ir3 3x9QyVyA6WDJe8WoKD+gzbQbckUQPlfxf35Ar2vMlLz47YXLcYWRwhcpgr527yBzTDmkJKAqn/y izQNzRqOErvALpHse3xxxrh1+icwi55w==
X-Gm-Gg: AZuq6aLhrWzPHt/l9nfcgR4F4qGev50NknTUVL4hqL0Zc9/4CrVE72vyq8In+T2BosB utXkSJ969jNnXjgTUAHaJ6oeissO5tVWw0X/0l7HekY3wJiTbRdBuTmYQL2c/Fp3oiKNlobQEM8 hBPAiwdKUUNDHCtFjDTvYOceSrg7PXBlwklKGSyglXtFKdYmay6cR/UTn9UyBqfP3o+XQvZjiHp SLRd9iKRLKVy0jw/Q/BH2hmpLRutNwT1mmfibqkP+/vp1Y/80VDemupUp+QMY347DBQ2Z8UtAfh 2l2duTc=
X-Received: by 2002:a05:6102:54a8:b0:5db:cec7:810b with SMTP id ada2fe7eead31-5fae8bfaa8cmr1054751137.29.1770400156981; Fri, 06 Feb 2026 09:49:16 -0800 (PST)
MIME-Version: 1.0
References: <CADNypP-PTh=duUD0uLKr7jvxUXeGSuTufZQYRpfJVe7AaH2G6A@mail.gmail.com> <CA+k3eCTdCpqC1DKyDYyC3XwHj=nVo_YiyAw9O0kSZoFN3ZFqTg@mail.gmail.com>
In-Reply-To: <CA+k3eCTdCpqC1DKyDYyC3XwHj=nVo_YiyAw9O0kSZoFN3ZFqTg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 06 Feb 2026 10:48:50 -0700
X-Gm-Features: AZwV_Qg6BMSJbJoQn6tqwbyvRlhVqK2HkG0Oi7BSKqSMNx6P85RaCsL6eqso5t0
Message-ID: <CA+k3eCRMUm55Bec3UmLOA2DGji3JgNR6Kt77BKMb8+yD89dKSA@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000077b8d1064a2b6869"
Message-ID-Hash: D6NHPY3M4MXNSB3QZKBQ462TLJ2MU6EH
X-Message-ID-Hash: D6NHPY3M4MXNSB3QZKBQ462TLJ2MU6EH
X-MailFrom: bcampbell@pingidentity.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Shepherd Review - OAuth Identity and Authorization Chaining Across Domains
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IDixBENKnljgIc_SSl4-8gD_9gA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
And -07 is out with those updates https://mailarchive.ietf.org/arch/msg/oauth/ru9IXKjK79ng3MbZ1vnKYVVF_CE/ On Fri, Feb 6, 2026 at 7:02 AM Brian Campbell <bcampbell@pingidentity.com> wrote: > Thanks Rifaat and apologies on behalf of the editorial team for being > somewhat slow to get to this. Attempts at responding to individual items > are inline below. And this PR > https://github.com/oauth-wg/oauth-identity-chaining/pull/176 is > collecting the resultant changes, which I hope to go over with folks > tomorrow er... today in like an hour in an informal semi-recurring call > with some of the editors and interested parties. > > > On Thu, Jan 29, 2026 at 6:36 AM Rifaat Shekh-Yusef < > rifaat.s.ietf@gmail.com> wrote: > >> All, >> >> As the shepherd for this document, I have reviewed the latest version of >> the draft >> https://www.ietf.org/archive/id/draft-ietf-oauth-identity-chaining-06.html >> >> I have the following comments/questions: >> >> Section 2.1 >> >> It would be great if a sentence or two are added to explain why the >> initial interaction in domain A is limited to token exchange. >> > > The idea makes sense in my head but writing the words proved more > difficult. This is what I managed: > > https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/45d233f4cc8b07c7d3c5a22dcf3e683688c70bb7 as > part of the PR > > >> >> >> Section 2.1, bullet (C) >> >> where domain B's authorization server trusts the public key(s) of domain >>> A to sign JWT authorization grants >> >> >> I think I understand what this sentence is trying to say, but I think it >> needs to be reworded, because you cannot use public keys to sign a JWT. >> > > Yep: > https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/3c9f90442aacf5b8fba794d7b455ff22191582df > > > > >> >> >> Section 2.3.2, first bullet >> >> It would be great if you can add a reference to a document that >> explicitly defines which error code would be used to deny the request. >> > > > Yep, > https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/09b2edd2794416573dea91ea6d02e00a480623f7 > > > >> >> >> Section 2.4.1, 3rd bullet >> >> You might want to add some text to explain ‘scope’ >> > > That's embarrassing. I took a little different approach to fixing it > though: > https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/463c0bb9a892fc3f0703abdd12071e0e7c8f9aa5 > > > >> >> >> Section 2.4.2, second bullet >> >> It would be great if you can add a reference to a document that >> explicitly defines which error code would be used to deny the request. >> > > Yup, > https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/3eff55a90f8daf5138f65dba46b149f93b9083b8 > > >> >> >> Section 2.5, last bullet >> >> The populated claims SHOULD be namespaced or validated to prevent the >>> injection of invalid claims. >> >> >> Can you elaborate on this sentence? >> > > Honestly, I don't know what that means nor am I able to discern what might > have been intended. So going with > https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/7df2b2f5ceeda1cb713dbfb1efa63cafbe057951 > on this > > >> >> >> Section 3 >> >> Authorization servers MAY choose not to advertise some supported >>> requested token types… >> >> >> What would be the reasons for doing this? >> > > Information disclosure concerns maybe? Going with that: > https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/4f00cea01e18b7b9262f4fe82a8ab1b563f81787 > > >> >> >> Section 5.1 and 5..2 >> >> Why is the use of SHOULD instead of MUST? >> > > attempt to qaulify things there with > https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/d0f8b70e335d76172cfd22cf7aa4ba2f8102f798 > and > https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/ace14363b0d9e52c9e9a619a6ce00487aedaf3f7 > > >> >> >> Section 5.3 >> >> The authorization server in trust domain A SHOULD perform client >>> authentication >> >> >> You might want to elaborate on why this is a SHOULD and not a MUST, to >> make sure the implementer understands in which cases this is possible and >> which is not. >> > > yep, tried to do that in > https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/3269e141bda313f3a03777c50ded1316f9f06bc7 > > > > >> >> Section 5.4 >> >> The authorization server in trust domain B SHOULD NOT issue refresh >>> tokens to the client within the scope of this specification. >> >> >> Are there use cases where the AS can issue refresh tokens? If yes, then >> maybe provide an example, if no, then maybe this should be a MUST NOT? >> > > I think I'd prefer a MUST NOT here but back in the development of RFCs > 7521/7522/7523 there was enough resistance to that prohibition that it is > kind of discouraged but not disallowed. Going further here seemed like too > much. But maybe? Anyway, I tried to explain it a bit with > https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/7e57b8115d0f75c26dc4a63b89dd7a7fc7752b4a > > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Shepherd Review - OAuth Identity and A… Rifaat Shekh-Yusef
- [OAUTH-WG] Re: Shepherd Review - OAuth Identity a… Brian Campbell
- [OAUTH-WG] Re: Shepherd Review - OAuth Identity a… Brian Campbell