[OAUTH-WG] WG Review: Web Authorization Protocol (oauth)
The IESG <iesg-secretary@ietf.org> Thu, 21 May 2026 16:54 UTC
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from [10.244.11.249] (unknown [4.156.85.76]) by mail2.ietf.org (Postfix) with ESMTP id 929C6F29CBDF; Thu, 21 May 2026 09:54:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779382449; bh=PrIFfEKJFxJyQiyI7egsucKG6E/f/JIgML7qSYC3Io0=; h=From:To:Subject:Cc:Reply-To:Date; b=nVopJ1SeOPOEc2Io+dyiL7NUKV5zdcGN+I29B240rNMcdR1gJiHdl+PeZU2LKmPgj eNdkJFP5Y9F6qiQxHrs7BkDuedoxLjP4SRbmUe7ykVfQlEmffTj6U4yikB+E6TIvEx 8yckICXCM3zWM7UNDZi4JVB/qhw5IKcjZ3QNrpaI=
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 12.65.1
Auto-Submitted: auto-generated
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Message-ID: <177938244951.150010.12754957350784511059@dt-datatracker-6995bf6b4c-lv9zr>
Date: Thu, 21 May 2026 09:54:09 -0700
Message-ID-Hash: M5L37LUZJ6LPA34IL4XLZ3HAHXRYQHFD
X-Message-ID-Hash: M5L37LUZJ6LPA34IL4XLZ3HAHXRYQHFD
X-MailFrom: iesg-secretary@ietf.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org
X-Mailman-Version: 3.3.9rc6
Reply-To: iesg@ietf.org
Subject: [OAUTH-WG] WG Review: Web Authorization Protocol (oauth)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_FM29T8w8evDNLYv3I0OZST_JK8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
The Web Authorization Protocol (oauth) WG in the Security Area of the IETF is undergoing rechartering. The IESG has not made any determination yet. The following draft charter was submitted, and is provided for informational purposes only. Please send your comments to the IESG mailing list (iesg@ietf.org) by 2026-05-31. Web Authorization Protocol (oauth) ----------------------------------------------------------------------- Current status: Active WG Chairs: Hannes Tschofenig <Hannes.Tschofenig@gmx.net> Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Assigned Area Director: Deb Cooley <debcooley1@gmail.com> Security Area Directors: Deb Cooley <debcooley1@gmail.com> Christopher Inacio <stndrds-inacio@andrew.cmu.edu> Mailing list: Address: oauth@ietf.org To subscribe: https://www.ietf.org/mailman/listinfo/oauth Archive: https://mailarchive.ietf.org/arch/browse/oauth/ Group page: https://datatracker.ietf.org/group/oauth/ Charter: https://datatracker.ietf.org/doc/charter-ietf-oauth/ The Web Authorization (OAuth) protocol is a delegation protocol that allows users to grant third-party applications limited access to their resources without sharing their long-term credentials, or even their identity. For example, a photo-sharing site that supports OAuth could allow its users to use a third-party printing website to print their private pictures, without allowing the printing site to gain full control of the user's account and without requiring the user to share their long-term credentials with the printing site. As automated agents increasingly act on behalf of users, organizations, or both, these delegation patterns become increasingly involved and complex. The OAuth 2.0 protocol framework already includes: - A procedure for enabling a client to register with an authorization server. - A protocol for obtaining authorization tokens from an authorization server with the resource owner's consent. - Protocols for presenting these authorization tokens to protected resources for access. This framework has been enhanced with functionality for interworking with legacy identity infrastructure, token revocation, token exchange, dynamic client registration, token introspection, and standardized formats like JSON Web Token (JWT). It also includes specifications to mitigate security attacks, such as Proof Key for Code Exchange (PKCE), native app support, step-up authentication, and Demonstrating Proof of Possession (DPoP). ##Work Program The working group is now tackling these topics which will be published primarily as Standards Track or BCPs: - Consolidation: Finalizing OAuth 2.1 to consolidate the core framework and incorporate established security best practices into a single baseline. - Digital Credentials: Completing Selective Disclosure for JSON Web Tokens (SD-JWT), SD-JWT-based Verifiable Credentials (SD-JWT VC), and Token Status List (TSL) to support privacy-preserving attribute disclosure. - Complex Delegation: Developing new mechanisms or/and extensions for authorization of automated agents working on behalf of users, including addressing scenarios where automated agents act across multiple administrative domains. - First-Party Integration: Standardizing patterns for first-party applications to provide a secure, interoperable alternative to proprietary extensions. - Security Maintenance: Maintaining and updating Best Current Practices (BCPs) for browser-based and native applications to address evolving web security models. ##Coordination To ensure interoperability and avoid duplication of effort, the working group will coordinate with: - WIMSE (Workload Identity in Multi-System Environments): On the application of OAuth-based tokens (e.g., Token Exchange and DPoP) for service-to-service and multi-hop workload identities. - Secure Patterns for Internet CrEdentials (SPICE): on the application of SD-CWT and other CBOR related work. - EU Digital Identity Wallet: To ensure that SD-JWT and related credential formats remain compatible with broader architectural requirements for digital wallets and verifiable presentations. Milestones: Jul 2026 - Submit “SD-JWT-based Verifiable Digital Credentials (SD-JWT VC)” to the IESG Dec 2026 - Submit “OAuth 2.1 Authorization Framework’ to IESG Dec 2026 - Submit “Transaction Tokens” to the IESG