[OAUTH-WG] Re: New Draft: OAuth 2.0 External Assertion Authorization Grant
"Lombardo, Jeff" <jeffsec@amazon.com> Fri, 03 October 2025 13:29 UTC
From: "Lombardo, Jeff" <jeffsec@amazon.com>
To: Jorge Turrado Ferrero <jorge_turrado@hotmail.es>
Date: Fri, 03 Oct 2025 13:29:19 +0000
CC: "draft-external-assertion-oauth-grant@ietf.org" <draft-external-assertion-oauth-grant@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bixdeBQestOZ4yhjIADL-g4AfLU>
Hi,

That was an interesting read, thanks. I have a few questions:

* When you said that:

  - In the jwt-bearer grant, the client presents a JWT it has signed, and the Authorization Server validates it using a public key that has been pre-registered or exchanged.
  - In the external-assertion grant, the JWT is issued by an external entity the AS already trusts (for example, a federated IdP). The AS validates it using that IdP's keys and trust configuration, not a per-client key exchange.

  It is not completely accurate against the latest of the drafts that already exist and are being evaluated by the working group, see https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/.

  In this draft (Figure 1), from my understanding, the authorization grant JWT is issued by a trusted 3rd party AS (domain A) to be used at the AS (domain B). This is highlighted in section 2.1 / (C):

  > This requires a trust relationship between the authorization servers in trust domain A and trust domain B (sometimes called federation, such a trust relationship typically manifests in the exchange of key material where domain B's authorization server trusts the public key(s) of domain A to sign JWT authorization grants).

  What would be the differences with the proposal here (introduction of a new grant type excluded)?

* I fully noted the:

  > If the request is valid and authorized, the AS issues an access token per Section 5.1 of [RFC6749]. A refresh token MUST NOT be issued for this grant type.

  But could this be worked out within https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/ directly?

Jeff

Jean-François "Jeff" Lombardo | Amazon Web Services
Principal Solution Architect, Security Specialist
Montréal, Canada

From: Jorge Turrado Ferrero <jorge_turrado@hotmail.es>
Sent: October 3, 2025 8:28 AM
To: oauth@ietf.org
Cc: draft-external-assertion-oauth-grant@ietf.org; oauth@ietf.org
Subject: [EXT] [OAUTH-WG] New Draft: OAuth 2.0 External Assertion Authorization Grant

Hello,

We submitted https://datatracker.ietf.org/doc/draft-external-assertion-oauth-grant/

This draft introduces a new OAuth 2.0 authorization grant type, "urn:ietf:params:oauth:grant-type:external-assertion", that allows a client to obtain an access token from an Authorization Server by presenting a verifiable assertion issued by a trusted external Identity Provider.

The motivation is to support zero trust architectures in cloud and server farm environments, where workloads and applications often authenticate with different identity providers but must access shared resources under a common authorization server. Today, each deployment implements its own bespoke token exchange or local credential system, leading to fragmented approaches and operational overhead.

The External Assertion Grant standardizes this flow so that:

- Workloads can present a JWT assertion from a trusted external IdP.
- Authorization Servers can validate and transform it into a short-lived access token.
- Access can be consistently enforced without long-lived secrets or provider-specific hacks.

A key difference from the existing "urn:ietf:params:oauth:grant-type:jwt-bearer" grant is the trust model:

- In the jwt-bearer grant, the client presents a JWT it has signed, and the Authorization Server validates it using a public key that has been pre-registered or exchanged.
- In the external-assertion grant, the JWT is issued by an external entity the AS already trusts (for example, a federated IdP). The AS validates it using that IdP's keys and trust configuration, not a per-client key exchange.

This enables practical zero trust at scale: every request is authenticated and authorized based on verifiable, short-lived identity tokens, even when crossing trust boundaries between providers.

Feedback from the WG is very welcome on scope, validation requirements, and applicability to real-world multi-cloud and server farm scenarios.
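The token-endpoint behaviour the thread discusses (trust anchored in the AS's configuration of external issuers rather than a per-client key, a short-lived access token on success, and never a refresh token) as an added illustration; this is example code written for this page, not the draft's or any implementation's own. The issuer URL, AS endpoint and keys are constructed values, and an HS256 MAC from the standard library stands in for the IdP's real asymmetric signing key so the block runs offline.

```python
import base64, hashlib, hmac, json, secrets, time

GRANT = "urn:ietf:params:oauth:grant-type:external-assertion"
AS_TOKEN_ENDPOINT = "https://as.example/token"  # constructed value

# Trust configuration of the AS: external issuer -> verification key.
# Constructed values; a real AS would hold the IdP's public keys here.
TRUSTED_ISSUERS = {"https://idp.example": b"idp-signing-key-for-demo"}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_assertion(claims: dict, key: bytes) -> str:
    """What the external IdP does: mint a compact JWS over the claims."""
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

def verify_assertion(token: str, now: float) -> dict:
    """Validate against the issuer trust configuration; raise on any failure."""
    header, body, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust it
    claims = json.loads(_unb64(body))
    key = TRUSTED_ISSUERS.get(claims.get("iss"))  # trust comes from config
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    if claims.get("aud") != AS_TOKEN_ENDPOINT:
        raise ValueError("assertion not intended for this AS")
    if now >= claims.get("exp", 0):
        raise ValueError("assertion expired")
    return claims

def token_endpoint(form: dict, now=None) -> dict:
    """RFC 6749 style response; a refresh token is never issued for this grant."""
    now = time.time() if now is None else now
    if form.get("grant_type") != GRANT:
        return {"error": "unsupported_grant_type"}
    try:
        verify_assertion(form["assertion"], now)
    except (ValueError, KeyError):  # covers base64/JSON errors too
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer", "expires_in": 300}
```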