[OAUTH-WG] Re: Feedback Requested: Deferred Token Response

Max Gerber <mgerber@twilio.com> Wed, 24 June 2026 17:01 UTC

Return-Path: <mgerber@twilio.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 23E66106A232B for <oauth@mail2.ietf.org>; Wed, 24 Jun 2026 10:01:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1782320498; bh=d6h8rvbclDzczPswJelMY4BhwCohA9O5Kk18/5OKmwQ=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=msQPv1oErqzkg2ZAKGTsCpN8FLkdR+cTPxOLbDqbkF7A2OePkPa0Yz4iHrxNTjVNb I6IAA2oXeAZlCYbpK00DqjKlxFCrnkorm4kv/rkxKcuTVGra0UP6g3+twH1ZUj+NCf litfme7B6HFHoIjTUT738LQaw42VYmx5AExCNfI4=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=twilio.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id anJwVggaYvoC for <oauth@mail2.ietf.org>; Wed, 24 Jun 2026 10:01:36 -0700 (PDT)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id AAD2E106A2324 for <oauth@ietf.org>; Wed, 24 Jun 2026 10:01:36 -0700 (PDT)
Received: by mail-lf1-x136.google.com with SMTP id 2adb3069b0e04-5aa68cf9123so1389116e87.0 for <oauth@ietf.org>; Wed, 24 Jun 2026 10:01:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1782320495; cv=none; d=google.com; s=arc-20240605; b=UcZlnbdKLdcWzsD6rc3BqqY/gt5NU9hVUWEMt6MKMYvwacdvhPFrrF35funxoYf+cz u04WZvDe7wJJGl1GD0BRUYLi0V27umRFhcmRjiaae289rgsIvlaMs9e/dGf+BG3Xt++f wPmkKY3NzIsP2HHNnMhqPBc8sHpOS/jx4XHCcQEnftNGlH09Mvebgzufw0cZ9IrdkJSi 6jUGoSoMi9vEyRkAbGGnKGFQt6lN7kCRJRKxcePwDrXZ2Bo29aUXY6U3nHzC4PHl0EeH gYZ6uMsQx5dG3LqX4v7tF1AVwjmPsvvZA5tcM7gIphDV/tSjD4DBHUiGRs0HR+IH4tkI HRiA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=8SuSOBWUKpVqnlbW/ZpylvL8PGfEHx+/ppACFLcJQcE=; fh=N4OWNJrO+0DYJap/6WqYs65Wdm8vkoHYzgE9BAQNWmg=; b=Q6szxWI8I5bDWJzUsO15XQKa0rhSHbuGpZLOEheTgD6VzaMhJuvGwrN/HPubwbNSEw hUtb3dMcef1Tmo+jEXzn257F78k2KnQ9hz+MP7t8fVNNn9Ew3GHr4GGkVHXjO+UE5Le/ JMCZyHsDHvC6cw7c6bD5LsdDLEMMeZCtD8/0GK9vXh0MISaQrjGrLNXpXygV1TWm3uhd aH5Z7SntoMod1WxwU2FzdTo1b2LMiDEXk0Te45ZPtC6G9PmhM5v/E37qq8atQgTU8YSX OAlplGYOnMGa/8gbRLbTXALTxO4e1YJM2vrDPDS55Mdei4xukyot4ftpAQwPPuci2a9D Atgg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=twilio.com; s=google1024; t=1782320495; x=1782925295; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8SuSOBWUKpVqnlbW/ZpylvL8PGfEHx+/ppACFLcJQcE=; b=d2jq6QUgkFk9QWZBVvfXKbIQrkK29IXD8GKXkRTwRpEe4D4TLriB/OmHL1BpJIjRwL NGYCP+5X0wBQ+7kMM/qE5JVwdmDm/khftc44o3PP93Wb8N8NrgDN4Uu/oqC3qJBg58EO 20uJIHQVKmpmWZcFW1A11P4pStkIt2N9etTwM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782320495; x=1782925295; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=8SuSOBWUKpVqnlbW/ZpylvL8PGfEHx+/ppACFLcJQcE=; b=bmrp7JdJCwhM+0Gog2HbQTbtsrhlaKDTxo1epdvAxG1o1cbT4FMZc2kSPj3PRWhcwd jNdvC3WEc+i2iL33zrj9l6JLQR4qCCvPjSqsZ+PAoF+OLQUroWsY6mnlDBV31/PwqyN6 1esYqgp9cAucBaCkjS8e3eKTpBsZ7u7hF8+LaCyAGWeesneaSM/9/FU0dIU22bPzLDcw ONUG9adyBhDv6iLHmqly1qztHvUqXYR8mqAECktiOtPwVo3wN7eYTp7NPtzwrTRvm3hE WE1GEViaZ09HUX9rA0h9Guhm5ZcmTMMkalrgEVANyS8/lnPi+squTTa/CvwN7NwEbJex lphA==
X-Forwarded-Encrypted: i=1; AHgh+RpvrHYFGF//rvnRL1VWYloTe0XH7XEr9K2hdgqdA5PJFIWTmiQxK+I2rWfbmQAYTzXLFxzMvA==@ietf.org
X-Gm-Message-State: AOJu0Yy5mKA5KaowxQn5FMn90Ljg95QGd5m5Y6SgA8zPhYgP8+tnCp9V u7XHp8/A7gr4e1nImATykk/q/SJzd8hQHoq7+D0gLaUaUoHg0pgImdob5/uSF4VEIpfJGs80vuv gTjO4mgZ/8g91lCCgUoXjYfj1F8C4W4sNDck4J2okoQ==
X-Gm-Gg: AfdE7ckqs64oe3iPtUExZ4z64rDLhd7jmUWgHMy/vngplFTHPPM88FDC3JdaDKULNlx w4uX3NnZaS5PxP+6UyMWgdCBE8HbtuPEbGNVdoXL7RGJ1GAesvyLpGPQMtRp+oxvzrH3Tsy3Lmq DZKihdOdpSMhoTDcC9doRkxlRnY9KWh57lP4LXuGT2QwnKm4b9c+RuvLA8l+cXHSL6lxzyZ9l7a 2eLRPJ2JdW8Q6vv1+qNzcxqv8mE9eFmi9wG/rAn5jY3BG3KFCXNkwtJYyr7uHNyIaO2IBdKCg==
X-Received: by 2002:a05:6512:145a:20b0:5ad:4ae2:a203 with SMTP id 2adb3069b0e04-5ae9d59b0d6mr889568e87.26.1782320492628; Wed, 24 Jun 2026 10:01:32 -0700 (PDT)
MIME-Version: 1.0
References: <CAH8kd8QBNiPYFMp0+Ar5=mgRaUB4YBmgDSXae2Q+gJ2adf-p+g@mail.gmail.com> <VI0PR04MB118413F63404E73CED2639DAD93EE2@VI0PR04MB11841.eurprd04.prod.outlook.com> <CO1PR18MB4684D238CF73B81525076455D9EE2@CO1PR18MB4684.namprd18.prod.outlook.com>
In-Reply-To: <CO1PR18MB4684D238CF73B81525076455D9EE2@CO1PR18MB4684.namprd18.prod.outlook.com>
From: Max Gerber <mgerber@twilio.com>
Date: Wed, 24 Jun 2026 10:01:20 -0700
X-Gm-Features: AVVi8Ce5tQoE36EhPw0r9FW3ULyBvutVWTkcfLE-R2fNv8dSU0gVe7YZO-LItYY
Message-ID: <CAH8kd8TkKVvFh_Y8mM+NXCc5h8Wox0y4f9pyxtDpihGmznJkFQ@mail.gmail.com>
To: "Lombardo, Jeff" <jeffsec=40amazon.com@dmarc.ietf.org>, Guilherme Niero <gniero@gmail.com>, Frederik Krogsdal Jacobsen <frederik.krogsdal@idura.eu>, Karl McGuinness <me@karlmcguinness.com>
Content-Type: multipart/alternative; boundary="000000000000d6eb06065502d399"
Message-ID-Hash: CDU2SOO7JGTP55V5ES6SX5IGVVA4IYEB
X-Message-ID-Hash: CDU2SOO7JGTP55V5ES6SX5IGVVA4IYEB
X-MailFrom: mgerber@twilio.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Judith Kahrer <judith.kahrer@curity.io>, "oauth@ietf.org" <oauth@ietf.org>, Yaron ZEHAVI <yaron.zehavi@rbinternational.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Feedback Requested: Deferred Token Response
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dRio5d4uWdLYf86-u_dBP8H4E5Y>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Yaron, Jeff,

Thank you for your comments. It's good to hear that the core problem
(asynchronous authorization decisions) resonates.

> deferral_code is used by the client as a CIBA login hint.

Reusing existing CIBA rails is a very interesting suggestion. I had two
problems applying CIBA to HITL usecases:
- CIBA is client-initiated, meaning that an authorization server cannot
easily direct a client to start a CIBA flow based on the result of a policy
decision, risk engine, etc.
- Today, the client identifies the user who must be contacted during CIBA,
which doesn't work well when the client doesn't know the user's identity or
when the access request must be routed dynamically.

Using an authorization-server-issued deferral_code as the CIBA login hint
fixes both of these issues. The authorization server instructs the client
when to initiate CIBA (by providing the hint). The authorization server
also reserves the right to determine where to route the request by keeping
the structure of the deferral_code opaque.

My chief concern is CIBA's* focus on end user authentication*, rather than
authorization. I believe CIBA requires the client to request the `openid`
scope and the authorization server to return an `id_token`, which may not
have semantic meaning for authorization servers that are not also openid
providers. CIBA parameters, such as binding messages and user codes, may
not make sense in this scenario either.

@Guilherme Niero <gniero@gmail.com> @Frederik Krogsdal Jacobsen
<frederik.krogsdal@idura.eu> - would love to hear your thoughts on this.

> Ithe deferral_code should be returned already from the authorization
endpoint.

Yes, our intent was to treat the Token endpoint as the common denominator
and define DTR for all grant types simultaneously. Returning the
deferral_code from the authorization endpoint would require defining DTR
behavior for the authorization code grant type separately, and possibly for
first-party apps as well.

Additionally, deferral codes are rather long-lived compared to
authorization codes. Returning them from the Token endpoint makes it
possible to apply DPoP binding to them, as described in §10.1. Returning
deferral codes from the authorization endpoint would break this property
(though, if we only use the deferral code as a CIBA login hint we could
apply DPoP to the CIBA auth_req_id instead...)

If the consensus is that it would be better to return the `deferral_code`
as soon as possible and avoid the awkwardness of issuing an authorization
code for a grant that has not completed + extra round trip call to the
Token endpoint that is something we can look into. @Karl McGuinness
<me@karlmcguinness.com> has already opened an issue along those lines here
<https://github.com/maxwellgerber/deferred-token-response/issues/46>.

Thanks,
Max


On Tue, Jun 23, 2026 at 2:09 PM Lombardo, Jeff <jeffsec=
40amazon.com@dmarc.ietf.org> wrote:

> Hi,
>
> This proposal seems to be interesting when AS-Backend access control
> decision needs more time to converge. It seems you put on the Token request
> cause it is the common denominator of all the grant flow, but by doing so
> it seems then that the deferred issuance is not related to Resource Owner /
> Subject related decision.
>
> Therefore, I got similar reaction as Yaron, In Authorization Code grant
> flow, the issuance of the authorization code would have already been
> performed. If all the controls related to this request are OK (scope,
> audience, Authorization details), delaying more at the token request feels
> bizarre. I second that in this case, the deferral_code should be returned
> already from the authorization endpoint.
>
>
>
> Jeff
>
>
>
> *Jean-François “Jeff” Lombardo* | Amazon Web Services
>
>
>
> Architecte Principal de Solutions, Stratégie de Sécurité
> Principal Solution Architect, Security Strategy
> Montréal, Canada
>
> *Commentaires à propos de notre échange? **Exprimez-vous **ici*
> <https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>
> *.*
>
>
>
> *Thoughts on our interaction? Provide feedback **here*
> <https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>
> *.*
>
>
>
> *From:* Yaron ZEHAVI <yaron.zehavi=40rbinternational.com@dmarc.ietf.org>
> *Sent:* June 23, 2026 4:50 PM
> *To:* Max Gerber <mgerber=40twilio.com@dmarc.ietf.org>; oauth@ietf.org
> *Subject:* [EXT] [OAUTH-WG] Re: Feedback Requested: Deferred Token
> Response
>
>
>
> *CAUTION*: This email originated from outside of the organization. Do not
> click links or open attachments unless you can confirm the sender and know
> the content is safe.
>
>
>
> *AVERTISSEMENT*: Ce courrier électronique provient d’un expéditeur
> externe. Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous
> ne pouvez pas confirmer l’identité de l’expéditeur et si vous n’êtes pas
> certain que le contenu ne présente aucun risque.
>
>
>
> Dear Max and colleagues,
>
> The proposal is interesting and I agree with your reasoning regarding
> authorization servers which may need to decide to divert various grant
> flows to asynchronous and possibly multi-party interactions.
>
>
>
> However, since CIBA, which you identify as providing some of the desired
> capabilities, already solves polling / push notification mechanisms –
> perhaps the gap can be bridged without building so much from scratch?
>
> Imagine this high-level flow:
>
>    1. The client initiates whatever grant.
>    2. Authorization server decides on asynchronous interaction and
>    returns a deferral_code. I assume this point is reached after some
>    information is provided and in redirect flows also user interaction, so
>    authorization server can determine who the user(s) are, how to contact them
>    etc.
>    3. deferral_code is used by the client as a CIBA login hint.
>
>
>
> Another note – perhaps in authorization code oauth flows, the
> deferral_code should be returned already from the authorization endpoint.
>
>
>
> Regards,
>
> Yaron
>
>
>
>
>
>
>
> Classification: GENERAL
>
> *From:* Max Gerber <mgerber=40twilio.com@dmarc.ietf.org>
> *Sent:* Tuesday, June 23, 2026 3:57 PM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] Feedback Requested: Deferred Token Response
>
>
>
> You don't often get email from mgerber=40twilio.com@dmarc.ietf.org. Learn
> why this is important <https://aka.ms/LearnAboutSenderIdentification>
>
> This message is from an external sender - be cautious, particularly with
> links and attachments.
>
>
>
> Dear OAuth Working Group,
>
>
>
> We would like to request your opinions on this draft:
> https://datatracker.ietf.org/doc/draft-gerber-oauth-deferred-token-response/
>
>
>
> This document proposes an opt-in mechanism to convert OAuth grants into
> asynchronous processes - extracting the polling and notification mechanisms
> defined in device authorization and CIBA grants into a generic mechanism
> that can be applied to any grant type.
>
>
>
> This asynchronous deferral mechanism empowers the authorization server to
> deal with authorization decisions that cannot complete synchronously:
>
>
>
> - Fraud Prevention: Sensitive operations may trigger manual review by
>
>   parties other than the resource owner.
>
>
>
> - ID Verification: Users may submit copies of physical credentials
>
>   during onboarding or step-up. Verification by the authorization server
>
>   (or a third party acting on its behalf) can take hours.
>
>
>
> - Autonomous Agent Authorization: An agent acting on behalf of a user
>
>   may request access beyond what was provisioned at enrollment,
>
>   requiring out-of-band approval before the request can be granted.
>
>
>
> Slides comparing this draft to CIBA, specifically for human-in-the-loop
> cases for AI Authorization can be found here
> <https://maxgerber.com/slides/ciba-vs-dtr-may-2026.html>.
>
>
>
> This recent IETF draft evolved from an earlier draft
> <https://github.com/gniero/oidc-dtr-resources/tree/main> of the same name
> in the OIDF after we realized the proposed mechanism was suitable for a
> wider range of use cases. Additionally, the draft seeks interoperability
> with the AuthZEN Access Request and Approval Profile Draft
> <https://openid.github.io/authzen/authzen-access-request-approval-profile-1_0.html>,
> which adds an asynchronous requesting flow to AuthZEN systems as well.
>
>
>
> The draft was presented recently at IIW #42. Both Frederik and Max will be
> present for IETF 126 and are hoping for feedback from the working group.
>
>
>
> Thank you,
>
>
>
> Frederik, Guilherme, and Max
>
>
>
>
>
>
> This message and any attachment ("the Message") are confidential. If you
> have received the Message in error, please notify the sender immediately
> and delete the Message from your system, any use of the Message is
> forbidden. Correspondence via e-mail is primarily for information purposes.
> RBI neither makes nor accepts legally binding statements via e-mail unless
> explicitly agreed otherwise. Information pursuant to § 14 Austrian
> Companies Code: Raiffeisen Bank International AG; Registered Office: Am
> Stadtpark 9, 1030 Vienna, Austria; Company Register Number: FN 122119m at
> the Commercial Court of Vienna (Handelsgericht Wien).
>