[OAUTH-WG] Re: Shepherd Review - OAuth Identity and Authorization Chaining Across Domains
Brian Campbell <bcampbell@pingidentity.com> Fri, 06 February 2026 14:04 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A2683B2D61D5 for <oauth@mail2.ietf.org>; Fri, 6 Feb 2026 06:04:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F0_ScuR3oCeo for <oauth@mail2.ietf.org>; Fri, 6 Feb 2026 06:04:56 -0800 (PST)
Received: from mail-ua1-x92b.google.com (mail-ua1-x92b.google.com [IPv6:2607:f8b0:4864:20::92b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 5EF8AB2D5EE3 for <oauth@ietf.org>; Fri, 6 Feb 2026 06:02:57 -0800 (PST)
Received: by mail-ua1-x92b.google.com with SMTP id a1e0cc1a2514c-948bd416c7eso550020241.2 for <oauth@ietf.org>; Fri, 06 Feb 2026 06:02:57 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1770386577; cv=none; d=google.com; s=arc-20240605; b=NkieMuc9LaaPx319wXLnepMNeiax6+WmwTGwfFNYQ/eoswKB6RtVeV1lNatMdqN2hr OF0dksZHfLz2xfXF03Y3jyQriE14jROGt3qotDv+kgtA6AYdDFGfa/cNOc9iWdvw5ZEZ c+MskeNsq0U2mw1a3/D96Vq74Bq2vqAOPI1mWmHGuWB5tOv0DPszPkxK1MFTTxw1AsZ6 ZicVdos8BaXklp5lXE1rCGV1ncRMr+YJv02koCMT+lCnV/TVfCq4C2k5DO3DUttdztxQ WcuCTqgynqJfg2Sr8aUI/OOrghY4a0c7sp+4O9QF2+rVDQnhemMVnwsDqwCZhy9cKNuy /N7Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=eTwv0OqX6R03cKIN2FnUXUNd+o5vXIF7u4lR7zmB6ZY=; fh=b7oDB13V7isyUpE40UxHH21Zvi4/vGP/dT0hAEuZDwQ=; b=V2tq67MmmOCfpWPq+MsQHOTZnlZQRtFu2umrnlCG9cT2006NwhmVlf/OeU0IyM8VSJ 0yDrU0MGUuEvTwFgb2TowDjPra3Y2JitIo8lydHG3wMsLeHCnCdXhXBxx2NoCy72ztJu XqZ1tXG2JZrDQCROF2vy04D9bITmQe5xJh0LJVcxZc3nO8JBZVrg5xvn0GMdB5V+RTJC xxgkMHXWRjmFqPF+PJIUeLbfdVsYdVHiwhJah+PmbXFRZTjNIbINO1HWfR+PAht7w+cF rO4w9mqBHhUVW+mvB8+jq8g8jdVM+pjYZKqwMWHLclPBxAsJZCBCnDDIO5TcB5An8G6U x40Q==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1770386577; x=1770991377; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=eTwv0OqX6R03cKIN2FnUXUNd+o5vXIF7u4lR7zmB6ZY=; b=RyLzUC8tyufjfUjGBOTGqgkvCoNdpFu4MnkAPY5qXlIAa3oTGrmiN5HOMdtkO+34m2 72HGrSOXHQrpH8bvC7KDcUYL0EzrAyU/1VIuBSY19vsdhlGJLgxXD9+ok9PZBhM0jD5e FMC+ULWZlFgCO4vVgMe7cpP9BDHXfMybYNbzQd34BFUCrfe4PDR5oNEVAsleWtfsIqoy 1zUzmxQ9MY6oN01FCr7QwXtgDiPUV8Xy9Ii15jkQwUfT22T4WHZK0/OAMOqPG+GB6WvT mkOajvmBCngOVVJi4nNTUSlpfaetI3inGVuhwl8MUlVWFD1c+xSE+YLlh2En/m04OPOp V1cQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770386577; x=1770991377; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=eTwv0OqX6R03cKIN2FnUXUNd+o5vXIF7u4lR7zmB6ZY=; b=f1ttjixhgy1NP+EZqThjl0OYHtzRYH47MBGgQEQkydmN4yOv/Xh+bu8be1m4gB27h7 emc6DaxW/NZ5okN7QhaaYxVP3dzq074SKG1d8Nj/5fDmZhhw7dkhm4E1pqLKPrwwpctI Pnzk6K8H8jECIKWGvwRJ/D1IW4P65uZm6zIumRSIAZTscyYqKaeyanfmRiW/A3Iu/IVz vOEBv7ickYSSvExSR2rwU76htdqekMPvGwAMQ92BTamHj6vBjPz8OE4vR8ZoftoEUrzm 54fU9qEfvw0HvRa2THbIJTojqsa8bC2lBSMjDcWdqXIDqev0RI1g02Tsewp3BlQZteuo KE4Q==
X-Gm-Message-State: AOJu0Yz16p7PiBJipjkiOfj7tpFzRLSDtxy2oqmvVd0FxeLmCl8mHMha pyBEfSQAvfP1ERDtn4rGhvV7yO67M4umeeGkB6dD88YLlgaBVLL7pKcP/U/pXlvKcSje9GWAIXY JI2XD7ohURd1MswS4ejTMDWR996SC8ehw8hFLSWY1DtX43c+s8Sy7j+7/A4JjUTseJs84KHKGNZ /l7GZSIJsd6YHNTmA4XY+/Hr+aHabyCQ==
X-Gm-Gg: AZuq6aKLLJMv8PaD6sUPtwhLJf19KAbugq2nX07fjrdJBDXg/U1fn7IAFKNLOV3Oy/d EdywuobcNBnYCvyoSYwXo/ox0RREi0U3RjEYjENw+nuujVsVMu7nPDcgVnTotpEkzHlRzCmhDyx bzOKNIaq31+s9Uce+FypbFa/zYoF7Gf/fspS3AFS6EJwDYksw8EoCUQZxc9a/JfMSWWCpSQSwMb P48bTk5jA15oX31EeM4Tv2EyYD2s0NfCbmKWd3dSyGPeu2J5edLbUGalFwNzR3rUspFVfBghjGQ 2nZ/369KBnGU4ANaksqk8cfnmxSc1mF5sLGMcyA=
X-Received: by 2002:a05:6102:3746:b0:5ee:a05e:f7b5 with SMTP id ada2fe7eead31-5fae8c60effmr537349137.44.1770386576382; Fri, 06 Feb 2026 06:02:56 -0800 (PST)
MIME-Version: 1.0
References: <CADNypP-PTh=duUD0uLKr7jvxUXeGSuTufZQYRpfJVe7AaH2G6A@mail.gmail.com>
In-Reply-To: <CADNypP-PTh=duUD0uLKr7jvxUXeGSuTufZQYRpfJVe7AaH2G6A@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 06 Feb 2026 07:02:29 -0700
X-Gm-Features: AZwV_Qg6LUIgCfOta-6JBOVHy8DU485RZKbgKwTHbDiXjvm16eGxyOTr88FwU3k
Message-ID: <CA+k3eCTdCpqC1DKyDYyC3XwHj=nVo_YiyAw9O0kSZoFN3ZFqTg@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000000034eb064a283f8c"
Message-ID-Hash: IU33GQGD3XTPTXLQJV47I7TUU6XI5GX2
X-Message-ID-Hash: IU33GQGD3XTPTXLQJV47I7TUU6XI5GX2
X-MailFrom: bcampbell@pingidentity.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Shepherd Review - OAuth Identity and Authorization Chaining Across Domains
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dfJvAFIB572QdjEoYWXWEIJedng>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Thanks Rifaat and apologies on behalf of the editorial team for being somewhat slow to get to this. Attempts at responding to individual items are inline below. And this PR https://github.com/oauth-wg/oauth-identity-chaining/pull/176 is collecting the resultant changes, which I hope to go over with folks tomorrow er... today in like an hour in an informal semi-recurring call with some of the editors and interested parties. On Thu, Jan 29, 2026 at 6:36 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote: > All, > > As the shepherd for this document, I have reviewed the latest version of > the draft > https://www.ietf.org/archive/id/draft-ietf-oauth-identity-chaining-06.html > > I have the following comments/questions: > > Section 2.1 > > It would be great if a sentence or two are added to explain why the > initial interaction in domain A is limited to token exchange. > The idea makes sense in my head but writing the words proved more difficult. This is what I managed: https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/45d233f4cc8b07c7d3c5a22dcf3e683688c70bb7 as part of the PR > > > Section 2.1, bullet (C) > > where domain B's authorization server trusts the public key(s) of domain A >> to sign JWT authorization grants > > > I think I understand what this sentence is trying to say, but I think it > needs to be reworded, because you cannot use public keys to sign a JWT. > Yep: https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/3c9f90442aacf5b8fba794d7b455ff22191582df > > > Section 2.3.2, first bullet > > It would be great if you can add a reference to a document that explicitly > defines which error code would be used to deny the request. > Yep, https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/09b2edd2794416573dea91ea6d02e00a480623f7 > > > Section 2.4.1, 3rd bullet > > You might want to add some text to explain ‘scope’ > That's embarrassing. I took a little different approach to fixing it though: https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/463c0bb9a892fc3f0703abdd12071e0e7c8f9aa5 > > > Section 2.4.2, second bullet > > It would be great if you can add a reference to a document that explicitly > defines which error code would be used to deny the request. > Yup, https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/3eff55a90f8daf5138f65dba46b149f93b9083b8 > > > Section 2.5, last bullet > > The populated claims SHOULD be namespaced or validated to prevent the >> injection of invalid claims. > > > Can you elaborate on this sentence? > Honestly, I don't know what that means nor am I able to discern what might have been intended. So going with https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/7df2b2f5ceeda1cb713dbfb1efa63cafbe057951 on this > > > Section 3 > > Authorization servers MAY choose not to advertise some supported requested >> token types… > > > What would be the reasons for doing this? > Information disclosure concerns maybe? Going with that: https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/4f00cea01e18b7b9262f4fe82a8ab1b563f81787 > > > Section 5.1 and 5..2 > > Why is the use of SHOULD instead of MUST? > attempt to qaulify things there with https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/d0f8b70e335d76172cfd22cf7aa4ba2f8102f798 and https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/ace14363b0d9e52c9e9a619a6ce00487aedaf3f7 > > > Section 5.3 > > The authorization server in trust domain A SHOULD perform client >> authentication > > > You might want to elaborate on why this is a SHOULD and not a MUST, to > make sure the implementer understands in which cases this is possible and > which is not. > yep, tried to do that in https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/3269e141bda313f3a03777c50ded1316f9f06bc7 > > Section 5.4 > > The authorization server in trust domain B SHOULD NOT issue refresh tokens >> to the client within the scope of this specification. > > > Are there use cases where the AS can issue refresh tokens? If yes, then > maybe provide an example, if no, then maybe this should be a MUST NOT? > I think I'd prefer a MUST NOT here but back in the development of RFCs 7521/7522/7523 there was enough resistance to that prohibition that it is kind of discouraged but not disallowed. Going further here seemed like too much. But maybe? Anyway, I tried to explain it a bit with https://github.com/oauth-wg/oauth-identity-chaining/pull/176/changes/7e57b8115d0f75c26dc4a63b89dd7a7fc7752b4a -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Shepherd Review - OAuth Identity and A… Rifaat Shekh-Yusef
- [OAUTH-WG] Re: Shepherd Review - OAuth Identity a… Brian Campbell
- [OAUTH-WG] Re: Shepherd Review - OAuth Identity a… Brian Campbell