IETF Logo Mail Archive

[OAUTH-WG] Re: Separating the ID-JAG issuer from the ID-Token issuer

Atul Tulshibagwale <atul@sgnl.ai> Wed, 05 November 2025 01:26 UTC

Return-Path: <atul@sgnl.ai>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 4546B83207A7 for <oauth@mail2.ietf.org>; Tue, 4 Nov 2025 17:26:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=sgnl.ai
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zmz4M6eXTUFg for <oauth@mail2.ietf.org>; Tue, 4 Nov 2025 17:26:05 -0800 (PST)
Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 4FCDF8320739 for <oauth@ietf.org>; Tue, 4 Nov 2025 17:26:02 -0800 (PST)
Received: by mail-pl1-x62e.google.com with SMTP id d9443c01a7336-2953e415b27so40537525ad.2 for <oauth@ietf.org>; Tue, 04 Nov 2025 17:26:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sgnl.ai; s=google; t=1762305961; x=1762910761; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=0muxfiEnXsQfHRTA8mkJ8Jx3aZ+AxNCCXgXTAcDzOc0=; b=VSoJdZDcwcP1H/ZFkAIlWziEdMVcUqtx0vZFCRqoA3EGqcksSYehWjMzvsE3y5zwUJ 4woLNH5hnDFvpK4+d/17yy9uxT1E2En8iFyawn4Im499bzhw9eaRdkE6HBgX91Dif2eK pXUc3wDxjpOOt4feTbXVajiWLkRQtxHuSg64WLFUvdegtqv/MWVmF4zJPe8sfWk6Oh6W qX8D4C1qHM+C45YkO2pBYzoPIMDwxOdE1MFmm/MHadAZUd7IHH7kvvhMF43/MWQxfgGB guFWCESC75zrwziqVPTgNBmwJRCqMTgeBHv7h73InFwXD3CC6zk+iSv3w1yCFam5hsAS 0xoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1762305961; x=1762910761; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=0muxfiEnXsQfHRTA8mkJ8Jx3aZ+AxNCCXgXTAcDzOc0=; b=G22JtbaOdmoZ76ZylVt3NcZi2OiubOulgHefPnNwoORogK+CWPKHDW7Jeuzc/DZqYX lXF3lMnrRRO1a6/JkkdiWIn9TaEFeJQzTLI3uJ8g7I2/TvfhuUbgU7YfvL2cX6tz8VTF VpgdfFGezQZiJaVj0NYvrE0uq6S8Akw3kKmU4on7ogJcsuqznIMRmB09Ny/bFeekLfCJ jLJydQk6xQQr+dP+I9sCrdqkXpD9e4FoApqjiTzxxXe52PXtCzvh5TFS+WfAsXtOQWLR eRVDK1+kGNBvLP30fYZxu+oOv8/BIcpnVg3U3mXi3S7zVksb08DO4ZIYyXxWtGjtsqaX XQjg==
X-Forwarded-Encrypted: i=1; AJvYcCXHD6l75nFKyER+c9u8l9Q9z13WhkzzrRL6XUGA5mF7kmZZAWMo5URzQ4tPyuyUGQU+Ov814w==@ietf.org
X-Gm-Message-State: AOJu0YxP2J4QgqAjxAyt18K4OsTV5UdfymLT9Fp1UCmQ2TZX5QmNExHc v0vv+RCGC803f+At8PGH8Fsc0j28sVdOPk9c1kcR+/oVrWGKXgva59u4H5H5vxkxyCu1q7jlkXL 4tIzGEtQI15Sh08f06QzuUL3fCxLiktL3VHHE9HA4hQ==
X-Gm-Gg: ASbGncumiIrwelNLASNhMVX6tzYHKXn719stOb8nhXvmElZmusCcEy6k7uzGtUU3JXW 4V8o4U5VN+kIT+wTkzBjGir6dRqVi8/ud0x4qFL+rP4vIFYSNJEMC4Pk3++FGILz+BiZi5vzNhg VdT2TvsAkJ19SLyOl4J562nRE83NjXBVeFCQh13191AiE7XK7c1PF9YsbVDHM40oHV0tB7aOH/C HTIxQVudKJynX1+oAboFY8csk6mCRckZwlSkSXFKX3Muuj7fLSZR4IjrWDM
X-Google-Smtp-Source: AGHT+IGux46jNjcz9BIi1IJqa3l26mg7zZfBgMazWZRJ0Srg5GvjjhKC3k/QIk1qmSg8zyHwQWQkK2RZY3U7VcBwq0c=
X-Received: by 2002:a17:902:ce03:b0:295:1626:6be5 with SMTP id d9443c01a7336-2962ae37819mr22326865ad.44.1762305961209; Tue, 04 Nov 2025 17:26:01 -0800 (PST)
MIME-Version: 1.0
References: <CANtBS9cA0Ab7ChYa5JZX7pDZ+1-W1=9TigYkL6J61Yc+WZUMyw@mail.gmail.com> <D33B3BA9-A0FD-415F-A8CB-9A73DDEB4FC1@karlmcguinness.com>
In-Reply-To: <D33B3BA9-A0FD-415F-A8CB-9A73DDEB4FC1@karlmcguinness.com>
From: Atul Tulshibagwale <atul@sgnl.ai>
Date: Tue, 04 Nov 2025 17:25:44 -0800
X-Gm-Features: AWmQ_bnnqimsKfkcI6r_XppZg8-p8RkamKoC03Fjn0wHd7cZ4VGy2GuYGm4b__o
Message-ID: <CANtBS9eTfehHx4Zgg56t+CpTuNg7GWtkd8u+-LC5JMye5GaNuA@mail.gmail.com>
To: Karl McGuinness <me@karlmcguinness.com>
Content-Type: multipart/alternative; boundary="000000000000cdc0d30642ced472"
Message-ID-Hash: 2BUQKRREG5ZD5DPUEVJJYTDZXHJ72UDI
X-Message-ID-Hash: 2BUQKRREG5ZD5DPUEVJJYTDZXHJ72UDI
X-MailFrom: atul@sgnl.ai
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Separating the ID-JAG issuer from the ID-Token issuer
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eSVyHsmORsO3HhM5Vgtgk6-7bxk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi Karl,
BTW The "dark mode" cut and paste in your email made it a little hard to
read (I had to paste it elsewhere to read it!).
To address your points:

   -  There is no concern if the subject claim doesn't have to change
   between the ID-JAG and the ID-Token. I thought the discussion started
   because you thought it needed to change between the two.
   - I agree on the identifier mapping to applications being an
   architectural question.
   - ID-JAGs are "authorization grants", so they are different from
   ID-Tokens, which are authentication tokens.
   - What I'm advocating for is that I love the benefits of having ID-JAGs,
   I just don't want their issuer to be required to be the IdP that issues the
   ID-Tokens.

Thanks,
Atul

On Tue, Nov 4, 2025 at 3:47 PM Karl McGuinness <me@karlmcguinness.com>
wrote:

> Perhaps the resource authorization server uses a separate identifier
> format and value for users than the IdP
>
>
> I wouldn’t expect this to be a subject claim in a cross-domain (federated)
> assertion. Subject claims are scoped to issuer
> in a federation.
>
> This profile is reusing the same claims as the ID Token. In a normal
> authorization code flow the Resource AS would redirect to the IDP if there
> wasn’t a session and get back an ID Token that it would use the claims to
> perform account resolution to a local user and prompt for consent to issue
> an authorization code. ID-JAG is providing the same claims and identifiers
> for account resolution. This keeps the same trust relationship for the
> resource owner, improves interoperability (no claims mapping needed) and
> enables the Resource AS to include authentication context into token
> issuance decisions (eg amr, auth_time, etc).
>
> It's an architectural question for organizations about how the IdP issued
> identifiers should be mapped to the identifiers that the application
> recognizes.
>
>
> How is this different than ID Tokens? This profile is allowing the same
> flexibility as SSO which has both brown and greenfield deployments and
> supports JIT or provisioned accounts.
>
> It sounds like what you are advocating for can be solved with vanilla JWT
> Authorization Grant and ID Chaining Spec. You don’t want to use an ID Token
> to obtain the grant (audience issue, AS isn’t the IdP or Client) and you
> want to have Resource AS specific claims in the assertion for identifying
> the resource owner.
>
>
> On Nov 4, 2025, at 3:07 PM, Atul Tulshibagwale <atul@sgnl.ai> wrote:
>
> 
> Hi Karl,
> My comments below.
>
> Thank you for your patience with my suggestions and questions,
> Atul
>
> On Mon, Nov 3, 2025 at 7:51 PM Karl McGuinness <me@karlmcguinness.com>
> wrote:
>
>> A couple of other points to add
>>
>>    - The ID-JAG has the same `iss`+`sub` as the SSO ID Token for the
>>    Resource Authorization Server as RP.
>>
>> I'm not sure the ID-JAG is required to have the same `iss` or the same
> `sub` as the ID-Token. Perhaps the resource authorization server uses a
> separate identifier format and value for users than the IdP, and the ID-JAG
> Authorization Server (which in my proposal is separate from the IdP) does
> that mapping before it issues the ID-JAG. The resource authorization server
> can be configured to trust the ID-JAG Authorization Server instead of the
> IdP for the ID-JAG.
>
>
>>
>>    - This ensures the same account linking/resolution logic for SSO can
>>    be reused for ID-JAG processing reducing surface area and security issues
>>    of generic claims mappings needed for something like vanilla JWT
>>    Authorization Grant in a federation.   For example, the Resource
>>    Authorization Server as RP stores the IdP's iss+sub during JIT from SSO
>>    then matches the `iss`+`sub in the ID-JAG.
>>
>> It's an architectural question for organizations about how the IdP issued
> identifiers should be mapped to the identifiers that the application
> recognizes. So if we are able to propose a standard that doesn't preclude
> the possibility that there may be a separate authorization server, then it
> makes the standard more valuable.
>
> I think there is sufficient evidence that many large organizations choose
> to have separation between the authenticating party and the authorizing
> party, so as a standards body, we should permit and encourage both
> possibilities.
>
>
>>    - The Resource Authorization Server can trust multiple IdPs and
>>    therefore multiple ID-JAG issuers (assuming the secure account resolution
>>    of multiple federation identifiers)
>>
>> I'm not sure if it matters whether the party that a resource
> authorization server trusts for an ID-JAG is a combined "ID Token Issuer +
> Authorization Server", or just an "Authorization Server". Am I missing
> something?
>
>
>> -Karl
>>
>> On Mon, Nov 3, 2025 at 7:00 PM <george@practicalidentity.com> wrote:
>>
>>> I think the issue is that the id_token “audience” restrictions require
>>> them to be the same. Otherwise the “IdP Authorization Server” (that didn’t
>>> issue the id_token) would need to reject the id_token when received because
>>> the “audience” wouldn’t match. I’m not crazy about the idea that says a
>>> bunch of different services performing different tasks are still all the
>>> same “audience”.
>>>
>>> George Fletcher
>>> Identity Standards Architect
>>> Practical Identity LLC
>>>
>>>
>>>
>>> On Nov 3, 2025, at 5:30 PM, Atul Tulshibagwale <atul=
>>> 40sgnl.ai@dmarc.ietf.org> wrote:
>>>
>>> Hi Jeff,
>>> I'm not thinking of changing anything in the draft (e.g. using
>>> Transaction Tokens, WITs etc.)
>>> I'm only suggesting that we should not assume that the IdP that issued
>>> the ID-Token is the same as the "IdP Authorization Server" that issues the
>>> ID-JAG.
>>>
>>> Atul
>>>
>>>
>>> On Mon, Nov 3, 2025 at 1:29 PM Lombardo, Jeff <jeffsec=
>>> 40amazon.com@dmarc.ietf.org> wrote:
>>>
>>>> Not going against anything Aaron said, is your question @Atul
>>>> Tulshibagwale <atul=40sgnl.ai@dmarc.ietf.org> cause you are thinking
>>>> ahead of:
>>>>
>>>> 1/ A transaction Token could be exchanged for a ID-JAG?
>>>> 2/ A Workload Identity Token could be exchanged for an ID-JAG?
>>>>
>>>>
>>>>
>>>> Jeff
>>>>
>>>>
>>>>
>>>> *Jean-François “Jeff” Lombardo* | Amazon Web Services
>>>>
>>>>
>>>>
>>>> Architecte Principal de Solutions, Spécialiste de Sécurité
>>>> Principal Solution Architect, Security Specialist
>>>> Montréal, Canada
>>>>
>>>> *Commentaires à propos de notre échange? **Exprimez-vous **ici*
>>>> <https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>
>>>> *.*
>>>>
>>>>
>>>>
>>>> *Thoughts on our interaction? Provide feedback **here*
>>>> <https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>
>>>> *.*
>>>>
>>>>
>>>>
>>>> *From:* Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org>
>>>> *Sent:* November 3, 2025 4:17 PM
>>>> *To:* Atul Tulshibagwale <atul=40sgnl.ai@dmarc.ietf.org>
>>>> *Cc:* oauth <oauth@ietf.org>
>>>> *Subject:* [EXT] [OAUTH-WG] Re: Separating the ID-JAG issuer from the
>>>> ID-Token issuer
>>>>
>>>>
>>>>
>>>> *CAUTION*: This email originated from outside of the organization. Do
>>>> not click links or open attachments unless you can confirm the sender and
>>>> know the content is safe.
>>>>
>>>>
>>>>
>>>> *AVERTISSEMENT*: Ce courrier électronique provient d’un expéditeur
>>>> externe. Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous
>>>> ne pouvez pas confirmer l’identité de l’expéditeur et si vous n’êtes pas
>>>> certain que le contenu ne présente aucun risque.
>>>>
>>>>
>>>>
>>>> For some background, the reason for this draft and the ID-JAG in the
>>>> first place is to enable an Authorization Server to issue its own access
>>>> tokens in response to a cross-domain artifact. This is better than the
>>>> other two alternatives which would be:
>>>>
>>>>
>>>>
>>>> 1. Client sends the IdP-issued ID Token to the Authorization Server in
>>>> the other domain (violates ID Token "audience" policy processing)
>>>>
>>>> 2. Have the IdP issue an access token that the Resource Server in
>>>> the other domain accepts (no protocol violation, but experience has shown
>>>> Resource Server implementers do not want this)
>>>>
>>>>
>>>>
>>>> Now to your actual question, why not enable the ID-JAG issuer to be
>>>> separate from the ID Token issuer. This would also violate the ID Token
>>>> "audience" processing, since the ID Token would be presented to an entity
>>>> different from the issuer of the ID Token.
>>>>
>>>>
>>>>
>>>> On Mon, Nov 3, 2025 at 3:49 PM Atul Tulshibagwale <atul=
>>>> 40sgnl.ai@dmarc.ietf.org> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> Great to see the "Identity Assertion JWT Authorization Grant
>>>> <https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/>"
>>>> proposal being accepted by OAuth. I'd like to propose that we should not
>>>> assume that the issuer of the ID-Token is the same as the issuer of the
>>>> ID-JAG. There doesn't seem to be any reason provided for this either in the
>>>> draft or in the short discussion we had today.
>>>>
>>>>
>>>>
>>>> It's just something that is assumed in the draft, and I feel that can
>>>> be generalized without affecting anything in the draft.
>>>>
>>>>
>>>>
>>>> To address Aaron's response that "if you want them separate, then you
>>>> return to the ID-Chaining draft": I feel there's a lot of value in this
>>>> (ID-JAG) specification, and being able to apply to more use cases broadens
>>>> the value of this specification.
>>>>
>>>>
>>>>
>>>> I'd love to know what could be potential issues if the ID-JAG issuer is
>>>> not assumed to be the same as the ID-Token issuer.
>>>>
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Atul
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list -- oauth@ietf.org
>>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>>
>>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>
>>

v2.37.1 | Report a Bug | By Email | System Status