[OAUTH-WG] Re: OAuth Transaction Authorization Challenge

"Lombardo, Jeff" <jeffsec@amazon.com> Mon, 29 June 2026 14:14 UTC

Return-Path: <prvs=633c2a1b0=jeffsec@amazon.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id CC5E7109D672D; Mon, 29 Jun 2026 07:14:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1782742475; bh=XYAYCW2ig5ZpVa61YLi3Fc1IGzSOYkx4/OOK+EYljg8=; h=Subject:From:To:CC:Date:References:In-Reply-To; b=xNiHOSKwq/9O0mn/xMXlAyY4YWiU2VnhE9NjAR2CZkD1KRnRVXzXzhEQPXwHgfPdx XUduz9mt2QbCCB90ikrQUYYNO64KJ9I85DIzOOxBw7v9nUEEpioQsHTEWf5xTK61Iu htWs/C9P18+PEw0HLOWcmnnCc0aXjV+qyhtdukrI=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.795
X-Spam-Level:
X-Spam-Status: No, score=-2.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=amazon.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CY2w0OyP7k6S; Mon, 29 Jun 2026 07:14:33 -0700 (PDT)
Received: from iad-out-015.esa.us-east-1.outbound.mail-perimeter.amazon.com (iad-out-015.esa.us-east-1.outbound.mail-perimeter.amazon.com [44.210.169.44]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id C8186109D671B; Mon, 29 Jun 2026 07:14:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazoncorp2; t=1782742473; x=1814278473; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=XYAYCW2ig5ZpVa61YLi3Fc1IGzSOYkx4/OOK+EYljg8=; b=YqXnOdAWlEq0NuAqwbwvIN+DGRTk20sZljDjluhzBn6xi5EGQa3pxu68 D5J/Ccx4RzfiMbCh7n0f8yW02ZkSQTHRctotwmpFYstWUcBMNN4Ckcv8R fHsrEWQ7bfNuSvE3h4RY7G5KkjI7c6TbmrR802uHuu1RcSFK+8w5J/xRb yKqGh/RgsOkKvRUSOxqwO+FUSUjZu4vDJDm1WCIbza6ZRyEyeOJ6yVSTe V+purNXpvKqsUgbaaUNGkGcbaIwsed2bT4Oxx/QrBf9ClQu5ZBieGkewJ 7OxcbRCAJU4FkVq+uK8S8CHd/z13aCyWpTlsTqDJ1+wrOuQfsJhASEtpV Q==;
X-CSE-ConnectionGUID: Xb87nZJQTzmU/L4NczVmag==
X-CSE-MsgGUID: vBD3rAMERuOBR/DwTWzXhA==
X-IronPort-AV: E=Sophos;i="6.24,232,1774310400"; d="scan'208,217";a="21298189"
Thread-Topic: [OAUTH-WG] Re: OAuth Transaction Authorization Challenge
Received: from ip-10-4-10-75.ec2.internal (HELO smtpout.naws.us-east-1.prod.farcaster.email.amazon.dev) ([10.4.10.75]) by internal-iad-out-015.esa.us-east-1.outbound.mail-perimeter.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Jun 2026 14:14:33 +0000
Received: from EX19MTAUEC001.ant.amazon.com [52.94.133.134:30716] by smtpin.naws.us-east-1.prod.farcaster.email.amazon.dev [10.0.92.78:2525] with esmtp (Farcaster) id 044650a8-2038-4c0d-8d8e-743a840a24ec; Mon, 29 Jun 2026 14:14:33 +0000 (UTC)
X-Farcaster-Flow-ID: 044650a8-2038-4c0d-8d8e-743a840a24ec
Received: from EX19EXOUEA002.ant.amazon.com (10.252.134.207) by EX19MTAUEC001.ant.amazon.com (10.252.135.222) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.2562.43; Mon, 29 Jun 2026 14:14:32 +0000
Received: from SN1PR07CU001.outbound.protection.outlook.com (10.252.135.42) by EX19EXOUEA002.ant.amazon.com (10.252.134.207) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.2562.43 via Frontend Transport; Mon, 29 Jun 2026 14:14:32 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=gpFmDkxwgM2BnFauOpSFlxkF/3iNGc7x1ZFfVD5+kkTm6ZQr0s3l0gjVuop8bSskHJn6WHhfgKXhHWqx6KSltrnfPct4J43BjCqk7AUyRyugZ75eag4E2l+SP7l3xB+aQyxxTuo8hQCsCAFaOMErwuBtNZItuS2d2hqhuDI9E9SJKhwD4/qTHfQ7xZGU5XrsIvJ6eTFYUE3jtjy/Ji7NZRHqT9OWD1xdJVsR8YXW8gfgsUMjw4Ev7oLOIWcFbJL77X4ml1aCWS923tI8owPCqo6CfYZMm2UKiL+nQvShRtTlTNCpF4ocCfaq6A1iR/ciQ6BKARp0A9jUdRRHe315UQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=XYAYCW2ig5ZpVa61YLi3Fc1IGzSOYkx4/OOK+EYljg8=; b=zTl2rUg2Jsakray6NGSHFUHXLLuWcR964Jl0EhC8+a3ubChlcQAM3JiUXG+9l3LwbRILOmFyoteMpMWenDwYIRg50jKURPqghEldNc2ioc1wZruZrScCwedxWnsFhPh4kOPtHHQvH7lUouOhSKH1IHe1YVcwLAwmMj/4q1/PxAVhMm4WAmg8veVF5ho1PTm3ms19bqyAoNU42xkKmq2YcouyuxB0cwDHcOLITPizVUYcaPO3mEaP7UfyPELIdTozATjTTnKq/x3GfQIUUYrkG7bfhzltT/kHaMkRiQ3Ld9/uWV+LqTNLUcevXueUTzTkQxqFev/vCqCFwDaFIR4qTQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amazon.com; dmarc=pass action=none header.from=amazon.com; dkim=pass header.d=amazon.com; arc=none
Received: from CO1PR18MB4684.namprd18.prod.outlook.com (2603:10b6:303:e7::5) by SN7PR18MB3999.namprd18.prod.outlook.com (2603:10b6:806:107::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.159.19; Mon, 29 Jun 2026 14:14:28 +0000
Received: from CO1PR18MB4684.namprd18.prod.outlook.com ([fe80::ee52:1b11:6a4a:d106]) by CO1PR18MB4684.namprd18.prod.outlook.com ([fe80::ee52:1b11:6a4a:d106%6]) with mapi id 15.21.0159.018; Mon, 29 Jun 2026 14:14:28 +0000
From: "Lombardo, Jeff" <jeffsec@amazon.com>
To: Yaron ZEHAVI <yaron.zehavi=40rbinternational.com@dmarc.ietf.org>, Yaroslav Rosomakho <yrosomakho=40zscaler.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Index: AQHdB6/Lz7ESNtPcqkGVMvBe7hBNi7ZVfXjw
Date: Mon, 29 Jun 2026 14:14:28 +0000
Message-ID: <CO1PR18MB4684CB31ACE0394EF3D9C086D9E82@CO1PR18MB4684.namprd18.prod.outlook.com>
References: <178238512098.1485043.9460051742400546328@dt-datatracker-f9b87776f-xzl65> <CAMtubr1340h+5re2zKVh=icxsuX+JE0MQ-+G=KXfhHrzVV+GuA@mail.gmail.com> <CAMtubr1bZOzkcEtYPKE6hSTr6cRu6ZqXWk955y2U8OETYG6QqQ@mail.gmail.com> <VI0PR04MB118410010A35D2B818C34681B93E82@VI0PR04MB11841.eurprd04.prod.outlook.com>
In-Reply-To: <VI0PR04MB118410010A35D2B818C34681B93E82@VI0PR04MB11841.eurprd04.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_943e0687-f175-4b9c-b2f5-83c4b4db97be_ContentBits=3;MSIP_Label_943e0687-f175-4b9c-b2f5-83c4b4db97be_Enabled=true;MSIP_Label_943e0687-f175-4b9c-b2f5-83c4b4db97be_Method=Standard;MSIP_Label_943e0687-f175-4b9c-b2f5-83c4b4db97be_Name=General (visual mark);MSIP_Label_943e0687-f175-4b9c-b2f5-83c4b4db97be_SetDate=2026-06-28T09:38:12.0000000Z;MSIP_Label_943e0687-f175-4b9c-b2f5-83c4b4db97be_SiteId=9b511fda-f0b1-43a5-b06e-1e720f64520a;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=amazon.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO1PR18MB4684:EE_|SN7PR18MB3999:EE_
x-ms-office365-filtering-correlation-id: b9c5544e-f0d7-4fcd-1d1c-08ded5e8bb68
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|376014|366016|23010399003|3023799007|6133799003|4143699003|11063799006|18002099003|22082099003|56012099006|8096899003|13003099007|38070700021;
x-microsoft-antispam-message-info: 3xtV6MHcLdj3jIwJ35VG1Wjba8jFcoHfmiXfVPJjjEs0pXZMSydYQlCmx9HYv79Pv9fnZTFwnz1Yt0XP4zVgzRNToVT/0UU0G6UmCzVG7joM2AwB/Bc/3Z+8NLJpAmOOsZZTzp1FN7Dbeoqg65DjGrU3d17cL9N5G2vBaoDSObNKiWOc0JSH1nt+H3vAW3aoI4g3uoC5gUu1/nr7ZIJCMmEw/m2pZT/zDJLgqumVuFXJW0KQ3382px9BlcoonGKJ7skIldMPgxVyOaaw0yrB5523ouhxR9A+JkkyJsaGURvRyyEZNTNi/TWlo8ujh08NWhiQDyUh9pSegBW4tXVLGKZo02i0DfMnuiV2McrFwh9pbPP5OoXdPQTPHS+q22/tNbrxG8RBzxUvsKXOFltAD9h4K2j2GElRHnDUW9kS47q4Cr2wKkKqUygOQAz9jWnAuP1W8G+rXhJ9ZscRlBljAxdG5UN1ZHR1SsWZhviyWW5rUdSDWRL0LmukbjjUlbWWVCHryqqdzoPWGeCroFqZ9aH37GL7B3wQSCSZiIn3CEg1Re9pStz0bVaWK499jZnx17M3AnS+6ARs3sji4DGu4Zs14F97e8Sx3TJht+VKrqDmHCFlGZ6RMHWJZ741XrctNzzUgBLoTnci5ba85nNqb3QN3BYT9YErOdkOgRlSaF0=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CO1PR18MB4684.namprd18.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(376014)(366016)(23010399003)(3023799007)(6133799003)(4143699003)(11063799006)(18002099003)(22082099003)(56012099006)(8096899003)(13003099007)(38070700021);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: JSzT710elMov09zA3IvrMs3sXW2vx6Hzti605Hq5dZCwtSEVHGByJT0ZbrnQEl0y0GQs33q0Jj3+FQ6fX8QVMnbPrMX6FCNLcE7wq7kx27YhXXuMTDyvRM22L85MvgtYTXUztbv5r+j4pspamHDrp/neJqOHR1LCcDBgtU9/oPEoDoFfDTXx3RVvj//NukZcIF1I+QDa4WLACEHZtFhld+PKTmw78dGIUshJIQqD/F47rXX8XwYLb519A9XUpfrgyTDILGycQ1pYxDDi0sgHxjRo/UXoxta/lGJwQnvB9PjKHHwVloLfH0cuufLCqxJCMm4zINVLIUDTotL3qc1eKDU7F6ciX9oxZHKvmNThTJJf0zAE1JUdp+atIdrvqb5ht56HsyTYwS0KKDartpizEU4nAEY0hO0GUBu5L2FN/80KR5JTQnOxip4qTzpZbGqevnY9toXckzWYjwWT9/ojtN1gUpN65PKpDUKik7lheaYomm8cgvuRQcJTs47/cRpnnhklIzbUiv3S+GbS/w4VGBZEel7qz4ZlZRoIwXaPZ7oMmh8/NRfJRLjZgVGYeWS+keSRpLKdbvFHBuRNnYEUatQeSh+fvRXwZwER6TVqfPVW5LaCk94kj0vivG1H4Tl+BIwXygHQyfcc9ukyurFUnxnKQ3SlLqp4I2ckNn9iwax2CAMY1pwWDyziNKrrUsdPPSSUZeF2B4k7rfp7IIQdVEw9RdAMw4oHYcg5EuiVjYUpCi4TsF4xYqe5ULVYMIokbwXsIWJ5hmvs2XmGFKFE3tHLutc4PxDPzNeUFPN4znzgbXAQw7SajOzYgjRzR+C3zYZvbaZQTaKiHNyctI740PLPQ0XQ0FNEKwaAD2t0Nv5LKK4KZLnDADPQqrc2Azr0sqExPn6eosONACedQriP0phq5HRwD000fKAf5PAGFS/pOhoOKFa2LX0AMXW5QNDmzBe/12+m/M27UAvpBZ0JE+C8tO5Q+cu7ln2WR4jknD079TVePqXG6CsMT0SvigDHHXctxuvT0W20M3gjNMpDXU2BApiO/H+Bw9T8y5xyZIaNvqkXPirGDQO8dYO1HIs4iByZEql2WMjjkjjtew+E8OgUcPumRNME+p9VvAUaHzBJ04rxaMdasMYP2P/eRgVyfPkGbZjnPXO46rejcyLmXAqpKuoJm93Uz//YDlKU3bsaIVplxXuE+bClEWyG1OHirU6TDrOWIA051hHC5D7UXOvaEhGnWykGHKnh5CBLIMYxy2b2MquAJVbH0fql7+HWPc9OX2tWGyyzZGU3UdsHimiahQXo5WkLCfeOd1nvoj+Cdxf4j5T36JezXh/T5z+RS3ZWMWjZ49ieV7H3V8+sMUePPOt086i1NuUDEoDRQpJIZbKVlu5MxNBVDpaik4wQb3ePocdEosOgZ1Wox8PFkVEdwVYHopB3f5P6Mh9e3fURZtFGJgoAFYc+BtfZ4W81Aw87NZ3rXxxgHpVJ75TTuSC9sb3jR5Q4vwLkSBSe+8kGAk3CYes3lkhaDJDNPC/++Aa63EBfPb71P5rZ5iWBgv4DKJDshR3vOJBHjcwAqAk/kw3I23IF9j3dZzOiOvQgpbjmZVI1GGYNzZ3BEUtnWZ3INg8tQuHAivMKDEiCw47lwwbyr0i86l9Z/m517sBWQTEH1Y+DPR7pPy8mKds59bYrIki8+zefAl1898OgCsxGZt/rZJyuQbhknqXBE7mk
Content-Type: multipart/alternative; boundary="_000_CO1PR18MB4684CB31ACE0394EF3D9C086D9E82CO1PR18MB4684namp_"
MIME-Version: 1.0
X-Exchange-RoutingPolicyChecked: kdF4As9+vvPSvBStqWeNURiY0uL2M6RJmThs2iYiOCVVMwptv9647Y4Rn2apu5Cvno1Q9MCYn2g4/hRNsb/HTxbndnT18vmN2DJUiY+zV7iVOLysmr1hpEAmzoV3LMPKt2xvu7mmWSTyp4qfGZZeKTOc3gNyd0qw+D4LaIeo0E6pDKVWf1PzUlkKu2wtJRU2yLdXPofl+9J1b0stLYHLRdf3ukSpIudQMsHonDT5Ud7/mPttHIWLMwzNqQIr1pCaxB9kOgmi0fTHofZGyULHce62iJ9rsgQcgFIOcxUABao80shcIS8SAhWgq6Fc24Bjc1XPZhfOWj1UoDxSXxgANw==
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR18MB4684.namprd18.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b9c5544e-f0d7-4fcd-1d1c-08ded5e8bb68
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jun 2026 14:14:28.6068 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5280104a-472d-4538-9ccf-1e1d0efe8b1b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: MRushwJqYe7EVCtkLrnc4hn0yraIFhzYvDX85Jd/9a6BkA8scJDpVbwENPriPn/MXfR19JhwXG+g2UahHh+/Ig==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR18MB3999
X-OriginatorOrg: amazon.com
Message-ID-Hash: SGM2MQAYFQG6ONLKNEC3QSRIQ6FXRT4Q
X-Message-ID-Hash: SGM2MQAYFQG6ONLKNEC3QSRIQ6FXRT4Q
X-MailFrom: prvs=633c2a1b0=jeffsec@amazon.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "draft-rosomakho-oauth-txn-challenge.authors@ietf.org" <draft-rosomakho-oauth-txn-challenge.authors@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: OAuth Transaction Authorization Challenge
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/exDxocMf8_yt9eeUy5NQz-HOwQE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi,

Not the author, just another reviewer.

Here are some elements that have been provided in the past WG Discussions based on Yaron comments:


  *   HTTP 401 vs 403.

As noted from this WG during former discussions around our aborted joint proposal  https://github.com/identitymonk/draft-lombardo-oauth-step-up-authz-challenge-proto there is actually no guarantee that HTTP servers and libraries could handle a 403 with a WWW-Authenticate header


  *   Header size.
While true, returning it as Body content was already flagged as breaking protocols like MCP who expects JSON RPC content in body even in case of non 200 responses.

Here are some elements of my own understanding:


  *   Transaction and single-use semantics
While this does not remove anything from Yaron comments, the whole draft is  about binding to transaction details, still the only outcome is an Access Token. I recommend the authors to consider Transaction Token issuance as possible outcome - https://github.com/yaroslavros/oauth-txn-challenge/issues/17.

  *   Initial failure as the only path.
Assumption: The protected resources could be a sub-system, composed of multiple backend layers in the same trust domain. Therefore there could be conditions expressed by the downstream components, not visible from the Client through the Protected Resource Metadata endpoint. Such situation would require such transactional validation while the initially presented Access Token is valid from a Resource Server standpoint.

  *   JWT representation of transaction challenges
Authorization details in this Draft is a reference to the structure defined by Rich Authorization Request / RFC 9396<https://datatracker.ietf.org/doc/html/rfc9396> not a reference to the flow of the same specification.

The outcome of the Authorization Challenge is made for the consumption by the Protected Resource in the overall flow which is the Client of the specific Transaction challenge flow. Therefore there shall  be no processing  possible that could tamper from what the Protected Resource needs as confirmation. Therefore the signature is a not a protection of the authorization_details  structure but the Authorization challenge as a whole.

  *   Transaction authorization endpoint details
This endpoint:
     *   Cannot support PAR as this specification focuses on an OAuth 2 Authorization Request, which this Draft is not based on. If the authors were to go this way that would be a complete fork from PAR anyway.
     *   Should support DPoP optionally when it issues an Access Token as it is of type `Bearer`- https://github.com/yaroslavros/oauth-txn-challenge/issues/18


  *   Token issuance pattern
In this Draft the Protected Resource is the Client of the Transaction challenge and only it should receive the confirmation understanding that the protected resources could be a sub-system, composed of multiple backend layers in the same trust domain where the transaction token could be replayed as long as it is related to the same transaction and within the time boundaries.


  *   Access token relay
I agree that the protection from DPoP should be mentioned in this. I would add that Twice is mentionned that the Access Token must not be modified, but can it be? - https://github.com/yaroslavros/oauth-txn-challenge/issues/19



Jeff

Jean-François “Jeff” Lombardo | Amazon Web Services

Architecte Principal de Solutions, Stratégie de Sécurité
Principal Solution Architect, Security Strategy
Montréal, Canada

Commentaires à propos de notre échange? Exprimez-vous ici<https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>.

Thoughts on our interaction? Provide feedback here<https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>.

From: Yaron ZEHAVI <yaron.zehavi=40rbinternational.com@dmarc.ietf.org>
Sent: June 29, 2026 6:11 AM
To: Yaroslav Rosomakho <yrosomakho=40zscaler.com@dmarc.ietf.org>; oauth@ietf.org
Cc: draft-rosomakho-oauth-txn-challenge.authors@ietf.org
Subject: [EXT] [OAUTH-WG] Re: OAuth Transaction Authorization Challenge


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.


AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur externe. Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous ne pouvez pas confirmer l’identité de l’expéditeur et si vous n’êtes pas certain que le contenu ne présente aucun risque.

Dear Yaroslav and co-authors,

Thank you for sharing this draft. I found it interesting and useful.

As background, my rar-metadata<https://datatracker.ietf.org/doc/draft-zehavi-oauth-rar-metadata/> draft explores a related pattern: a protected resource returns an authorization failure using the WWW-Authenticate header to indicate insufficient authorization, together with actionable remediation information, including authorization details objects.

I therefore appreciate seeing a similar pattern explored here, and I think this is a useful area for the WG to discuss.

Detailed feedback and questions:

  *   Transaction and single-use semantics. The specific “transaction” concept is familiar to me from banking use cases. However, up until now OAuth has not generally defined single-use token semantics. That is, an authorization server typically has no idea how many times a resource server will accept a given access token for a given resource request. This has historically been enforced by the resource server. What requirement motivates making the authorization server aware of resource-server token-handling semantics? If the AS is expected to know this, would it make sense for the token response to include a token-usage attribute, analogous to but distinct from expires_in?
  *   Role of the agent. The agent appears to be a normative part of the draft. To me, that seems to limit the scope of the solution, while the agent does not appear to perform specific protocol steps beyond declaring capability. In several places, the agent seems more like a channel that requires adversarial considerations, such as tampering, rather than a required protocol actor. Should the draft instead treat the agent as a security consideration?
  *   Capability discovery. OAuth has metadata mechanisms for discovering client, authorization server, and resource server capabilities. Perhaps the capability declaration currently associated with the agent could instead reuse or extend those mechanisms. In addition to the agent, the client needs to be able to process the challenge, be a client of any authorization server identified by the challenge JWT, and that authorization server also needs to support the mechanism. It may be useful to describe how these capabilities are discovered and negotiated.
  *   Initial failure as the only path. The draft seems optimized for the case where the client first calls the protected resource, receives a challenge, and then obtains a compliant token. If the client already knows the resource’s authorization requirements, can it request a compliant token up front and avoid the initial failure? If so, it may be useful to describe that path explicitly.
  *   HTTP 401 vs 403. The draft uses HTTP 401. Could you explain the reasoning? For insufficient authorization where credentials were already provided, HTTP 403 seems more directly aligned with RFC 9110: “the server understood the request but refuses to fulfill it. If authentication credentials were provided, the server considered them insufficient.” This is also the approach I took in my draft.
  *   JWT representation of transaction challenges. Could you elaborate on why transaction challenges are represented as JWTs?

     *   If the goal is authenticity or integrity of the challenge contents, it would help to state that explicitly.
     *   RAR, RFC 9396, does not require signed authorization details; the AS evaluates the authorization_details input as part of the authorization request. If the concern is that the agent or another intermediary may tamper with the challenge, perhaps the JWT could be consumed by the client. The client could validate the JWT, extract the usable parts, and use them in a normal OAuth request. That would avoid requiring the AS to understand challenge JWTs or maintain a trust relationship with resource servers.
     *   The JWT does not appear to be included in the later access token request or in the client’s subsequent request to the protected resource. Therefore, checks such as verifying consistency with the authorization_details claim in the transaction authorization challenge seem to require resource-server state. Is that intended?

  *   Header size. Returning the challenge JWT in the WWW-Authenticate header may create interoperability issues due to header size limits, even before considering larger post-quantum signatures.
  *   Authorization server selection. The challenge can appear to identify an authorization server different from the one used to obtain the token in the failing request. This may be problematic if the client cannot use the indicated AS, is not registered with that AS, or the AS does not support this mechanism. It may be useful to describe the expected client behavior in that case.
  *   New endpoint / grant pattern. Could you explain the reason for introducing a new transaction authorization endpoint? Is this also intended to define a new grant type? Since FiPA already supports challenge negotiation and allows the AS to request direct interaction with the end user through redirect_to_web, perhaps a FiPA extension with your use case plus the Deferred Token Response draft<https://datatracker.ietf.org/doc/draft-gerber-oauth-deferred-token-response/> could address your use case without necessitating a new endpoint.
  *   Transaction authorization endpoint details. Which parameters does the transaction authorization endpoint accept, and which OAuth mechanisms are intended to apply to it, such as client authentication, PAR, DPoP/mTLS sender-constraining, etc.?
  *   User redirection and polling. When authorization_uri is returned and the end user is redirected there, how does the client obtain the result? Is the client expected to poll in parallel?
  *   Token issuance pattern. FiPA returns a code and leaves token issuance to the token endpoint, whereas this draft’s transaction authorization endpoint appears to return tokens directly. Would it make sense to align the patterns?
  *   Access token relay. The draft says: “In deployments where one agent delegates work to another agent, the access token MAY be relayed through one or more intermediate agents before being presented to the protected resource.” Relaying an access token through multiple agents seems difficult to combine with DPoP, since the proof binds token use to one key.

Regards,
Yaron ZEHAVI



Classification: GENERAL
From: Yaroslav Rosomakho <yrosomakho=40zscaler.com@dmarc.ietf.org<mailto:yrosomakho=40zscaler.com@dmarc.ietf.org>>
Sent: Thursday, June 25, 2026 1:50 PM
To: oauth@ietf.org<mailto:oauth@ietf.org>
Cc: draft-rosomakho-oauth-txn-challenge.authors@ietf.org<mailto:draft-rosomakho-oauth-txn-challenge.authors@ietf.org>
Subject: [OAUTH-WG] OAuth Transaction Authorization Challenge

You don't often get email from yrosomakho=40zscaler.com@dmarc.ietf.org<mailto:yrosomakho=40zscaler.com@dmarc.ietf.org>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>
This message is from an external sender - be cautious, particularly with links and attachments.

And this time without a typo in the email alias for draft authors...

-yaroslav

On Thu, Jun 25, 2026 at 12:19 PM Yaroslav Rosomakho <yrosomakho@zscaler.com<mailto:yrosomakho@zscaler.com>> wrote:
Dear OAuth enthusiasts,

Pieter, Brian, Karl and I have submitted a new individual draft: OAuth Transaction Authorization Challenge (draft-rosomakho-oauth-txn-challenge).

This specification defines a mechanism for a protected resource to request transaction-specific authorization before completing a particular operation. The protected resource returns a signed transaction authorization challenge, which is relayed through the agent(s) down to the client. The client presents the challenge to the authorization server, which validates it, obtains any required approval from a human user and/or any additional relevant approving party, and issues an access token whose granted authorization details describe the approved operation.

The motivating use cases include agent-initiated actions requiring human approval (aka "human-in-the-loop") and flexible integration with organizational approval workflows. The mechanism is intended to complement OAuth step-up authentication and CIBA by requesting authorization for a specific transaction rather than stronger or fresher authentication alone.

Questions, suggestions, concerns and overall feedback is very welcome!

Thank you.

-yaroslav
---------- Forwarded message ---------
A new version of Internet-Draft draft-rosomakho-oauth-txn-challenge-00.txt has
been successfully submitted by Yaroslav Rosomakho and posted to the
IETF repository.

Name:     draft-rosomakho-oauth-txn-challenge
Revision: 00
Title:    OAuth Transaction Authorization Challenge
Date:     2026-06-25
Group:    Individual Submission
Pages:    33
URL:      https://www.ietf.org/archive/id/draft-rosomakho-oauth-txn-challenge-00.txt
Status:   https://datatracker.ietf.org/doc/draft-rosomakho-oauth-txn-challenge/
HTML:     https://www.ietf.org/archive/id/draft-rosomakho-oauth-txn-challenge-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-rosomakho-oauth-txn-challenge


Abstract:

   This document defines an OAuth mechanism for transaction-specific
   authorization challenges.  A protected resource can require
   additional authorization for a particular operation by returning a
   transaction authorization challenge.  This is useful when requests
   are mediated by agents, automated workflows, or delegated services
   and the protected resource requires confirmation from a human user,
   resource owner, or organizational authority.  The client presents the
   challenge to an authorization server, which validates the challenge,
   obtains any required approval, and issues an OAuth 2.0 access token
   whose granted authorization details, expressed using Rich
   Authorization Requests, describe the approved operation.  The access
   token is then presented to the protected resource as evidence that
   the challenged operation was authorized.



The IETF Secretariat


This communication (including any attachments) is intended for the sole use of the intended recipient and may contain confidential, non-public, and/or privileged material. Use, distribution, or reproduction of this communication by unintended recipients is not authorized. If you received this communication in error, please immediately notify the sender and then delete all copies of this communication from your system.
This message and any attachment ("the Message") are confidential. If you have received the Message in error, please notify the sender immediately and delete the Message from your system, any use of the Message is forbidden. Correspondence via e-mail is primarily for information purposes. RBI neither makes nor accepts legally binding statements via e-mail unless explicitly agreed otherwise. Information pursuant to § 14 Austrian Companies Code: Raiffeisen Bank International AG; Registered Office: Am Stadtpark 9, 1030 Vienna, Austria; Company Register Number: FN 122119m at the Commercial Court of Vienna (Handelsgericht Wien).