IETF Logo Mail Archive

[OAUTH-WG] Re: Feedback on ID-JAG same IdP prohibition - Application to Application Delegation

Brian Campbell <bcampbell@pingidentity.com> Wed, 04 February 2026 21:30 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id DAA94B1F9D5F for <oauth@mail2.ietf.org>; Wed, 4 Feb 2026 13:30:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XzXmuNfI6j47 for <oauth@mail2.ietf.org>; Wed, 4 Feb 2026 13:30:17 -0800 (PST)
Received: from mail-ua1-x92d.google.com (mail-ua1-x92d.google.com [IPv6:2607:f8b0:4864:20::92d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id C1ACEB1F9D58 for <oauth@ietf.org>; Wed, 4 Feb 2026 13:30:17 -0800 (PST)
Received: by mail-ua1-x92d.google.com with SMTP id a1e0cc1a2514c-94120e0acbeso140576241.2 for <oauth@ietf.org>; Wed, 04 Feb 2026 13:30:17 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1770240611; cv=none; d=google.com; s=arc-20240605; b=JR3FrHdGBT6Qi2K5iECV/Rbdd3rAseTaOFKXAp64yalCnJXoF+j/ng4OB+I7cWFx9j awd+9ov/2T0h4DImJu0FqPbwxl9weccDxkNuZRMD2bhb3s4kIgNjze6nDdsg22vfoa8y kk6T6PKEClXcPrshwaTdRHPVtBjAl4rO/hvxxliURF86fNfAZRQ2LVWw1KJ41vSYYjNr WPiZXEDqlCfIWcI1cW4LvtZBU/A91mIKZIHMkQ2NImk7gWRBOdC140dgVBFjqwlq7C9P YqLgF9dQfw9ld79RQbeMP9yhEvIUekkJNYGQoiksIY3Dl/p1vjR89r+LgfR4GwaATciU Okyw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=snPu/mzwftZI8r4/bsn59/GhJoXtvZ0H1whj5mafdow=; fh=0c1h44j5SuEOmwOl/eZ1zc7UefpDYradMJ2J2iBW1Lo=; b=IuekFnyPvoOo+wABIc1uq8vfoxndfZQJN/U8B8xIUocj9mN8iLtctfkZ5AovvsO9IC dMkSyogA47pNJixPVHFGtch+lkgQtPFf/jo7LUOmNDzwECqNQ6QFlxD06MYtOlP6JmQS 9bIX5LHkFmIIdOQP7Utioju+G7KqE2FNYxc4/dDkrFrFF6D5C1S9ABsdwXIYFsgpF4XB SbUtP6YCpE0m2FSPZCIrnJ2ZHaQE7efEgfNmdUvhToYB8qr+gy48Q+bXQQkenNM/WEPm bB1yji9zk0w2SxAM4uray7duJpSDxIQ/ohCzXCf4jOm/C4H65nWlImPI2ATrP7NwqH41 zsKA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1770240611; x=1770845411; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=snPu/mzwftZI8r4/bsn59/GhJoXtvZ0H1whj5mafdow=; b=UNzY5W/5rZB7/IJ9rwb8zBvCgbvR5ui5ToduP+kK7TiQYE8zKFTDPVI5ZJMeHG4maA svlIzCA4jguUrOKGYl5cf/9L8EHXOsZ4Ql+w3ORydGAjqyEf9ctO/QLNsJBaPrtWEyGe glFiJDGFcOnV72flO/fePaBrA5uBFtlYWDh0pDmo0iYZzyPTgpyrVTJP2YeTFkoQHCeH i0U5MstieIZVD0fZC3uYHksbg2r8ocpfhCVaAo1yQ88H/elLNi+bKWTA5n6S7BT3UILR J3Ir7NmsFCHE+srR0caAFA3+SYOL7vKFRRtpncVhL5GrhjGeRMx0SKKpyC6PxRX5cHCl xSVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770240611; x=1770845411; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=snPu/mzwftZI8r4/bsn59/GhJoXtvZ0H1whj5mafdow=; b=GWvSbRUNzEuTda+hknwxAyp1HvVkU9Hs9ll5YS+vt06hP4gznOkb2u/FOeISGl3aFo tv2YV9KXyptI4XrHuT1CAqohgHPLAB3wopae+W6/XUK4WYOji3XmJA/EaybWd7UWwybi IqDHvGsBiq4BPGeYYAL8XhwoDx1EVBOo0qDgqhlEqQuJicSPqT2X1a6w8eBSYcq0xAqH vq0BTFznH1tZ2fkCxQ4RZ9IxC0Y4Uk44v9jqEk+brCTI9qMCAA0g+l2lw71qWRUc+K8o 7JHWwgXmcv4X5Pk89RMjF30p5kusLSExUmBM0mIlOBONINSP/VN65YrbubOhLBM/0GQ/ 4ziQ==
X-Forwarded-Encrypted: i=1; AJvYcCWJurA3s2CZcDc0wLcj0t0kzxa3syYMSP82qRZsA3fGWA98wQNfkBi4xQmq3OIf97M14T3Ebw==@ietf.org
X-Gm-Message-State: AOJu0YywFgnXhJAvd8VPaeGG0EfkOhshZAlyzb1mKI4rKqGPSXOlczjQ PORLvXiZThY53D/9aLzC8nP8dWljr33opGLceB4XS9Bn0ECoYnqyAvT65aHKqttSfvV5ppBLkcX Ik+KWIYky31ctOLFHYdsE8uBcS4Q2nftp4GUTdQZ+DwaYD6ND2Pj4veORfwkYQ6b/twweAVi70q CTfbFnDs5HCfziCQ==
X-Gm-Gg: AZuq6aL3koqkDHC27hPBrKQDrbfCNB9hHHrKO1Mh4fPlLZxiqhNYNGoJ9M03F7PiNug nZ/5IfZGVblM2OJBPolkqwPxZQ3RHQ4lXr9WXhCUhrDsKZIE6gU312yzfX2WaD0C6Po6yypWP3M 6UhSnJjFrIjjYIfA1v2L0/nFf9rVBtsN7xFVDHxH4N9uldBHRx9ebQEZh2DxNcJacZlaTQDqMr7 nZ7lLgDmlDPFdLLN6dwXlM1MjVHbykMmU5Mru4Rli28RbGMO4a0vTbY/J0UaTdQwUCmwCNL
X-Received: by 2002:a05:6102:94f:b0:5ed:a24:1a98 with SMTP id ada2fe7eead31-5f939642149mr1450096137.44.1770240610640; Wed, 04 Feb 2026 13:30:10 -0800 (PST)
MIME-Version: 1.0
References: <CAC7mS1-RovjjCGg16W9W1YpcZgrDD4Ng0D2w9FQN1rCB0dxi5g@mail.gmail.com> <CAGBSGjpsShrJR0TtsncrCpX=qYg1kF4HSqznqNN3F+CP9-41gA@mail.gmail.com> <CAC7mS18R3ngNOwVoU8X3a6WfcF7kV4VOB=7FdPTDDi2AO3TKjQ@mail.gmail.com> <CAC7mS1_2jfC4++tuZX4smJVrcDYzr-=VbK2VHYU2N5jH2EfaEQ@mail.gmail.com>
In-Reply-To: <CAC7mS1_2jfC4++tuZX4smJVrcDYzr-=VbK2VHYU2N5jH2EfaEQ@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 04 Feb 2026 14:29:44 -0700
X-Gm-Features: AZwV_QiOmfoklYQ-58Xl1ayfLrPXHxRu44IKPWTu3uz7yIPO8651WgUVY7xSpVM
Message-ID: <CA+k3eCT0R1FLZerrO=FfLwJyx6XgdShzh7mVRndmoTE6nMGqQA@mail.gmail.com>
To: Tarun Nanduri <tarunnanduri7@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000c3ba8f064a06422b"
Message-ID-Hash: BDG5UUCGH2ICNNMSKA2LV7YQ5L6NXENI
X-Message-ID-Hash: BDG5UUCGH2ICNNMSKA2LV7YQ5L6NXENI
X-MailFrom: bcampbell@pingidentity.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Feedback on ID-JAG same IdP prohibition - Application to Application Delegation
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/g8szr5Mnz2NzZIUMvg5bcZs8Gjw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi Tarun,

As Aaron mentioned there are less tightly profiled variations of this
general flow, like oauth-identity-chaining
<https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/>or
rfc8693 <https://datatracker.ietf.org/doc/html/rfc8693> + rfc7523
<https://datatracker.ietf.org/doc/html/rfc7523> together directly, that
don't have the same constraint regarding the IDP not issuing access tokens
in response to an ID-JAG it issued itself. Perhaps that might meet your
needs? Although those are intended for cross domain as well. Honestly, much
of this seems like more than is needed for a same idp / same domain case.

On Tue, Feb 3, 2026 at 8:13 PM Tarun Nanduri <tarunnanduri7@gmail.com>
wrote:

> Dear Aaron,
>
> I am awaiting your feedback on this. To summarize,
>
> When an Identity Provider (IdP) does not support Single Sign-On (SSO) due
> to the nature of the systems involved, and a user needs to transfer their
> session to another application without re-logging in, I feel ID-JAG offers
> a secure and seamless solution, providing a smooth user experience.
>
> The RFC, as stated in previous emails, explicitly prohibits using the
> specification within the same IdP. Considering the zero-trust model
> typically applied within the same IdP, are we open to modifying the
> specification to allow its implementation within such environments?
>
> Best Regards,
> Tarun Nanduri.
>
> On Fri, Dec 5, 2025 at 8:46 AM Tarun Nanduri <tarunnanduri7@gmail.com>
> wrote:
>
>> Hi Aaron,
>>
>> Thanks for the response, and pointing me to the Identity Chaining draft.
>> However, after looking at it, I don't think it applies to the use-case I
>> shared above (please feel free to correct here). It looks like it's
>> designed for cross-domain scenarios* whereas the use-case I shared above
>> has*,
>>
>>    - Both the clients are in same trust domain
>>    - We have single authorization server (it's the IdP too)
>>
>> The challenge we are trying to solve is,
>>
>>    - Client A needs to transfer user session to client B
>>    - WITHOUT Client A sharing its access token with client B (security
>>    risk due to token exposure, invalid audience, unnecessary privileges etc.)
>>    - Both clients trust the same IdP
>>
>> This is why we're intending to use RFC8693, but it still requires client
>> A to send access token (after token exchange) to client B which creates
>> exposure we're trying to avoid. The ID-JAG pattern (cryptographic proof of
>> identity, not a usable token) would be perfect, except the prohibition
>> defined in section 8.3 of Identity Assertion draft:
>> 8.3.
>> <https://www.ietf.org/archive/id/draft-parecki-oauth-identity-assertion-authz-grant-05.html#section-8.3>Cross-Domain
>> Use
>> <https://www.ietf.org/archive/id/draft-parecki-oauth-identity-assertion-authz-grant-05.html#name-cross-domain-use>
>>
>> This specification is intended for cross-domain uses where the Client,
>> Resource App, and Identity Provider are all in different trust domains. In
>> particular, the Identity Provider MUST NOT issue access tokens in
>> response to an ID-JAG it issued itself. Doing so could lead to
>> unintentional broadening of the scope of authorization.
>> My question remains, Can the section 8.3 prohibition be satisfied with
>> enough security controls (scope validation, replay prevention etc.) for
>> same IdP scenarios, or is it a hard limitation?
>>
>> Thanks and Regards,
>> Tarun Nanduri.
>>
>>
>> On Fri, Dec 5, 2025 at 1:53 AM Aaron Parecki <aaron@parecki.com> wrote:
>>
>>> Hi Tarun,
>>>
>>> It sounds like what you are looking for is the parent draft of this
>>> draft, Identity and Authorization Chaining Across Domains:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/
>>>
>>> The document that defines the ID-JAG, Identity Assertion Authorization
>>> Grant, is a special case of Identity Chaining where both the client and
>>> resource have a pre-existing relationship with the same IdP. So I don't
>>> view it as a limitation, it's actually an optimization when there is a
>>> common IdP. The Identity Chaining draft is the same as this draft except it
>>> doesn't specify the input token format or the reason why the client and
>>> resource trust the cross-domain JWT issuer.
>>>
>>> Aaron
>>>
>>>
>>>
>>> On Mon, Dec 1, 2025 at 8:11 AM Tarun Nanduri <tarunnanduri7@gmail.com>
>>> wrote:
>>>
>>>> Dear OAuth Working Group & Aaron,
>>>>
>>>> I would like to provide feedback on the OAuth Identity Assertion
>>>> Authorization Grant (ID-JAG) specification, specifically regarding
>>>> the prohibition against same-IdP usage.
>>>>
>>>> Use Case:
>>>>
>>>> In microservices architectures using the same IdP, there is a
>>>> legitimate need for service-to-service identity delegation WITHOUT
>>>> sharing access tokens directly:
>>>>
>>>> - Application A has a user-scoped token
>>>> - Application A needs to invoke Application B on behalf of user
>>>> - Sharing Token A with Application B creates security risks:
>>>>   * Token exposure between services
>>>>   * Replay attacks
>>>>   * Over-privileged access
>>>>   * Audience mismatch
>>>>
>>>> The Gap:
>>>>
>>>> ID-JAG's assertion pattern solves this perfectly:
>>>> - Application A creates a cryptographic identity assertion
>>>> - Assertion is audience-bound to Application B
>>>> - Application B exchanges assertion for its own token
>>>> - No credential sharing between services
>>>>
>>>> However, the same-IdP prohibition prevents this legitimate use case.
>>>>
>>>> Suggestion:
>>>>
>>>> Consider either:
>>>> 1. Removing the same-IdP prohibition with appropriate security guidance
>>>> 2. Adding an exception for service-to-service delegation scenarios
>>>> 3. Providing guidance on how to achieve this pattern within the same IdP
>>>>
>>>> RFC 8693 (Token Exchange) doesn't fully address this use case as it
>>>> requires sending the actual token (subject_token), which is what we're
>>>> trying to avoid.
>>>>
>>>> Security Considerations:
>>>>
>>>> With zero-trust validation, same-IdP assertions can be just as secure
>>>> as cross-IdP:
>>>> - Validate assertion issuer is authorized
>>>> - Apply fresh authorization policy evaluation
>>>> - Enforce audience restrictions
>>>> - Use short-lived assertions
>>>> - Implement scope intersection, not broadening
>>>>
>>>> Would appreciate the working group's consideration of this use case.
>>>>
>>>> Best regards,
>>>> Tarun Nanduri.
>>>>
>>> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.39.1 | Report a Bug | By Email | System Status