[OAUTH-WG] Re: I-D Action: draft-ietf-oauth-identity-assertion-authz-grant-03.txt
Aaron Parecki <aaron@parecki.com> Wed, 22 April 2026 22:37 UTC
From: Aaron Parecki <aaron@parecki.com>
Date: Wed, 22 Apr 2026 15:37:03 -0700
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/h78pXxHry0nKTrQscvAyW4EB1Po>
The editors published a new version of this draft based on feedback received from implementers over the last couple months.

A summary of the changes:

- Added a section defining terms used in the document
- Updated language to be less specific to "enterprise" and more about the relationships between the IdP and Resource Authorization Server
- Clarified the use of the resource and audience parameters in the token exchange request
- Removed language discouraging the use of the actor_token in the token exchange request
- Added a new AS metadata parameter authorization_grant_profiles_supported to enable a Resource Authorization Server to publish support for this profile

If you graciously offered to review the document after IETF 125, please make sure to read the latest draft.

Thanks!
Aaron

On Wed, Apr 22, 2026 at 3:18 PM <internet-drafts@ietf.org> wrote:
> Internet-Draft draft-ietf-oauth-identity-assertion-authz-grant-03.txt is now
> available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
> the IETF.
>
> Title: Identity Assertion JWT Authorization Grant
> Authors: Aaron Parecki
> Karl McGuinness
> Brian Campbell
> Name: draft-ietf-oauth-identity-assertion-authz-grant-03.txt
> Pages: 58
> Dates: 2026-04-22
>
> Abstract:
>
> This specification provides a mechanism for an application to use an
> identity assertion to obtain an access token for a third-party API by
> coordinating through an identity provider that the downstream
> Resource Authorization Server already trusts for single sign-on
> (SSO), using Token Exchange [RFC8693] and JWT Profile for OAuth 2.0
> Authorization Grants [RFC7523].
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-oauth-identity-assertion-authz-grant-03.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-identity-assertion-authz-grant-03
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
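The change list above mentions three things an implementer has to handle: discovering the new authorization_grant_profiles_supported metadata parameter, the resource and audience parameters of the token exchange request, and the now-permitted actor_token. The following is an added illustration, not code from the draft, its authors or this thread, of how a client might check the metadata and how a Resource Authorization Server might validate those parameters on an incoming RFC 8693 token exchange request. It assumes a placeholder profile identifier (PROFILE_ID; the real value is assigned by the draft, not here), and the rule that a request must name at least one of resource or audience is a policy choice of this example, not a requirement stated by RFC 8693 or by the email.

```python
# Added example (not from the draft or the mailing-list thread).
# Client side: check authorization_grant_profiles_supported in AS metadata.
# Server side: validate resource / audience / actor_token on a token exchange
# request, as a Resource Authorization Server or IdP token endpoint might.
from urllib.parse import urlsplit

# Placeholder: the draft assigns the actual profile identifier; this is not it.
PROFILE_ID = "urn:example:placeholder-profile-id"

# Values registered by RFC 8693 (Token Exchange).
GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token"


def supports_profile(metadata: dict, profile_id: str = PROFILE_ID) -> bool:
    """Client side: does the AS metadata list `profile_id` under
    authorization_grant_profiles_supported?  A missing or malformed value is
    treated as 'not supported', so a client falls back instead of guessing."""
    profiles = metadata.get("authorization_grant_profiles_supported")
    return isinstance(profiles, list) and profile_id in profiles


def is_valid_resource(value) -> bool:
    """RFC 8707 resource indicator: an absolute URI with no fragment."""
    if not isinstance(value, str):
        return False
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path) and parts.fragment == ""


def check_token_exchange_request(params: dict) -> list:
    """Server side: return the problems found in a token exchange request.
    An empty list means the request passed these structural checks
    (signature and claim validation of the tokens themselves is separate)."""
    problems = []
    if params.get("grant_type") != GRANT_TYPE_TOKEN_EXCHANGE:
        problems.append("grant_type must be the RFC 8693 token-exchange grant")
    if not params.get("subject_token"):
        problems.append("subject_token is required")
    if not params.get("subject_token_type"):
        problems.append("subject_token_type is required")

    resource = params.get("resource")
    audience = params.get("audience")
    # Policy choice of this example: the target must be named one way or the other.
    if resource is None and audience is None:
        problems.append("at least one of resource or audience must name the target")
    if resource is not None and not is_valid_resource(resource):
        problems.append("resource must be an absolute URI without a fragment")
    if audience is not None and not (isinstance(audience, str) and audience.strip()):
        problems.append("audience must be a non-empty string")

    # RFC 8693 Section 2.1: actor_token_type is REQUIRED when actor_token is
    # present and MUST NOT be included otherwise.
    if "actor_token" in params and not params.get("actor_token_type"):
        problems.append("actor_token_type is required when actor_token is present")
    if "actor_token_type" in params and "actor_token" not in params:
        problems.append("actor_token_type must not be sent without actor_token")
    return problems


def build_token_exchange_request(subject_token, subject_token_type=TOKEN_TYPE_ID_TOKEN,
                                 resource=None, audience=None,
                                 actor_token=None, actor_token_type=None) -> dict:
    """Client side: assemble the form parameters, omitting anything not supplied,
    and refuse to build a request the server-side checks would reject."""
    params = {
        "grant_type": GRANT_TYPE_TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
    }
    optional = {"resource": resource, "audience": audience,
                "actor_token": actor_token, "actor_token_type": actor_token_type}
    params.update({k: v for k, v in optional.items() if v is not None})
    problems = check_token_exchange_request(params)
    if problems:
        raise ValueError("; ".join(problems))
    return params


if __name__ == "__main__":
    # Constructed sample metadata document; issuer URL is illustrative.
    metadata = {"issuer": "https://as.example.com",
                "authorization_grant_profiles_supported": [PROFILE_ID]}
    print("profile supported:", supports_profile(metadata))
    print(build_token_exchange_request("<constructed-id-token>",
                                       resource="https://api.example.com/"))
```

The metadata check is deliberately strict about type: a string value where a list is expected is treated as "not advertised", so a misconfigured server never causes a client to send a grant the server cannot process. On the server side, returning a list of problems rather than raising on the first one makes it easy to log every defect of a rejected request, which is what you want when triaging a client that is sending malformed exchanges.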