IETF Logo Mail Archive

[OAUTH-WG] Re: Feedback on ID-JAG same IdP prohibition - Application to Application Delegation

Pieter Kasselman <pieter@defakto.security> Mon, 09 February 2026 14:53 UTC

Return-Path: <pieter@defakto.security>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 43E53B40F6DB for <oauth@mail2.ietf.org>; Mon, 9 Feb 2026 06:53:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=defakto.security
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NxPEca5NFzOX for <oauth@mail2.ietf.org>; Mon, 9 Feb 2026 06:53:31 -0800 (PST)
Received: from mail-vs1-xe36.google.com (mail-vs1-xe36.google.com [IPv6:2607:f8b0:4864:20::e36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 571E9B40F6CD for <oauth@ietf.org>; Mon, 9 Feb 2026 06:53:31 -0800 (PST)
Received: by mail-vs1-xe36.google.com with SMTP id ada2fe7eead31-5f5418c40daso4908113137.0 for <oauth@ietf.org>; Mon, 09 Feb 2026 06:53:31 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1770648805; cv=none; d=google.com; s=arc-20240605; b=gOGqOKqxf64uvyEwQms0t1CQUIdDgnM23bKtwbPHdAq8yI42KSk5sdRD/OiGSI0FUQ OrixZOndTdSN/HdbR3GEgkXn+Ba2KZz1/grRN4xDqU33Xtn0grW5UwaeF8H6TV1K/Dnb aoIZNRbu3WQ2cLq3sMmDak96SnHwVTeHfC0qAL9tmenC3EWkhpO0xDhKJW47bYt0W/53 iC07uArAPM9XDDmkXBvzp/quwqW+Ug0Z4opHuxgD8n6SXjcMwd+qJuBhsoCyUr4BWKni 8CUFqEN0zrRFOq3im5H2j6s+Ib4uya1xwg+SXg5IBq6stxYbt6HR1GB77Ij0KKt4fLKk BkRQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=di1XZUwDNhL65Cuow2cwuPZmmYD05AUqIlbj6ferlZw=; fh=MeryAviSUuT7h4rqgUUn7bAgCEQV5VNBjloP/KOlaKE=; b=IyqBWW/gh+4wN9TlYeSaImEzAuey/oFw24VwN5r1bnfDK8dADhnODw7tfdW0t+jDHm V0xbgrpEBc7HTgvmSMosxfRQjAatKurKuapkkYzsvZR1wX1SYFIQMfx82lb7XaLZj3iP V4k4vq3s1y3wka7foI98Kk+o31DqzE05sa2kIQ6Lugjg5BPmjr8ShWqY63PxiGgRiFhw kHHfhKPjH3BUJj4Ye4oSGd0dckeppUA5qpEVKL8DOcj5Jt5DTVHawYZhFiDP5hoQRbI0 vSVNblUSMQ1reZPL6twxhN2gtYsUzyOHbMxVvE2MuZlhpmcmwaqwuOKq5/oIxEUSKOn3 vTUA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defakto.security; s=google; t=1770648805; x=1771253605; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=di1XZUwDNhL65Cuow2cwuPZmmYD05AUqIlbj6ferlZw=; b=JdQ3Od0xc94vTju6mvoKZDrQ+40/8aGrwopEp3cT0Bc0e1twp3WvFHsejso5A18jOx Y7UF5plbtulUSVLhalD8BqGznE8KYD9BMAiAfOoG+1Rg3ZjG2ueNKGO/qaoFIQ0DE+3R Z5UhZmgETSUPjjZNpryn7Ju7OwPtl0+XOYWmmBOObRFd8VJ/T7al1zxscrRI44EcLY3r Fd8IyLFq2I24lJ+LFQz5+O0xj4zTsaghSzeK89qOQLzWLkMN+NFS4+neIW8w7WP6WMKl 5kTmxdfGjDuG6hUy3jYGBKWeCXHgjvqK+Utblzpqg+l1A6l0AFmyYRUw2e5KAe+HQ2KI oHpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770648805; x=1771253605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=di1XZUwDNhL65Cuow2cwuPZmmYD05AUqIlbj6ferlZw=; b=QOIKcR5pxCHyaS6sPesYN4K7z8/2Z40t6GV6Y5RbUt5gOFeXYh6RLCcs/wgJCYVGIM u9qLKTWtVELADFGeK4caz8eFAhY/0OZoxQ0M6fKmA7oEgQJInHEYJBAxCg7ttN9jKAr9 7zFMlsv+QTYeOTxF3COc+KvALWI0zPztGHm2yzGEunAUh8AJlKGL4aFCkiKDRaJx5F0B /OMjW6IkWrPjIL1gBJ5un+vyW4GNHDYhv/JMdnMLbzaKqeyofxpc6wtUWpphljXNflEx GSmMzfNwu0D+we3xc+rLW21SNTZAXK1u8EXBCATSSPHWSZDZ0rLZnRXE04DiFaE7xa79 YSZQ==
X-Forwarded-Encrypted: i=1; AJvYcCV1enP33io3Wr41cSJ4Vn4uZs+WsMdWnAMpCcZRRAuKeG3gxccWFGnLG6rw1jjP8OY2TXLzsQ==@ietf.org
X-Gm-Message-State: AOJu0YwusbE/HZogGGwbBlSRVSQF/F8+YkbQnKKBVtTCmFIMA5AT9n87 EFmP9W1oh7omMjQoeQMD8C4oAY3+qrUW9tmlTvjVE0s022UiUyb9pXnhxGEVjBRX47xeQ+Fmy+k QVqdkyuPIft8kWPzK/ZMizLz/lm96RroCV799Z23DQlYpPE08xiuZScg=
X-Gm-Gg: AZuq6aKVX/BOnnxlLOXuX1bXlrDNoiFrbWVMsaAzj85NGyYifNLy30UdeV4hAEx54/B j60fJ/HqBqt+fnkHXu/2KsPaEGVAJV2rMgirA/VZY1V74pgIuyqnMCHRHDDXm50QNU01XiC/sQG bZ1ZQy8Y5K54fxuUvd/OERF0fITvWaOMZuWePRAChJGdmyMpG53skkC4mSuZu/tzjtCkxmw2Mnf ZRy8Sk2U33qb8HnCv9HYSWXPGsz9HjoTBUtAgUhGo48ISMEIKplQFQLdn9P58InCT+X1Ss4lWOJ Mg6lglduWX9FoWcUaTQB59kalSAGx5svP1LKXGeHcDB2rZR85UagUHUTFe0=
X-Received: by 2002:a05:6102:3052:b0:5db:293c:c294 with SMTP id ada2fe7eead31-5fae76bf6ecmr3351260137.5.1770648805130; Mon, 09 Feb 2026 06:53:25 -0800 (PST)
MIME-Version: 1.0
References: <CAC7mS1-RovjjCGg16W9W1YpcZgrDD4Ng0D2w9FQN1rCB0dxi5g@mail.gmail.com> <CAGBSGjpsShrJR0TtsncrCpX=qYg1kF4HSqznqNN3F+CP9-41gA@mail.gmail.com> <CAC7mS18R3ngNOwVoU8X3a6WfcF7kV4VOB=7FdPTDDi2AO3TKjQ@mail.gmail.com> <CAC7mS1_2jfC4++tuZX4smJVrcDYzr-=VbK2VHYU2N5jH2EfaEQ@mail.gmail.com> <CA+k3eCT0R1FLZerrO=FfLwJyx6XgdShzh7mVRndmoTE6nMGqQA@mail.gmail.com> <CALtWOA3TCXd02WSO9odywT5bwrn-E20zYiJudZ9BzVs07hF7pw@mail.gmail.com> <CAC7mS1_6ajOH0JU3uuLjmObdnaeo2sKc8x5TWiVtCE=S+ckpFw@mail.gmail.com>
In-Reply-To: <CAC7mS1_6ajOH0JU3uuLjmObdnaeo2sKc8x5TWiVtCE=S+ckpFw@mail.gmail.com>
From: Pieter Kasselman <pieter@defakto.security>
Date: Mon, 09 Feb 2026 14:53:14 +0000
X-Gm-Features: AZwV_QiwIV1i_NDwL8lgwbDV9HdEpdWnUZ94eytvtjKpGSBBJt6PoqBEOjbuv_M
Message-ID: <CALtWOA1KWhq8diBTA9J52GcGqHNHQgEL+oWfJY9SJL_DPiqf0g@mail.gmail.com>
To: Tarun Nanduri <tarunnanduri7@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000000d50df064a654dc1"
Message-ID-Hash: ZX64KXC3DS73QA5RMQ5WQYGPUOYL756I
X-Message-ID-Hash: ZX64KXC3DS73QA5RMQ5WQYGPUOYL756I
X-MailFrom: pieter@defakto.security
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Feedback on ID-JAG same IdP prohibition - Application to Application Delegation
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/p7Ohmv7CR602otvK9TL2R9FyX38>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi Tarun, for the original use case you described, you may want to consider
the transaction token spec [1].

It was specifically developed to allow authorization context, including
user and workload/microservice identity information, to be passed between
microservices within a domain, without having to pass around access tokens.

Cheers

Pieter

[1] https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/07/

On Sun, Feb 8, 2026 at 8:02 AM Tarun Nanduri <tarunnanduri7@gmail.com>
wrote:

> Hi Pieter, Brian, Aaron, and the WG,
>
> Thanks for the feedback and for taking the time to look at this. I’ve been
> thinking over the points about Section 8.3 and the general intent of ID-JAG.
>
> Stepping back from the specific spec for a second, it feels to me like we
> have a bit of a gap in the OAuth/OIDC specifications. We’re essentially
> looking for a standard way to do Directed Session Transfer, in environments
> where shared cookies/SSO just aren't an option for security reasons.
>
> You pointed toward the Identity Chaining Across Domains draft as the
> intended home for this, and I see the logic—since the AS in Domain A
> generates the JWT grant, it handles the "identity proof" part of the
> handover.
>
> But right now, if I want to move a user from App A to App B without a
> fresh login, the options still feel a bit thin:
>
>    - Standard SSO is off the table because of the "no-shared-cookie"
>    constraint.
>    - RFC 8693 is a great building block, but it’s mostly used for
>    service-to-service backend swaps. There isn't really a front-channel
>    "profile" for this (as RFC863 sends back a usable token rather than an
>    assertion).
>    - Identity Chaining, as Brian mentioned, is explicitly a specification
>    for cross-domain use.
>
>
> It feels a bit ironic that the protocol makes "Cross-Domain" identity
> transfers standardized via ID-JAG (as an OAuth native grant), but leaves
> "Intra-Domain" delegation as a "roll-your-own" exercise. Without a standard
> profile for this, people might just end up building non-standard hacks
> which is exactly what we’re trying to avoid.
>
> I’m not trying to force a change to ID-JAG if the WG feels it’s the wrong
> home, but I am curious:
>
>    - Do we think this "Directed Session transfer" pattern is a gap worth
>    filling?
>
> It feels to me like there should be an "OAuth-native" way to do this that
> has the right guardrails (audience binding, act claims, etc.) to make it
> secure in a Zero Trust setup, but is as straightforward to implement as a
> basic Auth Code grant. I’d love to hear if anyone else sees this gap, or if
> there's a pattern I’m missing that doesn't involve a lot of custom "glue"
> code.
>
> Best Regards,
> Tarun Nanduri.
>
> On Thu, Feb 5, 2026 at 6:14 PM Pieter Kasselman <pieter@defakto.security>
> wrote:
>
>> Hi Tarun
>>
>> I agree with Brain and Aaron that your use case can likely be addressed
>> by the Identity and Authorization Chaining Across Domains draft [1]. You
>> could always profile it further if needed. Is there a reason you would not
>> be able to use that draft?
>>
>> Cheers
>>
>> Pieter
>>
>> [1] https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/
>>
>> On Wed, Feb 4, 2026 at 9:31 PM Brian Campbell <bcampbell=
>> 40pingidentity.com@dmarc.ietf.org> wrote:
>>
>>> Hi Tarun,
>>>
>>> As Aaron mentioned there are less tightly profiled variations of this
>>> general flow, like oauth-identity-chaining
>>> <https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/>
>>> or rfc8693 <https://datatracker.ietf.org/doc/html/rfc8693> + rfc7523
>>> <https://datatracker.ietf.org/doc/html/rfc7523> together directly, that
>>> don't have the same constraint regarding the IDP not issuing access tokens
>>> in response to an ID-JAG it issued itself. Perhaps that might meet your
>>> needs? Although those are intended for cross domain as well. Honestly, much
>>> of this seems like more than is needed for a same idp / same domain case.
>>>
>>> On Tue, Feb 3, 2026 at 8:13 PM Tarun Nanduri <tarunnanduri7@gmail.com>
>>> wrote:
>>>
>>>> Dear Aaron,
>>>>
>>>> I am awaiting your feedback on this. To summarize,
>>>>
>>>> When an Identity Provider (IdP) does not support Single Sign-On (SSO)
>>>> due to the nature of the systems involved, and a user needs to transfer
>>>> their session to another application without re-logging in, I feel ID-JAG
>>>> offers a secure and seamless solution, providing a smooth user experience.
>>>>
>>>> The RFC, as stated in previous emails, explicitly prohibits using the
>>>> specification within the same IdP. Considering the zero-trust model
>>>> typically applied within the same IdP, are we open to modifying the
>>>> specification to allow its implementation within such environments?
>>>>
>>>> Best Regards,
>>>> Tarun Nanduri.
>>>>
>>>> On Fri, Dec 5, 2025 at 8:46 AM Tarun Nanduri <tarunnanduri7@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Aaron,
>>>>>
>>>>> Thanks for the response, and pointing me to the Identity Chaining
>>>>> draft. However, after looking at it, I don't think it applies to the
>>>>> use-case I shared above (please feel free to correct here). It looks like
>>>>> it's designed for cross-domain scenarios* whereas the use-case I
>>>>> shared above has*,
>>>>>
>>>>>    - Both the clients are in same trust domain
>>>>>    - We have single authorization server (it's the IdP too)
>>>>>
>>>>> The challenge we are trying to solve is,
>>>>>
>>>>>    - Client A needs to transfer user session to client B
>>>>>    - WITHOUT Client A sharing its access token with client B
>>>>>    (security risk due to token exposure, invalid audience, unnecessary
>>>>>    privileges etc.)
>>>>>    - Both clients trust the same IdP
>>>>>
>>>>> This is why we're intending to use RFC8693, but it still requires
>>>>> client A to send access token (after token exchange) to client B which
>>>>> creates exposure we're trying to avoid. The ID-JAG pattern (cryptographic
>>>>> proof of identity, not a usable token) would be perfect, except the
>>>>> prohibition defined in section 8.3 of Identity Assertion draft:
>>>>> 8.3.
>>>>> <https://www.ietf.org/archive/id/draft-parecki-oauth-identity-assertion-authz-grant-05.html#section-8.3>Cross-Domain
>>>>> Use
>>>>> <https://www.ietf.org/archive/id/draft-parecki-oauth-identity-assertion-authz-grant-05.html#name-cross-domain-use>
>>>>>
>>>>> This specification is intended for cross-domain uses where the Client,
>>>>> Resource App, and Identity Provider are all in different trust domains. In
>>>>> particular, the Identity Provider MUST NOT issue access tokens in
>>>>> response to an ID-JAG it issued itself. Doing so could lead to
>>>>> unintentional broadening of the scope of authorization.
>>>>> My question remains, Can the section 8.3 prohibition be satisfied with
>>>>> enough security controls (scope validation, replay prevention etc.) for
>>>>> same IdP scenarios, or is it a hard limitation?
>>>>>
>>>>> Thanks and Regards,
>>>>> Tarun Nanduri.
>>>>>
>>>>>
>>>>> On Fri, Dec 5, 2025 at 1:53 AM Aaron Parecki <aaron@parecki.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Tarun,
>>>>>>
>>>>>> It sounds like what you are looking for is the parent draft of this
>>>>>> draft, Identity and Authorization Chaining Across Domains:
>>>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/
>>>>>>
>>>>>> The document that defines the ID-JAG, Identity Assertion
>>>>>> Authorization Grant, is a special case of Identity Chaining where both the
>>>>>> client and resource have a pre-existing relationship with the same IdP. So
>>>>>> I don't view it as a limitation, it's actually an optimization when there
>>>>>> is a common IdP. The Identity Chaining draft is the same as this draft
>>>>>> except it doesn't specify the input token format or the reason why the
>>>>>> client and resource trust the cross-domain JWT issuer.
>>>>>>
>>>>>> Aaron
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Dec 1, 2025 at 8:11 AM Tarun Nanduri <tarunnanduri7@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Dear OAuth Working Group & Aaron,
>>>>>>>
>>>>>>> I would like to provide feedback on the OAuth Identity Assertion
>>>>>>> Authorization Grant (ID-JAG) specification, specifically regarding
>>>>>>> the prohibition against same-IdP usage.
>>>>>>>
>>>>>>> Use Case:
>>>>>>>
>>>>>>> In microservices architectures using the same IdP, there is a
>>>>>>> legitimate need for service-to-service identity delegation WITHOUT
>>>>>>> sharing access tokens directly:
>>>>>>>
>>>>>>> - Application A has a user-scoped token
>>>>>>> - Application A needs to invoke Application B on behalf of user
>>>>>>> - Sharing Token A with Application B creates security risks:
>>>>>>>   * Token exposure between services
>>>>>>>   * Replay attacks
>>>>>>>   * Over-privileged access
>>>>>>>   * Audience mismatch
>>>>>>>
>>>>>>> The Gap:
>>>>>>>
>>>>>>> ID-JAG's assertion pattern solves this perfectly:
>>>>>>> - Application A creates a cryptographic identity assertion
>>>>>>> - Assertion is audience-bound to Application B
>>>>>>> - Application B exchanges assertion for its own token
>>>>>>> - No credential sharing between services
>>>>>>>
>>>>>>> However, the same-IdP prohibition prevents this legitimate use case.
>>>>>>>
>>>>>>> Suggestion:
>>>>>>>
>>>>>>> Consider either:
>>>>>>> 1. Removing the same-IdP prohibition with appropriate security
>>>>>>> guidance
>>>>>>> 2. Adding an exception for service-to-service delegation scenarios
>>>>>>> 3. Providing guidance on how to achieve this pattern within the same
>>>>>>> IdP
>>>>>>>
>>>>>>> RFC 8693 (Token Exchange) doesn't fully address this use case as it
>>>>>>> requires sending the actual token (subject_token), which is what
>>>>>>> we're
>>>>>>> trying to avoid.
>>>>>>>
>>>>>>> Security Considerations:
>>>>>>>
>>>>>>> With zero-trust validation, same-IdP assertions can be just as secure
>>>>>>> as cross-IdP:
>>>>>>> - Validate assertion issuer is authorized
>>>>>>> - Apply fresh authorization policy evaluation
>>>>>>> - Enforce audience restrictions
>>>>>>> - Use short-lived assertions
>>>>>>> - Implement scope intersection, not broadening
>>>>>>>
>>>>>>> Would appreciate the working group's consideration of this use case.
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Tarun Nanduri.
>>>>>>>
>>>>>> _______________________________________________
>>>> OAuth mailing list -- oauth@ietf.org
>>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>>
>>>
>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s). Any
>>> review, use, distribution or disclosure by others is strictly prohibited.
>>> If you have received this communication in error, please notify the sender
>>> immediately by e-mail and delete the message and any file attachments from
>>> your computer. Thank you.*
>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>
>>

v2.39.1 | Report a Bug | By Email | System Status