[OAUTH-WG] Re: Feedback on ID-JAG same IdP prohibition - Application to Application Delegation
Tarun Nanduri <tarunnanduri7@gmail.com> Fri, 05 December 2025 03:19 UTC
Return-Path: <tarunnanduri7@gmail.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C51A195C4FB3 for <oauth@mail2.ietf.org>; Thu, 4 Dec 2025 19:19:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I0UB6vNnxTou for <oauth@mail2.ietf.org>; Thu, 4 Dec 2025 19:19:17 -0800 (PST)
Received: from mail-yx1-xb12d.google.com (mail-yx1-xb12d.google.com [IPv6:2607:f8b0:4864:20::b12d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E205195C4FA9 for <oauth@ietf.org>; Thu, 4 Dec 2025 19:19:17 -0800 (PST)
Received: by mail-yx1-xb12d.google.com with SMTP id 956f58d0204a3-640c9c85255so2639741d50.3 for <oauth@ietf.org>; Thu, 04 Dec 2025 19:19:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764904757; x=1765509557; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=r6hc8qldH+WMuiSwFmouB2y2GnOoGuAjy2BNCEfSQEE=; b=eRCDqTSn7ZEswfNa93SB1+zK4mzzW/R9VVHQJBD9I+2dLwivLqUzTx3qI7XZa3cA2k GiO6iYKukwN1h4qpZcz0Gx4WehfDfmkdgaVtqFYAgq3Faf0/FpB5AZsB4IACVi5x7FJR KxLHtmZgjxJh7Cs1m4lKdHny6JdMX6Yn+A6Kt0+udd9iA+apatH2oxCGO/8wQMVr2N1h 2JKRgf3UtPPAqyLyflPL4yKG/Yy98lNKyKaJztD4MTT1SDkw9AwUFLUqpWkjiHmgqCKL +tV6h1u4Y7T6AgZI4cSeXLKT/kP/rPnJqBh92HmOuxkWS02CL9/AeFHvULLPiHYXXCKz gbtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764904757; x=1765509557; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=r6hc8qldH+WMuiSwFmouB2y2GnOoGuAjy2BNCEfSQEE=; b=anJtc+YfWSEFEXxR+bTJonQnRrn9OPXmypF/h7Ao+MOKZ5uukEdvPYTrhnxhEp4E5i 1/cJ98H01D5Nvwn7601BLyAd1eTXjgz6ktK8GLpe6pOdwWIUQwNFpCusfZK59vstS928 +JVdWV/DnBG1ySDs07Rsb/wCnTq+kYgFXoxUN7cjYkaN1iyKhz8tUWOg73TheY1YS6Zd Oy8yfDY8gdJeutv+MgkIfhtRyP/RPODm1BI5zWy7Hpw8zFZNxo/yqkwG+VwrjBzBNYB/ 7/QtIKXHfGOOuli8as++7cykNvhDCn+0aPTHTiE6P1J2X4x6DW3NdFzAgOaGx+CZ0tiA f81g==
X-Gm-Message-State: AOJu0Yyzxu3O5+bAtE9JlUbJ21VWK1/ktAFzrUgc0z8qjg2INHDSxLzC vATDeje6HuFotCyW9Yiu+Q0i5HS0+WihuA1eVzkBpYNmKH12cTbwYkwwlyMXND1Fj0x+7Npt2VA zpKXt+ckWJr69e1YmKqhYq+Ikk51jrNR4YQ==
X-Gm-Gg: ASbGncsHoW1ZfohUX20PvaajCIm0AREZDvkI+iFQ7v1DKdOLDC2LBNWcYamQO0rNWnp 7WVN1G0kyQLTmRRqPAQJ0YUmD7LaMIjHNdEUsrdzLhKmrLkXwgI/nubHexRC/yChtNngW5GCBHj qPmhMWDcKJlk8Zy1SklhyLh3jS/Jr3FHsMBrarnQhj7OjBAS1q80bBU3mZoH4/mFUZrMw7nDjRv lUSI8Pr5T7JOM0XpE8/LFg4zqxNIB6zbH2Lh9fpsZaWcA//J0W9Ddl7ZPY5V+JhRId5ITWsebFY EngGympDdIKCg3D2UpMqRXtahRIf
X-Google-Smtp-Source: AGHT+IG3TQnmof/tc58GsR8xZI+ZWsLVDNDfYFGF5UznuSZWE1LiSdpv7iobGOPqkmYmLPbiAtcKq92cl7AzOMYtH9c=
X-Received: by 2002:a05:690c:6982:b0:787:e9bc:fad4 with SMTP id 00721157ae682-78c18862223mr34901507b3.46.1764904757290; Thu, 04 Dec 2025 19:19:17 -0800 (PST)
MIME-Version: 1.0
References: <CAC7mS1-RovjjCGg16W9W1YpcZgrDD4Ng0D2w9FQN1rCB0dxi5g@mail.gmail.com> <CAGBSGjpsShrJR0TtsncrCpX=qYg1kF4HSqznqNN3F+CP9-41gA@mail.gmail.com> <CAC7mS18R3ngNOwVoU8X3a6WfcF7kV4VOB=7FdPTDDi2AO3TKjQ@mail.gmail.com>
In-Reply-To: <CAC7mS18R3ngNOwVoU8X3a6WfcF7kV4VOB=7FdPTDDi2AO3TKjQ@mail.gmail.com>
From: Tarun Nanduri <tarunnanduri7@gmail.com>
Date: Fri, 05 Dec 2025 08:49:06 +0530
X-Gm-Features: AWmQ_bl0q5Ky0FhAkQpstq2HIep2BJdxDqicFNuSR4l7YT43qy9cNxNReK4I2MY
Message-ID: <CAC7mS185kZ5bKN9yoWu6Ap2EJnPDV20pDuOcudVpGi4TzTOC7w@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Content-Type: multipart/alternative; boundary="0000000000001ee9f006452be965"
X-MailFrom: tarunnanduri7@gmail.com
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0
Message-ID-Hash: JDKAN57ZUVRIZABKAYUFAFAY3FTS3IUA
X-Message-ID-Hash: JDKAN57ZUVRIZABKAYUFAFAY3FTS3IUA
X-Mailman-Approved-At: Fri, 05 Dec 2025 04:08:47 -0800
CC: oauth@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Feedback on ID-JAG same IdP prohibition - Application to Application Delegation
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pHxs6dsqV7ozlE_zAyFX8GiV1ys>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
copying Oauth WG, apologies for another reply over! On Fri, Dec 5, 2025 at 8:46 AM Tarun Nanduri <tarunnanduri7@gmail.com> wrote: > Hi Aaron, > > Thanks for the response, and pointing me to the Identity Chaining draft. > However, after looking at it, I don't think it applies to the use-case I > shared above (please feel free to correct here). It looks like it's > designed for cross-domain scenarios* whereas the use-case I shared above > has*, > > - Both the clients are in same trust domain > - We have single authorization server (it's the IdP too) > > The challenge we are trying to solve is, > > - Client A needs to transfer user session to client B > - WITHOUT Client A sharing its access token with client B (security > risk due to token exposure, invalid audience, unnecessary privileges etc.) > - Both clients trust the same IdP > > This is why we're intending to use RFC8693, but it still requires client A > to send access token (after token exchange) to client B which creates > exposure we're trying to avoid. The ID-JAG pattern (cryptographic proof of > identity, not a usable token) would be perfect, except the prohibition > defined in section 8.3 of Identity Assertion draft: > 8.3. > <https://www.ietf.org/archive/id/draft-parecki-oauth-identity-assertion-authz-grant-05.html#section-8.3>Cross-Domain > Use > <https://www.ietf.org/archive/id/draft-parecki-oauth-identity-assertion-authz-grant-05.html#name-cross-domain-use> > > This specification is intended for cross-domain uses where the Client, > Resource App, and Identity Provider are all in different trust domains. In > particular, the Identity Provider MUST NOT issue access tokens in > response to an ID-JAG it issued itself. Doing so could lead to > unintentional broadening of the scope of authorization. > My question remains, Can the section 8.3 prohibition be satisfied with > enough security controls (scope validation, replay prevention etc.) for > same IdP scenarios, or is it a hard limitation? > > Thanks and Regards, > Tarun Nanduri. > > > On Fri, Dec 5, 2025 at 1:53 AM Aaron Parecki <aaron@parecki.com> wrote: > >> Hi Tarun, >> >> It sounds like what you are looking for is the parent draft of this >> draft, Identity and Authorization Chaining Across Domains: >> https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/ >> >> The document that defines the ID-JAG, Identity Assertion Authorization >> Grant, is a special case of Identity Chaining where both the client and >> resource have a pre-existing relationship with the same IdP. So I don't >> view it as a limitation, it's actually an optimization when there is a >> common IdP. The Identity Chaining draft is the same as this draft except it >> doesn't specify the input token format or the reason why the client and >> resource trust the cross-domain JWT issuer. >> >> Aaron >> >> >> >> On Mon, Dec 1, 2025 at 8:11 AM Tarun Nanduri <tarunnanduri7@gmail.com> >> wrote: >> >>> Dear OAuth Working Group & Aaron, >>> >>> I would like to provide feedback on the OAuth Identity Assertion >>> Authorization Grant (ID-JAG) specification, specifically regarding >>> the prohibition against same-IdP usage. >>> >>> Use Case: >>> >>> In microservices architectures using the same IdP, there is a >>> legitimate need for service-to-service identity delegation WITHOUT >>> sharing access tokens directly: >>> >>> - Application A has a user-scoped token >>> - Application A needs to invoke Application B on behalf of user >>> - Sharing Token A with Application B creates security risks: >>> * Token exposure between services >>> * Replay attacks >>> * Over-privileged access >>> * Audience mismatch >>> >>> The Gap: >>> >>> ID-JAG's assertion pattern solves this perfectly: >>> - Application A creates a cryptographic identity assertion >>> - Assertion is audience-bound to Application B >>> - Application B exchanges assertion for its own token >>> - No credential sharing between services >>> >>> However, the same-IdP prohibition prevents this legitimate use case. >>> >>> Suggestion: >>> >>> Consider either: >>> 1. Removing the same-IdP prohibition with appropriate security guidance >>> 2. Adding an exception for service-to-service delegation scenarios >>> 3. Providing guidance on how to achieve this pattern within the same IdP >>> >>> RFC 8693 (Token Exchange) doesn't fully address this use case as it >>> requires sending the actual token (subject_token), which is what we're >>> trying to avoid. >>> >>> Security Considerations: >>> >>> With zero-trust validation, same-IdP assertions can be just as secure >>> as cross-IdP: >>> - Validate assertion issuer is authorized >>> - Apply fresh authorization policy evaluation >>> - Enforce audience restrictions >>> - Use short-lived assertions >>> - Implement scope intersection, not broadening >>> >>> Would appreciate the working group's consideration of this use case. >>> >>> Best regards, >>> Tarun Nanduri. >>> >>
- [OAUTH-WG] Feedback on ID-JAG same IdP prohibitio… Tarun Nanduri
- [OAUTH-WG] Re: Feedback on ID-JAG same IdP prohib… Aaron Parecki
- [OAUTH-WG] Re: Feedback on ID-JAG same IdP prohib… Tarun Nanduri