IETF Logo Mail Archive

[OAUTH-WG] Re: Feedback on ID-JAG same IdP prohibition - Application to Application Delegation

Tarun Nanduri <tarunnanduri7@gmail.com> Wed, 04 February 2026 03:13 UTC

Return-Path: <tarunnanduri7@gmail.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 1C550B18BBCC for <oauth@mail2.ietf.org>; Tue, 3 Feb 2026 19:13:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0qnE27BiOPUc for <oauth@mail2.ietf.org>; Tue, 3 Feb 2026 19:13:18 -0800 (PST)
Received: from mail-yw1-x1134.google.com (mail-yw1-x1134.google.com [IPv6:2607:f8b0:4864:20::1134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 51225B18BBC5 for <oauth@ietf.org>; Tue, 3 Feb 2026 19:13:18 -0800 (PST)
Received: by mail-yw1-x1134.google.com with SMTP id 00721157ae682-794e95357cfso3153477b3.0 for <oauth@ietf.org>; Tue, 03 Feb 2026 19:13:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1770174798; cv=none; d=google.com; s=arc-20240605; b=iqgWc25D+kfaj/Y6y1uMUPu+DdNhPA0W1J4DtpY3GBaBO6xrI8hSBYY/59KfAOvfTk TkO07jgxW5RJ9rvey6F0b0Fie5gl8VayFAatIkfYlWo5PUSjapHXytmhv4AHMFbmKP9C XMYbz0iCtyxSdElqmCAgT+zozzdaW08yGGjt/p1PyN3Fql0CjhXtDj703KnCOrGT8xmQ z/hDNOg+wr/3/ErRfspq1ra0joTnOhDAfuDTIzbd8jduOvqjkPsfUnxck5g/aV5YqloU mIE6tqwWY+Tyhx0OixfRikbHADynnugl/wCedClYyBkQDXIGye9sNZ3phFIxYOPu9/ec 0BqQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=ZceLG3tLUI+cs/ZV0eo3LXph/AkmUVEANLN/FWXzXPI=; fh=JUyav0LEjNDk66GtJsX4cT9a36DCogNSONTpGgG/k4c=; b=fOaSAzAvaedbcVpqLTqPWFqLeDaRwj6tpUWIh+L5kgUTMEg7gBAJIIGspqQeE9Ye9v lkgG7LYrm2PUT52Fjd22Ggi3MGPeHugd/MfQ7CeR8pX0xmuA1qubR8dnKGR7O7KuVBWD nzIPdxH3QWdEWaijkeQxRsNf4qISfE+IKhD9D42iURhZiBdG2K4ZxYcbE746j5odm5aB DB4NZU/P9rPynYCqqS5mbQSOKOTEUICtAM+z3csbKE/M/LVTndfWU4GoYEnrn6GjPQE4 ZF7ZbWB0ds2jZi6ZoUvXzh6YczjMZdHafVGCL1ln4ZP9N+dSOHuxHcAIb8H8zIJGTdf6 OIzQ==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770174798; x=1770779598; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=ZceLG3tLUI+cs/ZV0eo3LXph/AkmUVEANLN/FWXzXPI=; b=ayRZs7HAdMhBW1BNG7zMOBpwyaCiPYFY+JuZIgfUwi/TFT4iwASDlKnltf/PFgk3a+ xvF5Lzbe5S+ZdJ8wYbyG72eDM9K5DXs9E8YyFBq02Pl2CXLWVctVc+LBGhVrtv8enJIL LAEsOYctRGRr919PsM0Nrws1N0MeXX8edJR1UisCYupAlcFMLgG2a9V43LgNJLB/scwl PHlYNthnG4tBmFpSOcj6rb44/p4QChxF68BAfACs7QStb0f7TVYbMUOf4neHpILLwuYE +8pvW2Kmuv1OpRjRth+VKITr9dgT3Gm6tus2cqlZP3hjD5RY9OatoJ6chnhba/fhRrsj wxRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770174798; x=1770779598; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ZceLG3tLUI+cs/ZV0eo3LXph/AkmUVEANLN/FWXzXPI=; b=IMC/TEdHczB5Sh7QXrLSnoqXKLhwbnokUkE2P7vbw6VvqTNwyh95l5PCmhjQeyWCA0 hppEacOye0X6gUwuCPW4iUsIDbkSpT53+5blV/ArUkdIUJ5UIwa7GLKqiB/SDNiehNKE ZTvNJCqPdhkiihYJxTYPOLcOsIrrSRQzXF+fkInX5SMJaqDoKEviaOtYkLnDcRDxu85o 0kZ0aoIw/KQgM5J9eUq68+mAfLLqtjE6ztyDXbVZss/Qk/Ko6AJWYZQChktVYO1HIvGV hs28Xv1ZnFlgv2vSgikfntWEKkR47l15+UeBBNTeD4SmXNJKH/NBUji5Dsb+I1YvtVph ZB4g==
X-Forwarded-Encrypted: i=1; AJvYcCWdcWwpcxCxLS8nic7kxGOrn0qhQMXjZizXqfIXlVZjhuhdF32dQhQH4xYKJSH4N71/3gTVmw==@ietf.org
X-Gm-Message-State: AOJu0YwaReOwvilU3i4cwULt+CulHcvtFR71YPGX8Zx/FxuCmyG2N+0J RPBFBV77Cs2OwRAn9KEHyEw30jfePUXUA6msgjDeH2sYuawGWJcrOi5zVyNjPkhQgC/KMFjRwl7 JUy6FX0loe15UglYeSTqqCdxWikR+nbFXOw==
X-Gm-Gg: AZuq6aL9EZ5Bf0XWzNwd/spxoDEi68egF5eC9QaqIl6yE9vBFgEjLun8MDxB6UzjWlo MW+FyWfbgS/iNGmho6HOg/0dbK9EYQrfKargcaroGzNFNuNyIPzMIYImO9RvJRAJCS3HTO8xJB+ yBBkzRHfSgypfPNeXj47FOB1f1W1WXQRKlYjyYH5+LPHnHA+XP+rVdt15wbIWvaESxYDoqIZxE4 h8bcDlWeOoB2D0JoCChqfqIJ0rzcFHJh+z202wCAYfJiDPfVJd68OWrNlaAjoDJVT3anvPArNla pKc5MEjxW90mU4loJgNQmi/w8g5wxg==
X-Received: by 2002:a05:690c:39d:b0:794:d44c:866c with SMTP id 00721157ae682-794fe800c11mr16077887b3.60.1770174797657; Tue, 03 Feb 2026 19:13:17 -0800 (PST)
MIME-Version: 1.0
References: <CAC7mS1-RovjjCGg16W9W1YpcZgrDD4Ng0D2w9FQN1rCB0dxi5g@mail.gmail.com> <CAGBSGjpsShrJR0TtsncrCpX=qYg1kF4HSqznqNN3F+CP9-41gA@mail.gmail.com> <CAC7mS18R3ngNOwVoU8X3a6WfcF7kV4VOB=7FdPTDDi2AO3TKjQ@mail.gmail.com>
In-Reply-To: <CAC7mS18R3ngNOwVoU8X3a6WfcF7kV4VOB=7FdPTDDi2AO3TKjQ@mail.gmail.com>
From: Tarun Nanduri <tarunnanduri7@gmail.com>
Date: Wed, 04 Feb 2026 08:43:07 +0530
X-Gm-Features: AZwV_QhZuPNtW1rPpwz5GcBYzvnO888p_mlQmX4BXcK303UpGKWaHU4UR2bxKj8
Message-ID: <CAC7mS1_2jfC4++tuZX4smJVrcDYzr-=VbK2VHYU2N5jH2EfaEQ@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000013c7f0649f6f0f0"
Message-ID-Hash: IVCURLDBD4DF75GWRZ2DO35CGZF6P6KO
X-Message-ID-Hash: IVCURLDBD4DF75GWRZ2DO35CGZF6P6KO
X-MailFrom: tarunnanduri7@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Feedback on ID-JAG same IdP prohibition - Application to Application Delegation
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wYk9teyGM4srqZ8_bBRTNMOqMto>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Dear Aaron,

I am awaiting your feedback on this. To summarize,

When an Identity Provider (IdP) does not support Single Sign-On (SSO) due
to the nature of the systems involved, and a user needs to transfer their
session to another application without re-logging in, I feel ID-JAG offers
a secure and seamless solution, providing a smooth user experience.

The RFC, as stated in previous emails, explicitly prohibits using the
specification within the same IdP. Considering the zero-trust model
typically applied within the same IdP, are we open to modifying the
specification to allow its implementation within such environments?

Best Regards,
Tarun Nanduri.

On Fri, Dec 5, 2025 at 8:46 AM Tarun Nanduri <tarunnanduri7@gmail.com>
wrote:

> Hi Aaron,
>
> Thanks for the response, and pointing me to the Identity Chaining draft.
> However, after looking at it, I don't think it applies to the use-case I
> shared above (please feel free to correct here). It looks like it's
> designed for cross-domain scenarios* whereas the use-case I shared above
> has*,
>
>    - Both the clients are in same trust domain
>    - We have single authorization server (it's the IdP too)
>
> The challenge we are trying to solve is,
>
>    - Client A needs to transfer user session to client B
>    - WITHOUT Client A sharing its access token with client B (security
>    risk due to token exposure, invalid audience, unnecessary privileges etc.)
>    - Both clients trust the same IdP
>
> This is why we're intending to use RFC8693, but it still requires client A
> to send access token (after token exchange) to client B which creates
> exposure we're trying to avoid. The ID-JAG pattern (cryptographic proof of
> identity, not a usable token) would be perfect, except the prohibition
> defined in section 8.3 of Identity Assertion draft:
> 8.3.
> <https://www.ietf.org/archive/id/draft-parecki-oauth-identity-assertion-authz-grant-05.html#section-8.3>Cross-Domain
> Use
> <https://www.ietf.org/archive/id/draft-parecki-oauth-identity-assertion-authz-grant-05.html#name-cross-domain-use>
>
> This specification is intended for cross-domain uses where the Client,
> Resource App, and Identity Provider are all in different trust domains. In
> particular, the Identity Provider MUST NOT issue access tokens in
> response to an ID-JAG it issued itself. Doing so could lead to
> unintentional broadening of the scope of authorization.
> My question remains, Can the section 8.3 prohibition be satisfied with
> enough security controls (scope validation, replay prevention etc.) for
> same IdP scenarios, or is it a hard limitation?
>
> Thanks and Regards,
> Tarun Nanduri.
>
>
> On Fri, Dec 5, 2025 at 1:53 AM Aaron Parecki <aaron@parecki.com> wrote:
>
>> Hi Tarun,
>>
>> It sounds like what you are looking for is the parent draft of this
>> draft, Identity and Authorization Chaining Across Domains:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/
>>
>> The document that defines the ID-JAG, Identity Assertion Authorization
>> Grant, is a special case of Identity Chaining where both the client and
>> resource have a pre-existing relationship with the same IdP. So I don't
>> view it as a limitation, it's actually an optimization when there is a
>> common IdP. The Identity Chaining draft is the same as this draft except it
>> doesn't specify the input token format or the reason why the client and
>> resource trust the cross-domain JWT issuer.
>>
>> Aaron
>>
>>
>>
>> On Mon, Dec 1, 2025 at 8:11 AM Tarun Nanduri <tarunnanduri7@gmail.com>
>> wrote:
>>
>>> Dear OAuth Working Group & Aaron,
>>>
>>> I would like to provide feedback on the OAuth Identity Assertion
>>> Authorization Grant (ID-JAG) specification, specifically regarding
>>> the prohibition against same-IdP usage.
>>>
>>> Use Case:
>>>
>>> In microservices architectures using the same IdP, there is a
>>> legitimate need for service-to-service identity delegation WITHOUT
>>> sharing access tokens directly:
>>>
>>> - Application A has a user-scoped token
>>> - Application A needs to invoke Application B on behalf of user
>>> - Sharing Token A with Application B creates security risks:
>>>   * Token exposure between services
>>>   * Replay attacks
>>>   * Over-privileged access
>>>   * Audience mismatch
>>>
>>> The Gap:
>>>
>>> ID-JAG's assertion pattern solves this perfectly:
>>> - Application A creates a cryptographic identity assertion
>>> - Assertion is audience-bound to Application B
>>> - Application B exchanges assertion for its own token
>>> - No credential sharing between services
>>>
>>> However, the same-IdP prohibition prevents this legitimate use case.
>>>
>>> Suggestion:
>>>
>>> Consider either:
>>> 1. Removing the same-IdP prohibition with appropriate security guidance
>>> 2. Adding an exception for service-to-service delegation scenarios
>>> 3. Providing guidance on how to achieve this pattern within the same IdP
>>>
>>> RFC 8693 (Token Exchange) doesn't fully address this use case as it
>>> requires sending the actual token (subject_token), which is what we're
>>> trying to avoid.
>>>
>>> Security Considerations:
>>>
>>> With zero-trust validation, same-IdP assertions can be just as secure
>>> as cross-IdP:
>>> - Validate assertion issuer is authorized
>>> - Apply fresh authorization policy evaluation
>>> - Enforce audience restrictions
>>> - Use short-lived assertions
>>> - Implement scope intersection, not broadening
>>>
>>> Would appreciate the working group's consideration of this use case.
>>>
>>> Best regards,
>>> Tarun Nanduri.
>>>
>>

v2.39.1 | Report a Bug | By Email | System Status