Hi, Thanks for the introduction in previous WG calls. I am interested in providing Workload call chains in OAuth tokens, and based on https://datatracker.ietf.org/doc/html/draft-ietf-oauth-transaction-tokens-00 I have a few questions/feedback about specifics of the draft.
1. Section 5.2.1. Why not use the “act” claim of RFC 8693, rather than introduce the new “sub_id” claim?

2. Section 5.2.1. Should the workload call chain, identifying each workload that has requested a new txn_token, be preserved in the txn_token claims-set, similar to the “act” claim of RFC 8693? It may be that workloads deeper in the chain have no way to reason about prior actors, but maybe the spec should allow for the request call chain to optionally be preserved, in case upstream workloads can reason about downstream workloads.

3. Section 7.2: In the text, it says “The token_type value MUST be set to txn_token", but I think it should say “The issued_token_type value MUST be set to urn:ietf:params:oauth:token-type:txn_token”.

4. Section 7.2: I understand why you wouldn't want a refresh_token in the response. Why can’t the response include expires_in or scope?

Regards,
-Ken McCracken
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
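As an added illustration, not part of Ken McCracken's message or of the draft, the following Python shows the nested `act` delegation chain from RFC 8693 section 4.1 that question 2 points at (the outermost `act` is the current actor, earlier actors are nested inside it), plus a receiver-side check of the token exchange response fields discussed in questions 3 and 4. The function names (`add_actor`, `actor_chain`, `check_exchange_response`, `response_is_valid`) and the sample claims and response are hypothetical and constructed; the "token" is a bare JSON claims-set standing in for a signed JWT, so it carries no signature check.

```python
import copy
import json

# Token type URI for transaction tokens, as quoted in the message above.
TXN_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:txn_token"


def add_actor(claims: dict, actor: dict) -> dict:
    """Return a new claims-set recording `actor` as the current actor.

    Follows RFC 8693 section 4.1: the outermost "act" claim is the current
    actor and any previous "act" chain is nested inside it, so earlier
    workloads in the call chain are preserved instead of overwritten.
    The input dict is not mutated.
    """
    new_claims = copy.deepcopy(claims)
    new_act = dict(actor)
    if "act" in new_claims:
        new_act["act"] = new_claims["act"]
    new_claims["act"] = new_act
    return new_claims


def actor_chain(claims: dict) -> list:
    """List actor 'sub' values from the current actor back to the first one."""
    chain = []
    act = claims.get("act")
    while act is not None:
        chain.append(act["sub"])
        act = act.get("act")
    return chain


def check_exchange_response(resp: dict) -> dict:
    """Validate a token exchange response that carries a transaction token.

    Checks the points raised in the message: issued_token_type must identify
    a txn_token, no refresh_token may be present, and expires_in (if present)
    must be a positive integer. Returns the token's claims-set. The token is
    a constructed JSON claims-set here; a real receiver verifies the JWT
    signature before trusting any claim.
    """
    if resp.get("issued_token_type") != TXN_TOKEN_TYPE:
        raise ValueError("issued_token_type does not identify a txn_token")
    if "refresh_token" in resp:
        raise ValueError("a transaction token response must not carry a refresh_token")
    expires_in = resp.get("expires_in")
    if expires_in is not None and not (isinstance(expires_in, int) and expires_in > 0):
        raise ValueError("expires_in must be a positive integer when present")
    return json.loads(resp["access_token"])


def response_is_valid(resp: dict) -> bool:
    """Boolean wrapper around check_exchange_response for callers that log rather than raise."""
    try:
        check_exchange_response(resp)
        return True
    except (ValueError, KeyError):
        return False


# Constructed sample: a request enters at workload-a, then passes to b and c.
SAMPLE_CLAIMS = {
    "iss": "https://issuer.example",
    "sub": "user@example",
    "aud": "trust-domain.example",
}


def example_chain() -> dict:
    claims = SAMPLE_CLAIMS
    for workload in ("workload-a", "workload-b", "workload-c"):
        claims = add_actor(claims, {"sub": workload})
    return claims


# Constructed sample response. token_type is not checked here; the message
# above discusses what value the draft should require for it.
SAMPLE_RESPONSE = {
    "access_token": json.dumps(example_chain()),
    "issued_token_type": TXN_TOKEN_TYPE,
    "token_type": "N_A",
    "expires_in": 300,
}

if __name__ == "__main__":
    print(json.dumps(example_chain(), indent=2))
    print("chain (current first):", actor_chain(example_chain()))
    print("response valid:", response_is_valid(SAMPLE_RESPONSE))
```

Running the block prints the nested claims-set and the chain `['workload-c', 'workload-b', 'workload-a']`; a response with a `refresh_token` or a wrong `issued_token_type` is rejected.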
