I have some concerns:

- Requiring the requesting service to be in the Trust Domain of the token seems backwards to me. Surely we want these tokens to cross trust domains.
- The definition of trust domain as a group with the same security policy I don't think makes a lot of sense.
- Scope and subject are to my mind not supposed to interact the way the draft envisions.
- Requiring a limited number of services to get these seems to mitigate against using this mechanism at each step in a call chain, and thus overbroad trusting and passing of tokens.
- We should say more about how the subjects and scope interact or are supposed to be used.
- It's not clear to me where the authorization decisions are made. Do we need to say something to link the token server's job to what the workloads are expecting?
There's a vast amount left up to implementors that I think will harm interoperability.

Sincerely,
Watson

On Wed, Aug 6, 2025 at 10:04 AM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
>
> All,
>
> As per the discussion in Madrid, this is a WG Last Call for the Transaction Tokens document.
> https://www.ietf.org/archive/id/draft-ietf-oauth-transaction-tokens-06.html
>
> Please, review this document and reply on the mailing list if you have any comments or concerns, by August 22nd.
>
> Regards,
> Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org

--
Astra mortemque praestare gradatim