[OAUTH-WG] Weekly github digest (OAuth Activity Summary)

Sun, 21 Sep 2025 08:30:12 -0700 



Events without label "editorial"

Issues
------
* oauth-wg/oauth-transaction-tokens (+0/-6/💬19)
 13 issues received 19 new comments:
 - #243 Consistency Pass Needed (1 by gffletch)

   https://github.com/oauth-wg/oauth-transaction-tokens/issues/243 
 - #222 Should tctx field be a MUST (1 by PieterKas)
   https://github.com/oauth-wg/oauth-transaction-tokens/issues/222 [WGLC Feedback] 
 - #217 Transaction token Lifetime extension (1 by gffletch)
   https://github.com/oauth-wg/oauth-transaction-tokens/issues/217 [WGLC Feedback] 
 - #214 Self signed JWT Validation (1 by PieterKas)
   https://github.com/oauth-wg/oauth-transaction-tokens/issues/214 [WGLC Feedback] 
 - #207 Consider information disclosure as a benefit (1 by PieterKas)
   https://github.com/oauth-wg/oauth-transaction-tokens/issues/207 [WGLC Feedback] 
 - #205 purpose containing multiple space-delimited strings (1 by gffletch)
   https://github.com/oauth-wg/oauth-transaction-tokens/issues/205 
 - #201 Unsigned JWT Expiration Time (1 by PieterKas)
   https://github.com/oauth-wg/oauth-transaction-tokens/issues/201 [WGLC Feedback] [WGLC Discuss] 
 - #196 BASE64URL Parameter Encoding (1 by PieterKas)
   https://github.com/oauth-wg/oauth-transaction-tokens/issues/196 [WGLC Feedback] 
 - #195 Relace StringOrURI with String (1 by PieterKas)
   https://github.com/oauth-wg/oauth-transaction-tokens/issues/195 [WGLC Feedback] 
 - #194 Reconsider 'purp' claim scope (5 by PieterKas, dagdagdag83, gffletch, obfuscoder)
   https://github.com/oauth-wg/oauth-transaction-tokens/issues/194 [WGLC Feedback] 
 - #193 Rationale for 'txn' being REQUIRED (1 by PieterKas)
   https://github.com/oauth-wg/oauth-transaction-tokens/issues/193 [WGLC Feedback] 
 - #190 Do we need ReplacementTx-Tokens (1 by PieterKas)
   https://github.com/oauth-wg/oauth-transaction-tokens/issues/190 [WGLC Feedback] 
 - #189 Allow Gateways to issue Tx-token to self without using RFC8693 (3 by PieterKas, gffletch)
   https://github.com/oauth-wg/oauth-transaction-tokens/issues/189 [WGLC Feedback] [WGLC Discuss] 


 6 issues closed:

 - Logical vs Physical TTS https://github.com/oauth-wg/oauth-transaction-tokens/issues/233 [WGLC Feedback] 
 - Clarify "JWT Representation" https://github.com/oauth-wg/oauth-transaction-tokens/issues/230 [WGLC Feedback] 
 - Clarify Transaction token in context of Call Chain https://github.com/oauth-wg/oauth-transaction-tokens/issues/203 [WGLC Feedback] 
 - Consider information disclosure as a benefit https://github.com/oauth-wg/oauth-transaction-tokens/issues/207 [WGLC Feedback] 
 - Consider "Authorization surface" https://github.com/oauth-wg/oauth-transaction-tokens/issues/229 [WGLC Feedback] 
 - Be more specific on Authorization Context https://github.com/oauth-wg/oauth-transaction-tokens/issues/192 [WGLC Feedback] 


* oauth-wg/oauth-sd-jwt-vc (+3/-2/💬19)
 3 issues created:
 - wrong ref syntax (by bc-pi)

   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/349 
 - HTTPS GET and HTTP GET normalisation (by yaromin)
   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/347 
 - Support of the default Issuer Signature Mechanism. Required or not? (by yaromin)
   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/346 


 13 issues received 19 new comments:
 - #347 HTTPS GET and HTTP GET normalisation (2 by bc-pi)

   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/347 
 - #346 Support of the default Issuer Signature Mechanism. Required or not? (1 by bc-pi)
   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/346 
 - #310 Should `mandatory` be added to claim metadata? (2 by babisRoutis, nvoutsin)
   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/310 [enhancement] [discuss] [Ready-for-PR] [schema] 
 - #305 Support PNG background besides just color or SVG (2 by awoie, bc-pi)
   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/305 [enhancement] [Ready-for-PR] 
 - #290 Add a new claim called "dcpol" for "Digital Credential Policy" (1 by awoie)
   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/290 
 - #282 Add security considerations on when/what metadata is/can be trusted (1 by awoie)
   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/282 
 - #273 Provide guidance on versioning (1 by awoie)
   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/273 
 - #248 Provide information where a credential can be obtained (1 by awoie)
   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/248 [future-extension] 
 - #225 Consider recommending a way to encode other data types. (1 by awoie)
   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/225 
 - #222 Add JWS JSON serialization example (2 by awoie, bc-pi)
   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/222 [Ready-for-PR] 
 - #221 Security considerations on integrity of Type Metadata (1 by awoie)
   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/221 [Ready-for-PR] [metadata] [PRIO] [wg-05] 
 - #212 Embedded Issuer Policies (3 by awoie, c2bo, cre8)
   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/212 [discuss] 
 - #145 how cnf claim can be used with any other types of "binding" (1 by awoie)
   https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/145 [discuss] 


 2 issues closed:

 - HTTPS GET and HTTP GET normalisation https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/347 [pending close] 
 - Add a new claim called "dcpol" for "Digital Credential Policy" https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/290 


* oauth-wg/oauth-v2-1 (+1/-1/💬2)
 1 issues created:
 - Working Group Draft link fails (by WhippsP)

   https://github.com/oauth-wg/oauth-v2-1/issues/219 


 2 issues received 2 new comments:
 - #219 Working Group Draft link fails (1 by WhippsP)

   https://github.com/oauth-wg/oauth-v2-1/issues/219 
 - #120 How can an AS support both 2.0 and 2.1 clients concurrently (1 by gffletch)
   https://github.com/oauth-wg/oauth-v2-1/issues/120 [ietf-124] 


 1 issues closed:

 - Working Group Draft link fails https://github.com/oauth-wg/oauth-v2-1/issues/219 


* oauth-wg/draft-ietf-oauth-attestation-based-client-auth (+0/-0/💬1)
 1 issues received 1 new comments:
 - #140 Feedback from mailing list (1 by c2bo)

   https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/140 


* oauth-wg/oauth-identity-assertion-authz-grant (+1/-0/💬0)
 1 issues created:
 - The spec states that `refresh_token` SHOULD NOT be used (by meghnadubey)

   https://github.com/oauth-wg/oauth-identity-assertion-authz-grant/issues/48 


* oauth-wg/draft-ietf-oauth-rfc8725bis (+0/-0/💬1)
 1 issues received 1 new comments:
 - #15 JWTs issued for one individual must not be usable by another individual 
with a complicity between these individuals (1 by dickhardt)

   https://github.com/oauth-wg/draft-ietf-oauth-rfc8725bis/issues/15 




Pull requests
-------------
* oauth-wg/oauth-identity-chaining (+0/-1/💬1)
 1 pull requests received 1 new comments:
 - #173 six seven (1 by WhippsP)

   https://github.com/oauth-wg/oauth-identity-chaining/pull/173 


 1 pull requests merged:
 - six seven

   https://github.com/oauth-wg/oauth-identity-chaining/pull/173 


* oauth-wg/oauth-transaction-tokens (+7/-4/💬3)
 7 pull requests submitted:
 - Allow for alternatives to RFC8693 (by PieterKas)

   https://github.com/oauth-wg/oauth-transaction-tokens/pull/254 
 - Clarify need to validate the signature on signed subject tokens (by PieterKas)
   https://github.com/oauth-wg/oauth-transaction-tokens/pull/253 
 - Adding token theft as a threat that is mitigated (by PieterKas)
   https://github.com/oauth-wg/oauth-transaction-tokens/pull/252 
 - Clarify Transaction token role in Call Chain (by PieterKas)
   https://github.com/oauth-wg/oauth-transaction-tokens/pull/251 
 - Replace StringOrURI with string (by PieterKas)
   https://github.com/oauth-wg/oauth-transaction-tokens/pull/250 
 - Removal of `purp` claim (by gffletch)
   https://github.com/oauth-wg/oauth-transaction-tokens/pull/249 
 - Fix typo (by obfuscoder)
   https://github.com/oauth-wg/oauth-transaction-tokens/pull/248 


 2 pull requests received 3 new comments:
 - #252 Adding token theft as a threat that is mitigated (1 by PieterKas)

   https://github.com/oauth-wg/oauth-transaction-tokens/pull/252 
 - #249 Removal of `purp` claim (2 by gffletch)
   https://github.com/oauth-wg/oauth-transaction-tokens/pull/249 


 4 pull requests merged:
 - considerations for internal requests

   https://github.com/oauth-wg/oauth-transaction-tokens/pull/244 
 - Clarify Transaction token role in Call Chain
   https://github.com/oauth-wg/oauth-transaction-tokens/pull/251 
 - Adding token theft as a threat that is mitigated
   https://github.com/oauth-wg/oauth-transaction-tokens/pull/252 
 - Fix typo
   https://github.com/oauth-wg/oauth-transaction-tokens/pull/248 


* oauth-wg/oauth-sd-jwt-vc (+1/-1/💬2)
 1 pull requests submitted:
 - now 12 
https://mailarchive.ietf.org/arch/msg/oauth/-blEIowkxM-IG1oTxp1UyS406_w/ (by 
bc-pi)

   https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/348 


 1 pull requests received 2 new comments:
 - #345 Remove JSON schema from Type Metadata (2 by babisRoutis, bc-pi)

   https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/345 


 1 pull requests merged:
 - now 12 
https://mailarchive.ietf.org/arch/msg/oauth/-blEIowkxM-IG1oTxp1UyS406_w/

   https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/348 


* oauth-wg/draft-ietf-oauth-status-list (+1/-0/💬4)
 1 pull requests submitted:
 - add note on CWT encoding (by c2bo)

   https://github.com/oauth-wg/draft-ietf-oauth-status-list/pull/303 


 1 pull requests received 4 new comments:
 - #303 add note on CWT encoding (4 by c2bo, paulbastian)

   https://github.com/oauth-wg/draft-ietf-oauth-status-list/pull/303 


* oauth-wg/draft-ietf-oauth-attestation-based-client-auth (+0/-0/💬1)
 1 pull requests received 1 new comments:
 - #149 OAuth 2 artefact binding (1 by c2bo)

   https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/149 


* oauth-wg/oauth-identity-assertion-authz-grant (+1/-0/💬0)
 1 pull requests submitted:
 - Wrong Git Link and Typos (by WhippsP)

   https://github.com/oauth-wg/oauth-identity-assertion-authz-grant/pull/47 



Repositories tracked by this digest:
-----------------------------------
* https://github.com/oauth-wg/oauth-browser-based-apps
* https://github.com/oauth-wg/oauth-identity-chaining
* https://github.com/oauth-wg/oauth-transaction-tokens
* https://github.com/oauth-wg/oauth-sd-jwt-vc
* https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata
* https://github.com/oauth-wg/oauth-cross-device-security
* https://github.com/oauth-wg/oauth-selective-disclosure-jwt
* https://github.com/oauth-wg/oauth-v2-1
* https://github.com/oauth-wg/draft-ietf-oauth-status-list
* https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth
* https://github.com/oauth-wg/oauth-identity-assertion-authz-grant
* https://github.com/oauth-wg/draft-ietf-oauth-rfc8725bis
* https://github.com/oauth-wg/draft-ietf-oauth-rfc7523bis
* https://github.com/oauth-wg/oauth-first-party-apps


--
To have a summary like this sent to your list, see: 
https://github.com/ietf-github-services/activity-summary

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org























					Reply via email to