Just sharing this individual draft that hopefully adds some clarity to how a deployment leveraging Transaction Tokens can cross trust boundaries using a profile of the OAuth Identity and Authorization Chaining Across Domains draft.

George Fletcher
Identity Standards Architect
Practical Identity LLC

> Begin forwarded message:
>
> From: [email protected]
> Subject: New Version Notification for
> draft-fletcher-transaction-token-chaining-profile-00.txt
> Date: May 11, 2026 at 10:30:16 PM EDT
> To: "George Fletcher" <[email protected]>
>
> A new version of Internet-Draft
> draft-fletcher-transaction-token-chaining-profile-00.txt has been successfully
> submitted by George Fletcher and posted to the
> IETF repository.
>
> Name: draft-fletcher-transaction-token-chaining-profile
> Revision: 00
> Title: Transaction Token Authorization Grant Profile for OAuth Identity
> and Authorization Chaining
> Date: 2026-05-12
> Group: Individual Submission
> Pages: 29
> URL:
> https://www.ietf.org/archive/id/draft-fletcher-transaction-token-chaining-profile-00.txt
> Status:
> https://datatracker.ietf.org/doc/draft-fletcher-transaction-token-chaining-profile/
> HTML:
> https://www.ietf.org/archive/id/draft-fletcher-transaction-token-chaining-profile-00.html
> HTMLized:
> https://datatracker.ietf.org/doc/html/draft-fletcher-transaction-token-chaining-profile
>
>
> Abstract:
>
> This specification defines a profile of the OAuth Identity and
> Authorization Chaining Across Domains
> [I-D.ietf-oauth-identity-chaining] mechanism that uses a Transaction
> Token (Txn-Token) [I-D.ietf-oauth-transaction-tokens] as the subject
> token in a Token Exchange [RFC8693] request to obtain a JWT
> Authorization Grant for crossing a trust boundary.
>
> A Txn-Token is scoped to a single trust domain and represents the
> full authorization context of an in-progress transaction, regardless
> of whether that transaction was initiated by a human user calling an
> external API, by an internal system event, or by an automated
> workload. This profile specifies how a service operating within that
> trust domain can present its Txn-Token to obtain a JWT Authorization
> Grant that carries the necessary context across a trust boundary,
> enabling an access token to be issued for a partner service, without
> exposing internal trust-domain credentials or token formats beyond
> the trust boundary.
>
>
>
> The IETF Secretariat
>
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
