Thanks George. Will open an issue. authorization_details would be provided by the client and it could capture the transaction context much better than a scope supplied with the external token. Also, the source of truth regarding the (business) action performed would not be lost if that is captured in tctx or along with tctx in transaction token.
"The scope claim is defined in Section 4.2 <https://rfc-editor.org/rfc/rfc8693#section-4.2> of [RFC8693 <https://www.ietf.org/archive/id/draft-ietf-oauth-transaction-tokens-08.html#RFC8693>]. Note that the value of this claim is determined by the TTS and is not required to match the requested scope nor the scope in any supplied external token."

Hi Rifaat,

Sure. WG mailing list included now.

On Thu, May 14, 2026 at 1:25 PM <[email protected]> wrote:

> Another option is to open an issue on the repository:
>
> oauth-wg/oauth-transaction-tokens
> <https://github.com/oauth-wg/oauth-transaction-tokens>
>
> There has been discussion around RAR objects in past IETF meetings. The
> expectation is that the RAR `authorization_details` object can be a claim
> in the `tctx` object. However, since both the `rctx` and `tctx` are only
> valid within the trust domain, the expectation is that the deployment
> defines the required claims for those objects. If that is problematic, then
> we should discuss either in an issue or on the OAuth mailing list.
>
> George Fletcher
> Identity Standards Architect
> Practical Identity LLC
>
> On May 14, 2026, at 7:22 AM, Rifaat Shekh-Yusef <[email protected]>
> wrote:
>
> Hi Sanjay,
>
> Is there a reason that you did not send this email to the OAuth WG mailing
> list?
>
> Regards,
> Rifaat
>
> On Wed, May 13, 2026 at 8:58 PM Sanjay Dalal <[email protected]>
> wrote:
>
>> Hello,
>>
>> Thanks for writing up my ID on Transaction Tokens.
>>
>> 1. I was hoping to find a reference to RFC 9396
>> <https://datatracker.ietf.org/doc/html/rfc9396> Rich Authorization
>> Requests somewhere, especially while discussing Authorization Context.
>>
>> 2. Also since RFC 9396's authorization_details is already registered in
>> OAuth Parameters registry
>> <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml>
>> perhaps it could be used here as well to provide request_context? It is
>> already approved for token request and token response.
>>
>> 3. Can authorization_details be used here as a claim
>> <https://datatracker.ietf.org/doc/html/rfc9396#name-oauth-parameters-registrati>
>> instead of tctx?
>>
>> For #2 and #3, I would not know if reuse is prohibited, it was ignored or
>> it was discussed and a decision was taken not to reuse.
>>
>> Sorry in advance if these issues are already discussed and resolved.
>>
>> thanks,
>> sanjay
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
