Hello George, I have opened https://github.com/oauth-wg/oauth-transaction-tokens/issues/351 as per your suggestion.
Thanks.

Regards

On Thu, May 14, 2026 at 6:13 PM Sanjay Dalal <[email protected]> wrote:

> Thanks George. Will open an issue. authorization_details would be provided
> by the client and it could capture the transaction context much better than
> a scope supplied with the external token. Also, the source of truth
> regarding the (business) action performed would not be lost if that is
> captured in tctx or along with tctx in transaction token.
>
> "The scope claim is defined in Section 4.2
> <https://rfc-editor.org/rfc/rfc8693#section-4.2> of [RFC8693
> <https://www.ietf.org/archive/id/draft-ietf-oauth-transaction-tokens-08.html#RFC8693>].
> Note that the value of this claim is determined by the TTS and is not
> required to match the requested scope nor the scope in any supplied
> external token."
>
> Hi Rifaat, Sure. WG mailing list included now.
>
> On Thu, May 14, 2026 at 1:25 PM <[email protected]> wrote:
>
>> Another option is to open an issue on the repository:
>>
>> oauth-wg/oauth-transaction-tokens
>> <https://github.com/oauth-wg/oauth-transaction-tokens>
>>
>> There has been discussion around RAR objects in past IETF meetings. The
>> expectation is that the RAR `authorization_details` object can be a claim
>> in the `tctx` object. However, since both the `rctx` and `tctx` are only
>> valid within the trust domain the expectation is that the deployment
>> defines the required claims for those objects. If that is problematic, then
>> we should discuss either in an issue or on the OAuth mailing list.
>>
>> George Fletcher
>> Identity Standards Architect
>> Practical Identity LLC
>>
>> On May 14, 2026, at 7:22 AM, Rifaat Shekh-Yusef <[email protected]>
>> wrote:
>>
>> Hi Sanjay,
>>
>> Is there a reason that you did not send this email to the OAuth WG
>> mailing list?
>>
>> Regards,
>> Rifaat
>>
>> On Wed, May 13, 2026 at 8:58 PM Sanjay Dalal <[email protected]>
>> wrote:
>>
>>> Hello,
>>>
>>> Thanks for writing up my ID on Transaction Tokens.
>>>
>>> 1. I was hoping to find a reference to RFC 9396
>>> <https://datatracker.ietf.org/doc/html/rfc9396> Rich Authorization
>>> Requests somewhere, especially while discussing Authorization Context.
>>>
>>> 2. Also since RFC 9396's authorization_details is already registered in
>>> OAuth Parameters registry
>>> <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml>
>>> perhaps it could be used here as well to provide request_context? It is
>>> already approved for token request and token response.
>>>
>>> 3. Can authorization_details be used here as a claim
>>> <https://datatracker.ietf.org/doc/html/rfc9396#name-oauth-parameters-registrati>
>>> instead of tctx?
>>>
>>> For #2 and #3, I would not know if reuse is prohibited, it was ignored
>>> or it was discussed and a decision was taken not to reuse.
>>>
>>> Sorry in advance if these issues are already discussed and resolved.
>>>
>>> thanks,
>>> sanjay
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
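The arrangement discussed in the thread above (RAR `authorization_details` carried as a claim inside `tctx`, with the deployment defining which claims are required) is shown here as an added example; it is not code from the thread, the Transaction Tokens draft, or RFC 9396. The function `check_tctx`, the profile constants `REQUIRED_TCTX` and `ALLOWED_TYPES`, and the sample payloads are hypothetical, and signature, `iss`, `aud` and `exp` validation is assumed to have happened before this check.

```python
# Added illustration of a deployment-defined tctx profile check.
# REQUIRED_TCTX and ALLOWED_TYPES are hypothetical policy values: the thread
# notes that the trust domain, not the specification, defines tctx contents.
REQUIRED_TCTX = {"authorization_details"}
ALLOWED_TYPES = {"payment_initiation"}


def check_tctx(claims):
    """Return a list of profile violations for a decoded Txn-Token payload."""
    tctx = claims.get("tctx")
    if not isinstance(tctx, dict):
        return ["tctx missing or not a JSON object"]
    errors = [f"tctx.{name} required by deployment profile"
              for name in sorted(REQUIRED_TCTX - set(tctx))]
    details = tctx.get("authorization_details", [])
    if not isinstance(details, list):
        return errors + ["authorization_details must be a JSON array"]
    for i, entry in enumerate(details):
        # RFC 9396 requires a string "type" in every authorization details object.
        rar_type = entry.get("type") if isinstance(entry, dict) else None
        if not isinstance(rar_type, str):
            errors.append(f"authorization_details[{i}] lacks a string 'type'")
        elif rar_type not in ALLOWED_TYPES:
            errors.append(
                f"authorization_details[{i}] type '{rar_type}' not allowed")
    return errors


# Constructed sample payloads (not taken from the thread or the draft).
GOOD = {
    "txn": "example-txn-id", "sub": "user-123", "scope": "payments",
    "tctx": {"authorization_details": [
        {"type": "payment_initiation",
         "instructedAmount": {"currency": "EUR", "amount": "123.50"}}]},
}
# The scope value alone says nothing about the business action: the profile
# check fails because the fine-grained context is absent from tctx.
SCOPE_ONLY = {"txn": "example-txn-id", "sub": "user-123",
              "scope": "payments", "tctx": {}}
WRONG_TYPE = {"txn": "example-txn-id", "sub": "user-123", "tctx": {
    "authorization_details": [{"type": "account_information"},
                              {"actions": ["read"]}]}}

if __name__ == "__main__":
    for name, payload in [("GOOD", GOOD), ("SCOPE_ONLY", SCOPE_ONLY),
                          ("WRONG_TYPE", WRONG_TYPE)]:
        print(name, check_tctx(payload) or "ok")
```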
