Hi all,

Following the thread on RAR metadata caching semantics: the caching SHOULD-vs-MUST debate intersects directly with posture telemetry that an authorization server needs to surface to clients and resource servers when the access decision is itself dynamic (PQC migration state, attested credential class, multi-tenant key-rotation epoch, etc.).
We are working on draft-vicente-oauth-apm, "OAuth Authorization Posture Mechanism", which proposes a small, opt-in metadata extension that lets the AS publish machine-readable posture (and a freshness contract) alongside the existing well-known/oauth-authorization-server document. The freshness contract there is deliberately framed as MUST-NOT-cache-beyond-N when the posture bit set changes; we found a soft SHOULD insufficient in multi-tenant deployments where stale metadata causes silent downgrade. This may be relevant context for the rar-metadata caching question.

Pointers, in case useful to the discussion:

Datatracker: https://datatracker.ietf.org/doc/draft-vicente-oauth-apm/
Source: https://github.com/Sanc-Admin/oauth-apm
Archive DOI: https://doi.org/10.5281/zenodo.20584241

Happy to take feedback on the freshness-contract framing; if the WG consensus is that posture-class metadata belongs in a separate doc rather than the rar-metadata extension, we are aligned.

Best,
Brian Vicente
Sanctum SecOps LLC
ORCID: https://orcid.org/0009-0006-6395-5308
[email protected]
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
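The soft-SHOULD versus MUST-NOT-cache-beyond-N distinction in the message above is easiest to see in a client-side metadata cache. The following is an added example written for this page; it is not code from draft-vicente-oauth-apm or the oauth-apm repository, and the field names "posture", "posture_epoch" and "posture_max_age", the "should"/"must" policy switch, the observe_epoch hook and the sample documents are all assumptions chosen for illustration (the draft defines the real wire format). The scenario it scripts is the one the message describes: the AS flips its posture while the client's cached copy is just past its max age, and the well-known endpoint is briefly unreachable.

```python
"""Client-side cache for AS metadata that carries a posture freshness contract.

Added example, not code from draft-vicente-oauth-apm. Field names
("posture", "posture_epoch", "posture_max_age") and the two refresh
policies are assumptions made here for illustration only.
"""
import time


class FetchError(Exception):
    """Raised when the well-known document cannot be retrieved."""


class StalePosture(Exception):
    """Raised under the hard policy when cached posture is past its max age."""


class PostureCache:
    """Caches AS metadata and decides whether a cached copy may still be used.

    policy="should": a stale copy is re-fetched best-effort and served anyway
                     if the re-fetch fails (soft SHOULD).
    policy="must":   a stale copy is never served; if the re-fetch fails the
                     caller gets StalePosture and must fail closed (MUST-NOT).
    """

    def __init__(self, fetch, policy, clock=time.monotonic):
        assert policy in ("should", "must")
        self.fetch = fetch          # callable returning the current metadata dict
        self.policy = policy
        self.clock = clock
        self.doc = None
        self.fetched_at = 0.0

    def _refresh(self):
        self.doc = self.fetch()
        self.fetched_at = self.clock()

    def get(self):
        if self.doc is None:
            self._refresh()
            return self.doc
        age = self.clock() - self.fetched_at
        if age <= self.doc.get("posture_max_age", 0):
            return self.doc          # still within the freshness contract
        try:
            self._refresh()
        except FetchError:
            if self.policy == "must":
                raise StalePosture(
                    f"posture epoch {self.doc['posture_epoch']} is {age:.0f}s old")
            # soft policy: silently keep serving the stale document
        return self.doc

    def observe_epoch(self, epoch):
        """Invalidate on any out-of-band signal that the posture bit set changed."""
        if self.doc is not None and epoch > self.doc.get("posture_epoch", 0):
            self.doc = None


def choose_signing_alg(doc):
    """Map the published PQC posture to the key class the client will use."""
    return "pqc" if doc["posture"].get("pqc_migration") == "required" else "classical"


# Constructed sample documents; fields beyond RFC 8414 are assumptions.
DOC_EPOCH1 = {
    "issuer": "https://as.example",
    "token_endpoint": "https://as.example/token",
    "posture": {"pqc_migration": "optional"},
    "posture_epoch": 1,
    "posture_max_age": 30,
}
DOC_EPOCH2 = {**DOC_EPOCH1, "posture": {"pqc_migration": "required"}, "posture_epoch": 2}


class FakeClock:
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class ScriptedAS:
    """Constructed stand-in for the AS: serves its current doc unless offline."""

    def __init__(self, doc):
        self.doc, self.offline = doc, False

    def fetch(self):
        if self.offline:
            raise FetchError("well-known endpoint unreachable")
        return dict(self.doc)


def run_scenario(policy, as_reachable_on_refresh):
    """AS flips posture after the client cached epoch 1; client decides at t=31s.

    Returns the key class the client ends up using, or "fail-closed".
    """
    clock, srv = FakeClock(), ScriptedAS(DOC_EPOCH1)
    cache = PostureCache(srv.fetch, policy, clock)
    cache.get()                       # t=0: cache epoch 1 (PQC optional)
    srv.doc = DOC_EPOCH2              # AS now requires PQC
    srv.offline = not as_reachable_on_refresh
    clock.now = 31.0                  # just past posture_max_age
    try:
        return choose_signing_alg(cache.get())
    except StalePosture:
        return "fail-closed"


if __name__ == "__main__":
    for pol in ("should", "must"):
        for up in (True, False):
            print(pol, "AS up" if up else "AS down", "->", run_scenario(pol, up))
```

With the AS reachable both policies refetch and pick the PQC key class. With the AS briefly down, the soft policy keeps serving epoch 1 and the client selects a classical key against an AS that now requires PQC, which is the silent downgrade the message refers to; the hard policy surfaces StalePosture so the caller can fail closed or retry instead.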
