Hi, I’ve updated the individual draft on how to leverage a Transaction Token when needing to cross a trust domain boundary. This is a simple profile of the OAuth Identity and Authorization Chaining Across Domains draft.
If you are using Transaction Tokens in your deployment, or are considering it, please review this draft. Github repository for the draft: https://github.com/gffletch/tt_xdomain George Fletcher Identity Standards Architect Practical Identity LLC > Begin forwarded message: > > From: [email protected] > Subject: New Version Notification for > draft-fletcher-transaction-token-chaining-profile-01.txt > Date: June 20, 2026 at 6:08:06 PM EDT > To: "George Fletcher" <[email protected]>, "Pieter Kasselman" > <[email protected]>, "Sean O'Dell" <[email protected]> > > A new version of Internet-Draft > draft-fletcher-transaction-token-chaining-profile-01.txt has been successfully > submitted by George Fletcher and posted to the > IETF repository. > > Name: draft-fletcher-transaction-token-chaining-profile > Revision: 01 > Title: Transaction Token Authorization Grant Profile for OAuth Identity > and Authorization Chaining > Date: 2026-06-20 > Group: Individual Submission > Pages: 30 > URL: > https://www.ietf.org/archive/id/draft-fletcher-transaction-token-chaining-profile-01.txt > Status: > https://datatracker.ietf.org/doc/draft-fletcher-transaction-token-chaining-profile/ > HTML: > https://www.ietf.org/archive/id/draft-fletcher-transaction-token-chaining-profile-01.html > HTMLized: > https://datatracker.ietf.org/doc/html/draft-fletcher-transaction-token-chaining-profile > Diff: > https://author-tools.ietf.org/iddiff?url2=draft-fletcher-transaction-token-chaining-profile-01 > > Abstract: > > This specification defines a profile of the OAuth Identity and > Authorization Chaining Across Domains > [I-D.ietf-oauth-identity-chaining] mechanism that uses a Transaction > Token (Txn-Token) [I-D.ietf-oauth-transaction-tokens] as the subject > token in a Token Exchange [RFC8693] request to obtain a JWT > Authorization Grant for crossing a trust boundary. > > A Txn-Token is scoped to a single trust domain and represents the > full authorization context of an in-progress transaction, regardless > of whether that transaction was initiated by a human user calling an > external API, by an internal system event, or by an automated > workload. This profile specifies how a service operating within that > trust domain can present its Txn-Token to obtain a JWT Authorization > Grant that carries the necessary context across a trust boundary, > enabling an access token to be issued for a partner service, without > exposing internal trust-domain credentials or token formats beyond > the trust boundary. > > > > The IETF Secretariat > >
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
