Dear OAuth enthusiasts,

Pieter, Brian, Karl and I have submitted a new individual draft: OAuth
Transaction Authorization Challenge (draft-rosomakho-oauth-txn-challenge).

This specification defines a mechanism for a protected resource to request
transaction-specific authorization before completing a particular
operation. The protected resource returns a signed transaction
authorization challenge, which is relayed through the agent(s) down to the
client. The client presents the challenge to the authorization server,
which validates it, obtains any required approval from a human user and/or
any additional relevant approving party, and issues an access token whose
granted authorization details describe the approved operation.

The motivating use cases include agent-initiated actions requiring human
approval (aka "human-in-the-loop") and flexible integration with
organizational approval workflows. The mechanism is intended to complement
OAuth step-up authentication and CIBA by requesting authorization for a
specific transaction rather than stronger or fresher authentication alone.

Questions, suggestions, concerns and overall feedback are very welcome!

Thank you.

-yaroslav

---------- Forwarded message ---------
A new version of Internet-Draft draft-rosomakho-oauth-txn-challenge-00.txt
has been successfully submitted by Yaroslav Rosomakho and posted to the
IETF repository.

Name:     draft-rosomakho-oauth-txn-challenge
Revision: 00
Title:    OAuth Transaction Authorization Challenge
Date:     2026-06-25
Group:    Individual Submission
Pages:    33
URL:      https://www.ietf.org/archive/id/draft-rosomakho-oauth-txn-challenge-00.txt
Status:   https://datatracker.ietf.org/doc/draft-rosomakho-oauth-txn-challenge/
HTML:     https://www.ietf.org/archive/id/draft-rosomakho-oauth-txn-challenge-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-rosomakho-oauth-txn-challenge


Abstract:

   This document defines an OAuth mechanism for transaction-specific
   authorization challenges.  A protected resource can require
   additional authorization for a particular operation by returning a
   transaction authorization challenge.  This is useful when requests
   are mediated by agents, automated workflows, or delegated services
   and the protected resource requires confirmation from a human user,
   resource owner, or organizational authority.  The client presents the
   challenge to an authorization server, which validates the challenge,
   obtains any required approval, and issues an OAuth 2.0 access token
   whose granted authorization details, expressed using Rich
   Authorization Requests, describe the approved operation.  The access
   token is then presented to the protected resource as evidence that
   the challenged operation was authorized.



The IETF Secretariat
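The flow the abstract describes (resource issues a signed challenge, AS validates it and obtains approval, token carries authorization details bound to that one operation, resource accepts only a matching token), as an added illustrative example that is not code from the draft or its authors. The field names, the HMAC signature scheme and the shared demo keys are assumptions standing in for whatever the draft actually specifies.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo keys (assumption): a real deployment would use registered keys.
RS_KEY = b"demo-resource-key"  # lets the AS verify challenges from this resource
AS_KEY = b"demo-as-key"        # lets the resource verify access tokens from the AS
PENDING = set()                # challenge ids the resource has issued but not yet honoured

def sign(payload: dict, key: bytes) -> dict:
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(obj: dict, key: bytes) -> Optional[dict]:
    body = json.dumps(obj["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return obj["payload"] if hmac.compare_digest(expected, obj["sig"]) else None

def resource_challenge(operation: dict) -> dict:
    """Protected resource declines the operation and returns a signed, short-lived
    challenge whose authorization_details name exactly that operation."""
    txn = secrets.token_hex(8)
    PENDING.add(txn)
    payload = {"txn": txn, "exp": int(time.time()) + 300,
               "authorization_details": [operation]}
    return sign(payload, RS_KEY)

def as_issue_token(challenge: dict, approved: bool) -> Optional[dict]:
    """AS checks the challenge signature and expiry, requires the approving
    party's decision, and grants only the details the challenge carried."""
    ch = verify(challenge, RS_KEY)
    if ch is None or ch["exp"] < time.time() or not approved:
        return None
    return sign({"txn": ch["txn"], "authorization_details": ch["authorization_details"]}, AS_KEY)

def resource_accept(token: dict, operation: dict) -> bool:
    """Resource honours the token only if its granted details equal the operation
    now being attempted and the challenge id is still outstanding (no replay)."""
    tok = verify(token, AS_KEY)
    if tok is None or tok["authorization_details"] != [operation]:
        return False
    if tok["txn"] not in PENDING:
        return False
    PENDING.remove(tok["txn"])
    return True
```

The mismatch check in resource_accept is the point of the mechanism: approval obtained for one transaction cannot be spent on a different one, and an issued token is consumed once.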

OAuth mailing list -- [email protected]