And this time without a typo in the email alias for draft authors...

-yaroslav

On Thu, Jun 25, 2026 at 12:19 PM Yaroslav Rosomakho <[email protected]>
wrote:

> Dear OAuth enthusiasts,
>
> Pieter, Brian, Karl and I have submitted a new individual draft: OAuth
> Transaction Authorization Challenge (draft-rosomakho-oauth-txn-challenge).
>
> This specification defines a mechanism for a protected resource to request
> transaction-specific authorization before completing a particular
> operation. The protected resource returns a signed transaction
> authorization challenge, which is relayed through the agent(s) down to the
> client. The client presents the challenge to the authorization server,
> which validates it, obtains any required approval from a human user and/or
> any additional relevant approving party, and issues an access token whose
> granted authorization details describe the approved operation.
>
> The motivating use cases include agent-initiated actions requiring human
> approval (aka "human-in-the-loop") and flexible integration with
> organizational approval workflows. The mechanism is intended to complement
> OAuth step-up authentication and CIBA by requesting authorization for a
> specific transaction rather than stronger or fresher authentication alone.
>
> Questions, suggestions, concerns and overall feedback are very welcome!
>
> Thank you.
>
> -yaroslav
>
> ---------- Forwarded message ---------
> A new version of Internet-Draft draft-rosomakho-oauth-txn-challenge-00.txt
> has been successfully submitted by Yaroslav Rosomakho and posted to the
> IETF repository.
>
> Name:     draft-rosomakho-oauth-txn-challenge
> Revision: 00
> Title:    OAuth Transaction Authorization Challenge
> Date:     2026-06-25
> Group:    Individual Submission
> Pages:    33
> URL:      https://www.ietf.org/archive/id/draft-rosomakho-oauth-txn-challenge-00.txt
> Status:   https://datatracker.ietf.org/doc/draft-rosomakho-oauth-txn-challenge/
> HTML:     https://www.ietf.org/archive/id/draft-rosomakho-oauth-txn-challenge-00.html
> HTMLized: https://datatracker.ietf.org/doc/html/draft-rosomakho-oauth-txn-challenge
>
>
> Abstract:
>
>    This document defines an OAuth mechanism for transaction-specific
>    authorization challenges.  A protected resource can require
>    additional authorization for a particular operation by returning a
>    transaction authorization challenge.  This is useful when requests
>    are mediated by agents, automated workflows, or delegated services
>    and the protected resource requires confirmation from a human user,
>    resource owner, or organizational authority.  The client presents the
>    challenge to an authorization server, which validates the challenge,
>    obtains any required approval, and issues an OAuth 2.0 access token
>    whose granted authorization details, expressed using Rich
>    Authorization Requests, describe the approved operation.  The access
>    token is then presented to the protected resource as evidence that
>    the challenged operation was authorized.
>
>
>
> The IETF Secretariat
>
>
>
