Hi All, We would like to share the use cases, gaps, and solutions to provide more details for both drafts.
1. Cross-Domain Transaction Tokens Datatracker: https://datatracker.ietf.org/doc/draft-liu-oauth-cross-domain-txn-token/ GitHub: https://github.com/NiYuan224/draft-liu-oauth-cross-domain-txn-token Use Case A smart-home healthcare workflow spans multiple domains: An AI camera detects an elderly fall, triggering a medical agent to verify vital signs via wearable devices; Upon confirmation, the medical agent invokes an emergency response service. Since the AI camera and the medical agent are from different service providers, such a use case requires secure, cross-domain authorization context propagation. Gap * Transaction Tokens works in a single domain. * Identity Chaining handles cross-domain identity and authorization propagation, but cannot propagate rich, structured workflow-related claims (i.e., txn, tctx, rctx, req_wl). • Our Solution Combine Transaction Tokens and Identity Chaining via two patterns: - Mode A (Txn-Token 1 -> JAG -> Access Token -> Txn-Token 2) - Mode B (Txn-Token 1 -> JAG -> Txn-Token 2) 1. Batch Authorization Delegation Datatracker: https://datatracker.ietf.org/doc/draft-ni-oauth-batch-authorization-delegation/ GitHub: https://github.com/NiYuan224/draft-ni-oauth-batch-authorization-delegation Use Case A cross-bank Coupon Agent of a leading payment company in China can coordinate multiple commercial bank’s agents to compare the best promotional discount from all of the user’s bank accounts for a single payment. It obtains a single batch authorization for query and payment permissions of all the user’s bank accounts, then decomposes these permissions, restricting each sub-agent to query only its respective bank’s promotional discounts. Gap * RAR (RFC 9396): Requests fine-grained permissions, but cannot bind them to different actors. * Token Exchange (RFC 8693): Defines privilege delegation relationship via the may_act claim, but the actor by default gains all of the permissions-- cannot link that actor to a specific subset of permissions. * No standard way to bind distinct permissions to many different designated actors. Our Solution We extend authorization_details with chunks of may_act fields, allowing each permission chunk to specify its designated actor. This enables the AS to issue a Batch Token with actor-bound permissions. Sub-agents can later exchange it for Downscoped Tokens filtered by the may_act field. We would highly appreciate your feedback on whether these use cases and gaps align with the WG's interests. Best regards, Yuan Ni, Peter and authors 发件人: Liuchunchi(Peter) <[email protected]> 发送时间: 2026年7月2日 12:31 收件人: Rifaat Shekh-Yusef <[email protected]>; oauth <[email protected]>; [email protected]; niyuan <[email protected]> 主题: request for slots //RE: [OAUTH-WG] Call for topics for Vienna Hi OAuth WG, Chairs, 1) We have a new draft on cross-domain transaction tokens. https://datatracker.ietf.org/doc/draft-liu-cross-domain-txn-token/ We have been discussing with several participants on and off line about this topic, most if not all of them expressed great interest. This document solves (or try to solve) the secure propagation of workflow-related contextual claims (txn, tctx, rctx, req_wl) across trust domains, which was not included in the previously existing transaction tokens draft, but now might be the time to discuss extending the design. Thus we wish to request 10+5 minutes of agenda time to present this at Vienna. Aware of Rifaat’s email on very large number of slot requests for agenda time, we will focus on use cases and gap analysis in telecom and finance sectors that we encounter. We will also invest time in implementing transaction token’s open source repository, if the working group thinks this direction is a good idea. 2) We also have a batch authorization delegation draft that focus on enabling a one-time batch authorization for downstream services. https://datatracker.ietf.org/doc/draft-ni-batch-authorization-delegation/ This is done by extending RAR with may_act fields to bind distinct permissions to designated actors. If time permits, we hope to request another 5 minutes to present this altogether. If not, we are also happy to be instructed to combine with or talk to other teams that have a similar scope, before vienna. Both drafts address real-world cross-domain, multi-step scenarios emerging in collaborative service ecosystems and AI Agents. We believe these directions are of strong interest to the WG and would welcome your valuable feedback. Best, Peter and Yuan ======= Internet-Draft draft-liu-cross-domain-txn-token-00.txt is now available. Title: Cross-domain Transaction Tokens Authors: Chunchi Peter Liu Yuan Ni Name: draft-liu-cross-domain-txn-token-00.txt Pages: 20 Dates: 2026-06-30 Abstract: This document describes a mechanism for Cross-Domain Transaction Tokens, which enables the safe maintenance and propagation of user identity, workload identities, and authorization context across multiple trust domains. The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-liu-cross-domain-txn-token/ === Internet-Draft draft-ni-batch-authorization-delegation-00.txt is now available. Title: Batch Authorization Delegation Authors: Yuan Ni Chunchi Peter Liu Name: draft-ni-batch-authorization-delegation-00.txt Pages: 23 Dates: 2026-06-30 Abstract: This document describes a mechanism for Batch Authorization Delegation, which enables a batch of fine-grained, actor-bound permissions in a single request and securely delegates them to multiple collaborating actors. The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ni-batch-authorization-delegation/ From: Rifaat Shekh-Yusef <[email protected]<mailto:[email protected]>> Sent: Sunday, June 21, 2026 6:43 AM To: oauth <[email protected]<mailto:[email protected]>> Subject: [OAUTH-WG] Call for topics for Vienna All, As per the preliminary agenda, we have two OAu=h sessions at: Thursday, 2:00-4:00pm Friday, 9:00-11:00am If =ou have not done so already, let us know, as soon as possible, if you have=a topic that you would like to present and discuss in Vienna. Regar=s, Rifaat & Hannes
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
