Dear George, Pieter, and Sean,

I read your draft (draft-fletcher-transaction-token-chaining-profile) with 
great interest. It is encouraging to see that our work on Cross‑Domain 
Txn‑Token (draft‑liu‑oauth‑cross‑domain‑txn‑token) shares the same core 
foundation—Identity Chaining combined with Txn‑Token.

Our draft mainly focuses on the secure propagation of workflow-related 
contextual claims (txn, tctx, rctx, req_wl) across trust domains. I am 
forwarding our recent WG session request below for your reference, which 
details our use case and gap analysis.

I would highly value your thoughts on whether our design aligns with or 
complements the scenarios you've been considering.

Best regards,

Yuan Ni, Peter and authors

发件人: niyuan <[email protected]>
发送时间: 2026年7月9日 11:11
收件人: Liuchunchi(Peter) <[email protected]>; Rifaat Shekh-Yusef 
<[email protected]>; oauth <[email protected]>; [email protected]
主题: [OAUTH-WG] 回复: request for slots //RE: Call for topics for Vienna


Hi All,

We would like to share the use cases, gaps, and solutions to provide more 
details for both drafts.

  1.  Cross-Domain Transaction Tokens
Datatracker: 
https://datatracker.ietf.org/doc/draft-liu-oauth-cross-domain-txn-token/
GitHub: https://github.com/NiYuan224/draft-liu-oauth-cross-domain-txn-token

Ÿ   Use Case

A smart-home healthcare workflow spans multiple domains: An AI camera detects 
an elderly fall, triggering a medical agent to verify vital signs via wearable 
devices; Upon confirmation, the medical agent invokes an emergency response 
service. Since the AI camera and the medical agent are from different service 
providers, such a use case requires secure, cross-domain authorization context 
propagation.

Ÿ   Gap

  *   Transaction Tokens works in a single domain.
  *   Identity Chaining handles cross-domain identity and authorization 
propagation, but cannot propagate rich, structured workflow-related claims 
(i.e., txn, tctx, rctx, req_wl).

•        Our Solution

Combine Transaction Tokens and Identity Chaining via two patterns:
-  Mode A (Txn-Token 1 -> JAG -> Access Token -> Txn-Token 2)
-  Mode B (Txn-Token 1 -> JAG -> Txn-Token 2)


  1.  Batch Authorization Delegation
Datatracker: 
https://datatracker.ietf.org/doc/draft-ni-oauth-batch-authorization-delegation/
GitHub:  
https://github.com/NiYuan224/draft-ni-oauth-batch-authorization-delegation

Ÿ   Use Case

A cross-bank Coupon Agent of a leading payment company in China can coordinate 
multiple commercial bank’s agents to compare the best promotional discount from 
all of the user’s bank accounts for a single payment. It obtains a single batch 
authorization for query and payment permissions of all the user’s bank 
accounts, then decomposes these permissions, restricting each sub-agent to 
query only its respective bank’s promotional discounts.

Ÿ   Gap

  *   RAR (RFC 9396): Requests fine-grained permissions, but cannot bind them 
to different actors.
  *   Token Exchange (RFC 8693): Defines privilege delegation relationship via 
the may_act claim, but the actor by default gains all of the permissions-- 
cannot link that actor to a specific subset of permissions.
  *   No standard way to bind distinct permissions to many different designated 
actors.

Ÿ   Our Solution

We extend authorization_details with chunks of may_act fields, allowing each 
permission chunk to specify its designated actor. This enables the AS to issue 
a Batch Token with actor-bound permissions. Sub-agents can later exchange it 
for Downscoped Tokens filtered by the may_act field.



We would highly appreciate your feedback on whether these use cases and gaps 
align with the WG's interests.

Best regards,

Yuan Ni, Peter and authors

发件人: Liuchunchi(Peter) <[email protected]<mailto:[email protected]>>
发送时间: 2026年7月2日 12:31
收件人: Rifaat Shekh-Yusef 
<[email protected]<mailto:[email protected]>>; oauth 
<[email protected]<mailto:[email protected]>>; 
[email protected]<mailto:[email protected]>; niyuan 
<[email protected]<mailto:[email protected]>>
主题: request for slots //RE: [OAUTH-WG] Call for topics for Vienna

Hi OAuth WG, Chairs,

1)  We have a new draft on cross-domain transaction tokens.  
https://datatracker.ietf.org/doc/draft-liu-cross-domain-txn-token/

We have been discussing with several participants on and off line about this 
topic, most if not all of them expressed great interest. This document solves 
(or try to solve) the secure propagation of workflow-related contextual claims 
(txn, tctx, rctx, req_wl) across trust domains, which was not included in the 
previously existing transaction tokens draft, but now might be the time to 
discuss extending the design.

Thus we wish to request 10+5 minutes of agenda time to present this at Vienna.

Aware of Rifaat’s email on very large number of slot requests for agenda time, 
we will focus on use cases and gap analysis in telecom and finance sectors that 
we encounter. We will also invest time in implementing transaction token’s open 
source repository, if the working group thinks this direction is a good idea.

2)  We also have a batch authorization delegation draft that focus on enabling 
a one-time batch authorization for downstream services. 
https://datatracker.ietf.org/doc/draft-ni-batch-authorization-delegation/ This 
is done by extending RAR with may_act fields to bind distinct permissions to 
designated actors.
If time permits, we hope to request another 5 minutes to present this 
altogether. If not, we are also happy to be instructed to combine with or talk 
to other teams that have a similar scope, before vienna.

Both drafts address real-world cross-domain, multi-step scenarios emerging in 
collaborative service ecosystems and AI Agents. We believe these directions are 
of strong interest to the WG and would welcome your valuable feedback.

Best,
Peter and Yuan

=======

Internet-Draft draft-liu-cross-domain-txn-token-00.txt is now available.



   Title:   Cross-domain Transaction Tokens

   Authors: Chunchi Peter Liu

            Yuan Ni

   Name:    draft-liu-cross-domain-txn-token-00.txt

   Pages:   20

   Dates:   2026-06-30



Abstract:



   This document describes a mechanism for Cross-Domain Transaction

   Tokens, which enables the safe maintenance and propagation of user

   identity, workload identities, and authorization context across

   multiple trust domains.



The IETF datatracker status page for this Internet-Draft is:

https://datatracker.ietf.org/doc/draft-liu-cross-domain-txn-token/

===

Internet-Draft draft-ni-batch-authorization-delegation-00.txt is now available.



   Title:   Batch Authorization Delegation

   Authors: Yuan Ni

            Chunchi Peter Liu

   Name:    draft-ni-batch-authorization-delegation-00.txt

   Pages:   23

   Dates:   2026-06-30



Abstract:



   This document describes a mechanism for Batch Authorization

   Delegation, which enables a batch of fine-grained, actor-bound

   permissions in a single request and securely delegates them to

   multiple collaborating actors.



The IETF datatracker status page for this Internet-Draft is:

https://datatracker.ietf.org/doc/draft-ni-batch-authorization-delegation/


From: Rifaat Shekh-Yusef 
<[email protected]<mailto:[email protected]>>
Sent: Sunday, June 21, 2026 6:43 AM
To: oauth <[email protected]<mailto:[email protected]>>
Subject: [OAUTH-WG] Call for topics for Vienna

All,

As per the preliminary agenda, we have two OAu=h sessions at:
Thursday, 2:00-4:00pm
Friday, 9:00-11:00am

If =ou have not done so already, let us know, as soon as possible, if you 
have=a topic that you would like to present and discuss in Vienna.

Regar=s,
 Rifaat & Hannes
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to