| Internet-Draft | OAuth Identity and Authorization Chainin | July 2025 |
| Schwenkschuster, et al. | Expires 4 January 2026 | [Page] |
This specification defines a mechanism to preserve identity and authorization information across trust domains that use the OAuth 2.0 Framework.¶
This note is to be removed before publishing as an RFC.¶
Discussion of this document takes place on the Web Authorization Protocol Working Group mailing list (oauth@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/oauth/.¶
Source for this draft and an issue tracker can be found at https://github.com/oauth-wg/oauth-identity-chaining.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 4 January 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Applications often require access to resources that are distributed across multiple trust domains where each trust domain has its own OAuth 2.0 authorization server. A request may transverse multiple resource servers in multiple trust domains before completing. All protected resources involved in such a request need to know on whose behalf the request was originally initiated (i.e. the user), what authorization was granted and optionally which other resource servers were called prior to making an authorization decision. This information needs to be preserved, even when a request crosses one or more trust domains. This document refers to this as "chaining" and defines a common pattern for combining OAuth 2.0 Token Exchange [RFC8693] and the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants [RFC7523] to access resources across multiple trust domains while preserving identity and authorization information.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This specification does not define any new media types.¶
It is RECOMMENDED that any profile or deployment-specific implementation adopt explicit typing as defined in JSON Web Token Best Current Practices [RFC8725] and define a new media type [RFC2046] in the "Media Types" registry [IANA-MediaTypes] in the manner described in [RFC6838].¶
Authorization Servers SHOULD follow the Best Current Practice for OAuth 2.0 Security [RFC9700] for client authentication.¶
Authorization Servers SHOULD follow the The OAuth 2.1 Authorization Framework [I-D.draft-ietf-oauth-v2-1] for sender constraining tokens.¶
The authorization server in trust domain B SHOULD NOT issue refresh tokens to the client within the scope of this specification. When the access token has expired, clients SHOULD re-submit the original JWT Authorization Grant to obtain a new Access Token. If the JWT Authorization Grant has expired, the client SHOULD request a new grant from the authorization server in trust domain A before presenting it to the authorization server in trust domain B. The issuance of Refresh Tokens by the authorization server in trust domain B introduces a redundant credential requiring additional security measures, and creating unnecessary security risks. It also allows the client to obtain access tokens within trust domain B, even if the initial session in trust domain A has finished (e.g. the user has logged out or access has been revoked). This paragraph does not relate to the issuance of refresh tokens by the authorization server in trust domain A.¶
In addition to the privacy considerations outlined in [RFC8693] and [RFC7523], the following items are relevant to this specification:¶
OAuth federation involves the exchange of tokens and claims between disparate trust domains. If excessive or unnecessary user data is included in these tokens, it may lead to unintended privacy consequences. As noted in [RFC8693] and [RFC7523], deployments should determine the minimum amount of information necessary to complete the exchange and ensure that only that information is included in the token.¶
Inconsistent user privacy practices within OAuth federation can result from varying interpretations and implementations of the protocol across different domains. This inconsistency can lead to a lack of transparency and user control over what data is shared and with whom. To mitigate this, federation trust relationships between domains must be carefully established and maintained with user privacy in mind. This includes verifying that privacy policies are aligned across trust domains and clearly define how user data is collected, used, and protected.¶
This sections outlines some use cases where the identity and authorization chaining described in this document can be applied. The use cases described are not exhaustive, but are representative of the type of use cases enabled by this specification. Other use cases may also be supported by this specification.¶
A user attempts to access a service that is implemented as a number of on-premise and cloud-based microservices. Both the on-premise and cloud-based services are segmented by multiple trust boundaries that span one or more on-premise or cloud service environments. Every microservice can apply an authorization policy that takes the context of the original user, as well as intermediary microservices into account, irrespective of where the microservices are running and even when a microservice in one trust domain calls another service in another trust domain.¶
A continuous integration system needs to access external resources, for example to upload an artifact or to run tests. These resources are protected by different authorization servers. The identity information of the build, for example metadata such as commit hashes or repository, should be preserved and carried across the domain boundary. This not just prevents maintaining credentials it also allows fine grained access control at the resource.¶
A home devices company provides a "Camera API" to enable access to home cameras. Partner companies use this Camera API to integrate the camera feeds into their security dashboards. Using OAuth between the partner and the Camera API, a partner can request the feed from a home camera to be displayed in their dashboard. The user has an account with the camera provider. The user may be logged in to view the partner provided dashboard, or they may authorize emergency access to the camera. The home devices company must be able to independently verify that the request originated and was authorized by a user who is authorized to view the feed of the requested home camera.¶
A user that authenticated to an enterprise Identity Provider (IdP) does not have to sign-in to multiple SaaS applications if the SaaS applications are configured to trust the enteprise IdP. It is possible to extend this SSO relationship to API access by allowing the Client to contact the enterprise IdP and exchange the identity assertion (ID Token or SAML Token) that it previously received from the enteprise IdP for an authorization grant. The authorization grant can be used to obtain an access token from the SaaS application's authorization server, provided that a trust relationship has been established between the enterprise IdP which issues the authorization grant and the SaaS authorization server. As a result SaaS servers that trust the enterprise IdP do not require the user to complete an interactive delegated OAuth 2.0 flow to obtain an access token to access the SaaS provider's APIs.¶
This section contains two examples, demonstrating how this specification may be used in different environments with specific requirements. The first example shows the resource server acting as the client and the second example shows the authorization server acting as the client.¶
As part of completing a request, a resource server in trust domain A may need to access a resource server in trust domain B. This requires the resource server in trust domain A to obtain an Access Token from an authorization server in trust domain B, which it may then present to the resource server in trust domain B. A resource server in trust domain A may use the flows described in this specification by assuming the role of a client when attempting to access the resource server in trust domain B. Resource servers may act as clients if the following is true:¶
The resource server has the ability to determine the authorization server of the protected resource outside trust domain A.¶
The authorization server in trust domain B is reachable by the resource server in trust domain A and is able to perform the appropriate client authentication (if required).¶
The flow would look like this:¶
+-------------+ +---------------+ +-------------+ +---------+
|Authorization| |Resource Server| |Authorization| |Protected|
|Server | |Trust Domain A | |Server | |Resource |
|Trust | |(acting as | |Trust | |Trust |
|Domain A | | a client) | |Domain B | |Domain B |
+-------------+ +---------------+ +-------------+ +---------+
| | | |
| | (A) request protected resource |
| | metadata |
| | --------------------------------->|
| | <- - - - - - - - - - - - - - - - -|
| | | |
| (B) exchange token | | |
| [RFC 8693] | | |
|<--------------------| | |
| | | |
| (C) <authorization | | |
| grant> | | |
| - - - - - - - - - >| | |
| | | |
| | (D) present | |
| | authorization | |
| | grant [RFC 7523] | |
| |-------------------->| |
| | | |
| | (E) <access token> | |
| |<- - - - - - - - - - | |
| | | |
| | (F) access |
| | --------------------------------->|
| | | |
| | | |
The flow contains the following steps:¶
The resource server of trust domain A needs to access protected resource in trust domain B. It requires an access token to do so. In order to obtain the required access token, the resource server in trust domain A will act as a client.¶
(A) The resource server (acting as a client) in trust domain A requests protected resource metadata from the resource server in trust domain B as described in [RFC9728]. It uses the resource metadata to discover information about the authorization server for trust domain B. This step MAY be skipped if discovery is not needed and other means of discovery MAY be used. The protected resource in trust domain B returns its metadata along with the authorization server information in trust domain A.¶
(B) Once the resource server (acting as a client) in trust domain A identified the authorization server for trust domain B, it requests a JWT authorization grant for the authorization server in trust domain B from the authorization server in trust domain A (it's own authroization server). This happens via the token exchange protocol (See Token Exchange (Section 2.3)).¶
(C) If successful, the authorization server in trust domain A returns a JWT authorization grant to the resource server (acting as client) in trust domain A.¶
(D) The resource server (acting as client) in trust domain A presents the JWT authorization grant to the authroization server in trust domain B.¶
(E) The authroization server in trust domain B uses claims from the JWT authorization grant to identify the user and establish additional authorization context. If access is granted, the authroization server in trust domain B returns an access token.¶
(F) The resource server (acting as a client) in trust domain A uses the access token to access the protected resource in trust Domain B.¶
In some environments, there is a need to bind the access token issued by the authorization server in trust domain B to a private key held by the client in trust domain A. This is so that the resource server in trust domain B can verify the proof of possession of the private key of the client in trust domain A when the client in trust domain A presents the token to the resource server in trust domain B. Any application in trust domain A may act as a client, including applications that are resource servers in trust domain A and need to access resource servers in trust domain B in order to complete a request.¶
In the case where the resource server in trust domain A is acting as the client, the access token may be constrained using existing techniques as described in Security Considerations (See Sender Constraining Tokens (Section 5.2)).¶
The case where the authorization server in trust domain A is acting as a client is more complicated since the authorization server in trust domain A (acting as client) does not have access to the key material of the client on whose behalf the access token is being requested.¶
However, the trust relationship between the authorization server in trust domain A and the authorization server in trust domain B can be leveraged to sender constrain the access token issued by the authorization server in trust domain B. This can be achieved as follows.¶
The authorization server in trust domain A verifies proof of possession of the key presented by the client.¶
The authorization server in trust domain A then conveys the key of the client in trust domain A in the token request sent to the authorization server in trust domain B. This can, for example, be accomplished by including a "requested_cnf" claim that contains the "cnf" claim of the client in trust domain A, in the assertion authorization grant sent to the authorization server in trust domain B.¶
The authorization server in trust domain B then includes a "cnf" claim that matches the value of the "requested_cnf" claim included in the authorization grant in the returned access token.¶
The client in trust domain A that presents the access token must use the key matching the "cnf" claim to generate a DPoP proof or setup a MTLS session when presenting the access token to a resource server in in trust domain B.¶
The editors would like to thank Joe Jubinski, Justin Richer, Dean H. Saxe, and others (please let us know, if you've been mistakenly omitted) for their valuable input, feedback and general support of this work.¶
[[ To be removed from the final specification ]]¶
-05¶
Editorial pass on Appendix for consistency¶
Clarified introduction¶
Added security considerations for unconstrained authorization grants.¶
Updated some contributors' affiliation and contact information¶
Added examples in claims transcription text¶
Simplify some text in the JWT Authorization Grant section¶
Fix some toolchain complaints and other nitpicks¶
Added some Privacy Considerations¶
Move Mr. Parecki from acknowledgements to contributors in acknowledgement of his contributions¶
Added Authorization Server Metadata registry to publish supported Token Exchange requested token types¶
-04¶
Clarified diagrams and description of authorization server acting as a client.¶
Remove references to sd-jwt.¶
Added text to recommend use of explicit typing.¶
Added security consideration on preventing lateral moves.¶
Editorial updates to be consistent about the trust domain for a client, authorization server or resource server.¶
Added sender constraining of tokens to security considerations¶
-03¶
Editorial updates¶
-02¶
remove recommendation to not use RFC8693's requested_token_type¶
Corrected discrepancy between alphabetic numbering of the diagram and text in the resource acting as client example¶
-01¶
limit the authorization grant format to RFC7523 JWT¶
minor example fixes¶
editorial fixes¶
added Aaron Parecki to acknowledgements¶
renamed section headers to be more explicit¶
use more specific term "JWT authorization grant"¶
changed name to "OAuth Identity and Authorization Chaining Across Domains"¶
move use cases to appendix and add continuous integration use case¶
-00¶
initial working group version (previously draft-schwenkschuster-oauth-identity-chaining)¶