Hi all,
We had a meeting today (notes here <https://hackmd.io/@rpc-sec-wg/HJNXYKkk0>)
in which we discussed the question of what we should do if there is no
incoming (external) token in the request to issue a Transaction Token
<https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/>
(TraT). We identified a few circumstances under which this can happen:

   - The requesting service is triggered by a non-OAuth based flow such as
   email or an internal trigger
   - The client of the requesting service uses means other than an access
   token to authorize the call (e.g. MTLS)

We identified a few possibilities listed below. Please note that the
Transaction Tokens draft assumes that the TraT Service trusts the
requesting service, so all the possibilities below assume this.

Here are some possibilities we discussed:

   1. *Request Details*: Put the subject information in the request_details
   parameter of the TraT request, and the subject_token value is set to "N_A"
   2. *Self-Signed Token*: The requester generates a self-signed JWT that
   has the subject information and puts that in the subject_token value
   3. *Separate Endpoint*: The TraT service exposes a separate
   endpoint to issue TraTs when there is no incoming token, and that endpoint
   can be defined such that the request does not have a subject_token
   parameter. This endpoint is not a profile of OAuth Token Exchange
   4. *Separate Endpoint Only*: Extending the thought above, the requester
   can always extract the content of the incoming token into the
   "request_details" parameter, so why do we need the Token Exchange endpoint?

We would like to understand how the group feels about these choices, or if
you have other suggestions / thoughts on this topic.

Thanks,
Atul

-- 

<https://sgnl.ai>

Atul Tulshibagwale

CTO

<https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
<a...@sgnl.ai>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
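The request shapes of options 1 and 2 above, together with the check a TraT service would run on them before trusting the asserted subject, as an added example that is not part of this message or of the draft. The txn_token type URI, the subject_token_type used alongside "N_A", the audience/scope values and the HS256 shared key per requester are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time
# First two URIs are from RFC 8693; the txn_token one is assumed for this example.
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
TXN_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:txn_token"

def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def self_signed_jwt(issuer: str, subject: dict, key: bytes, ttl: int = 60) -> str:
    """Option 2: the requester asserts the subject in a JWT it signs itself (HS256, stdlib only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def build_trat_request(option: int, requester: str, subject: dict, key: bytes = b"") -> dict:
    """Requester side: form parameters of the token-exchange request for options 1 and 2."""
    params = {"grant_type": TOKEN_EXCHANGE, "requested_token_type": TXN_TOKEN_TYPE,
              "audience": "trust-domain.example", "scope": "orders.write"}  # constructed values
    if option == 1:   # no incoming token: subject travels in request_details, subject_token is "N_A"
        params.update(subject_token="N_A", subject_token_type=JWT_TYPE,  # type for "N_A" is assumed
                      request_details=json.dumps({"subject": subject}))
    elif option == 2:
        params.update(subject_token=self_signed_jwt(requester, subject, key), subject_token_type=JWT_TYPE)
    return params

def resolve_subject(params: dict, requester: str, trusted_keys: dict) -> dict:
    """TraT-service side: accept a subject only from a source bound to an authenticated, trusted requester."""
    if requester not in trusted_keys:          # the draft's trust assumption, enforced explicitly
        raise PermissionError("requesting service is not trusted")
    token = params["subject_token"]
    if token == "N_A":                         # option 1: the subject must then be in request_details
        details = json.loads(params.get("request_details", "{}"))
        if "subject" not in details:
            raise ValueError("neither subject_token nor request_details carries a subject")
        return details["subject"]
    h, p, s = token.split(".")                 # option 2: verify with the key of *this* requester
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")     # never let the token choose the algorithm
    expected = hmac.new(trusted_keys[requester], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("self-signed token was not signed by the authenticated requester")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != requester or claims.get("exp", 0) < time.time():
        raise ValueError("issuer does not match requester, or token expired")
    return claims["sub"]
```

Whichever option is chosen, the subject is only as trustworthy as the requester's authentication to the TraT service, which is why the check keys the verification on the authenticated requester rather than on anything inside the request.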