The Web Authorization Protocol (oauth) WG in the Security Area of the IETF is
undergoing rechartering. The IESG has not made any determination yet. The
following draft charter was submitted, and is provided for informational
purposes only. Please send your comments to the IESG mailing list
([email protected]) by 2026-05-31.

Web Authorization Protocol (oauth)
-----------------------------------------------------------------------
Current status: Active WG

Chairs:
  Hannes Tschofenig <[email protected]>
  Rifaat Shekh-Yusef <[email protected]>

Assigned Area Director:
  Deb Cooley <[email protected]>

Security Area Directors:
  Deb Cooley <[email protected]>
  Christopher Inacio <[email protected]>

Mailing list:
  Address: [email protected]
  To subscribe: https://www.ietf.org/mailman/listinfo/oauth
  Archive: https://mailarchive.ietf.org/arch/browse/oauth/

Group page: https://datatracker.ietf.org/group/oauth/

Charter: https://datatracker.ietf.org/doc/charter-ietf-oauth/

The Web Authorization (OAuth) protocol is a delegation protocol that allows
users to grant third-party applications limited access to their resources
without sharing their long-term credentials, or even their identity. For
example, a photo-sharing site that supports OAuth could allow its users to
use a third-party printing website to print their private pictures, without
allowing the printing site to gain full control of the user's account and
without requiring the user to share their long-term credentials with the
printing site.

As automated agents increasingly act on behalf of users, organizations, or
both, these delegation patterns become increasingly complex.

The OAuth 2.0 protocol framework already includes:

- A procedure for enabling a client to register with an authorization server.
- A protocol for obtaining authorization tokens from an authorization server
  with the resource owner's consent.
- Protocols for presenting these authorization tokens to protected resources
  for access.

This framework has been enhanced with functionality for interworking with
legacy identity infrastructure, token revocation, token exchange, dynamic
client registration, token introspection, and standardized formats like JSON
Web Token (JWT). It also includes specifications to mitigate security
attacks, such as Proof Key for Code Exchange (PKCE), native app support,
step-up authentication, and Demonstrating Proof of Possession (DPoP).

## Work Program

The working group is now tackling these topics which will be published
primarily as Standards Track or BCPs:

- Consolidation: Finalizing OAuth 2.1 to consolidate the core framework and
  incorporate established security best practices into a single baseline.
- Digital Credentials: Completing Selective Disclosure for JSON Web Tokens
  (SD-JWT), SD-JWT-based Verifiable Credentials (SD-JWT VC), and Token Status
  List (TSL) to support privacy-preserving attribute disclosure.
- Complex Delegation: Developing new mechanisms and/or extensions for
  authorization of automated agents working on behalf of users, including
  addressing scenarios where automated agents act across multiple
  administrative domains.
- First-Party Integration: Standardizing patterns for first-party applications
  to provide a secure, interoperable alternative to proprietary extensions.
- Security Maintenance: Maintaining and updating Best Current Practices (BCPs)
  for browser-based and native applications to address evolving web security
  models.

## Coordination

To ensure interoperability and avoid duplication of effort, the working group
will coordinate with:

- WIMSE (Workload Identity in Multi-System Environments): On the application
  of OAuth-based tokens (e.g., Token Exchange and DPoP) for service-to-service
  and multi-hop workload identities.
- Secure Patterns for Internet CrEdentials (SPICE): On the application of
  SD-CWT and other CBOR-related work.
- EU Digital Identity Wallet: To ensure that SD-JWT and related credential
  formats remain compatible with broader architectural requirements for
  digital wallets and verifiable presentations.

Milestones:

  Jul 2026 - Submit “SD-JWT-based Verifiable Digital Credentials (SD-JWT VC)”
  to the IESG

  Dec 2026 - Submit “OAuth 2.1 Authorization Framework” to the IESG

  Dec 2026 - Submit “Transaction Tokens” to the IESG


_______________________________________________
IETF-Announce mailing list -- [email protected]