For all practical purposes, it is not likely that an enterprise IdP will want to publish a list of all possible Resource Authorization Servers and scopes that are configured. We do not expect the IdP's Authorization Server Metadata to include data from other trust domains.
There is an open issue to discuss how a Client can discover the possible Resources it can obtain an ID-JAG for from the IdP: https://github.com/oauth-wg/oauth-identity-assertion-authz-grant/issues/52

The current thinking is that this would be better accomplished by defining a new API resource at the IdP, analogous to "userinfo", which returns a list of resources supported based on the context of the user presented in the request. This could then also include the list of scopes per resource.

Aaron

On Fri, Dec 5, 2025 at 12:10 AM Judith Kahrer <judith.kahrer= [email protected]> wrote:
> Hello,
>
> While studying draft 01 of the Identity Assertion JWT Authorization Grant,
> I started wondering how the fact that the IdP Authorization Server handles
> scopes for a different trust domain impacts the ecosystem, like the
> authorization server metadata.
>
> To my understanding the IdP Authorization Server supports scopes for
> different - possibly multiple - trust domains. Doesn't that affect the
> meaning of the scopes_supported property in the authorization server
> metadata? Shouldn't the IdP Authorization Server in its authorization
> server metadata also include which trust domains and what scopes for those
> trust domains it supports? Currently, section 6 "Authorization Server (IdP)
> Metadata" only specifies the urn:ietf:params:oauth:token-type:id-jag as a
> value for identity_chaining_requested_token_types_supported. I get the
> feeling that this is not enough. What do you think?
>
> Best regards,
> Judith Kahrer
>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
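As an added illustration of the metadata point discussed above (this is example code written for this page, not code from the draft or from the OAuth WG): a client that reads the IdP's Authorization Server Metadata (RFC 8414) can learn only two things relevant to ID-JAG from it, that the issuer is the one it expected and that the IdP advertises the id-jag requested token type. The `scopes_supported` list describes the IdP's own scopes, so a resource-specific scope missing from it tells the client nothing about whether an ID-JAG for that resource would be granted. The metadata document below is constructed for the example; the field names are the ones RFC 8414 and the identity chaining / ID-JAG drafts define.

```python
"""Client-side checks on IdP Authorization Server Metadata before
requesting an Identity Assertion JWT Authorization Grant (ID-JAG).

Added example; not code from the ID-JAG draft. The metadata document is
constructed for illustration.
"""
import json

# Requested token type registered by the ID-JAG draft (section 6 of draft 01).
ID_JAG_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id-jag"

# Constructed sample of what an IdP might serve at
# /.well-known/oauth-authorization-server. scopes_supported lists only the
# IdP's own scopes; it says nothing about other trust domains.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://idp.example",
    "token_endpoint": "https://idp.example/oauth2/token",
    "scopes_supported": ["openid", "profile", "email"],
    "identity_chaining_requested_token_types_supported": [ID_JAG_TOKEN_TYPE],
})


def issuer_matches(md: dict, expected_issuer: str) -> bool:
    """RFC 8414 section 3.3: the issuer in the document must equal the
    issuer the client derived the well-known URL from, else the document
    may have been served for a different (or attacker-chosen) issuer."""
    return md.get("issuer") == expected_issuer


def parse_metadata(doc: str, expected_issuer: str) -> dict:
    """Parse the metadata and reject it if the issuer does not match or if
    there is no token endpoint to send the ID-JAG request to."""
    md = json.loads(doc)
    if not issuer_matches(md, expected_issuer):
        raise ValueError("issuer mismatch: %r != %r" % (md.get("issuer"), expected_issuer))
    if "token_endpoint" not in md:
        raise ValueError("token_endpoint missing; cannot request an ID-JAG")
    return md


def supports_id_jag(md: dict) -> bool:
    """True if the IdP advertises id-jag as a supported requested token type."""
    types = md.get("identity_chaining_requested_token_types_supported", [])
    return ID_JAG_TOKEN_TYPE in types


def plan_id_jag_request(md: dict, resource: str, scopes: list[str]) -> dict:
    """Decide whether to attempt an ID-JAG request for `resource` and
    record what the metadata could and could not verify. A scope absent
    from scopes_supported is noted, not treated as a failure, because that
    list belongs to the IdP's trust domain, not the resource's."""
    if not supports_id_jag(md):
        return {"attempt": False, "reason": "IdP does not advertise id-jag"}
    idp_scopes = set(md.get("scopes_supported", []))
    unverifiable = [s for s in scopes if s not in idp_scopes]
    return {
        "attempt": True,
        "token_endpoint": md["token_endpoint"],
        "resource": resource,
        "scopes": scopes,
        # Only the resource server (or a future discovery endpoint at the
        # IdP) can say whether these scopes are valid for `resource`.
        "scopes_not_in_idp_metadata": unverifiable,
    }


if __name__ == "__main__":
    md = parse_metadata(SAMPLE_METADATA, "https://idp.example")
    print(json.dumps(plan_id_jag_request(md, "https://chat.example", ["chat.read"]), indent=2))
```

Running the block shows `chat.read` flagged as not verifiable from the IdP's metadata while the request is still attempted; that is the gap the thread is about, and the reason the proposed userinfo-like resource listing would have to live outside the existing metadata document.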
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
