+1 on the proposal

Jean-François “Jeff” Lombardo | Amazon Web Services
Principal Solutions Architect, Security Specialist
Montréal, Canada

Thoughts on our interaction? Provide feedback here: https://feedback.aws.amazon.com/?ea=jeffsec&fn=Jean%20Francois&ln=Lombardo

From: Karl McGuinness <[email protected]>
Sent: December 5, 2025 12:12 PM
To: Brian Campbell <[email protected]>
Cc: Aaron Parecki <[email protected]>; Judith Kahrer <[email protected]>; oauth <[email protected]>
Subject: [OAUTH-WG] Re: Identity Assertion JWT Authorization Grant - RAR

+1 I think it helps connect the dots for folks that don't have all the specs paged into context. I was going to add a non-normative example in a future update, as I already have been asked this a few times. I can open a GitHub issue to track.

-Karl

On Fri, Dec 5, 2025 at 8:52 AM Brian Campbell <[email protected]> wrote:

Agree with Aaron's perspective here. But it might be useful to have a small note saying as much. I wonder if we should also consider describing/defining use of the authorization_details claim in the ID-JAG, similar to scope?
On Fri, Dec 5, 2025 at 9:24 AM Aaron Parecki <[email protected]> wrote:

Yes, RAR can definitely be layered onto this flow. Section 3 of RAR says "The authorization_details authorization request parameter can be used to specify authorization requirements in all places where the scope parameter is used for the same purpose" (https://datatracker.ietf.org/doc/html/rfc9396#section-3).

It's not strictly necessary to list authorization_details as a supported parameter in the Token Exchange request and in the ID-JAG claims in order to use it in those places, as they are already extensible. However, if you think it would be helpful to have an explicit pointer to RAR, I can definitely add it.

Aaron

On Fri, Dec 5, 2025 at 12:26 AM Judith Kahrer <[email protected]> wrote:

Hi,

I have another thought about processing the ID-JAG... The ID-JAG is a grant. As such, shouldn't it support RAR (RFC 9396, https://datatracker.ietf.org/doc/html/rfc9396#name-authorization-request)? For example, add authorization_details as an optional claim in the list of claims in section 3 and as a parameter to the relevant request and responses.

Best regards,
Judith

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
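The following is an added example, not code from the draft, the thread, or any of its participants, to make concrete the point Aaron raises above: RFC 9396 authorization_details can sit wherever scope would, both in the RFC 8693 token exchange that obtains the ID-JAG and as a claim inside it, and the receiving authorization server must still validate it. The claim names, the "oauth-id-jag+jwt" typ value, the id-jag token-type URN and the use of the ID-JAG as an RFC 7523 jwt-bearer assertion are my assumptions about the draft, not facts from the page; HS256 with a constructed shared key stands in for the IdP's real (asymmetric) signing key so the code runs offline.

```python
# Added example (not from the thread or the ID-JAG draft): layering RFC 9396
# authorization_details onto an ID-JAG in place of `scope`.
# Assumptions, labelled: claim names, the "oauth-id-jag+jwt" typ, the id-jag
# token-type URN and the jwt-bearer presentation step follow my reading of
# the draft; the HS256 shared key is a constructed stand-in for a real key.
import base64
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"constructed-demo-key-not-for-real-use"  # constructed placeholder


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def validate_authorization_details(details):
    """RFC 9396 section 2 shape check: a non-empty JSON array of objects,
    each carrying a string `type` member. Raises ValueError otherwise."""
    if not isinstance(details, list) or not details:
        raise ValueError("authorization_details must be a non-empty array")
    for entry in details:
        if not isinstance(entry, dict) or not isinstance(entry.get("type"), str):
            raise ValueError("each authorization_details entry needs a string 'type'")
    return details


def build_token_exchange_request(id_token, audience, authorization_details):
    """Client -> IdP: RFC 8693 token exchange asking for an ID-JAG. The
    authorization_details parameter goes where `scope` would (RFC 9396 s.3)."""
    validate_authorization_details(authorization_details)
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_token_type": "urn:ietf:params:oauth:token-type:id-jag",  # assumed URN
        "subject_token": id_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
        "audience": audience,
        "authorization_details": json.dumps(authorization_details),
    }


def issue_id_jag(issuer, client_id, subject, request, now):
    """IdP: mint the ID-JAG with the approved authorization_details as a claim."""
    details = validate_authorization_details(json.loads(request["authorization_details"]))
    header = {"alg": "HS256", "typ": "oauth-id-jag+jwt"}  # typ value is an assumption
    claims = {
        "iss": issuer, "sub": subject, "aud": request["audience"],
        "client_id": client_id, "jti": secrets.token_urlsafe(16),
        "iat": now, "exp": now + 300,
        "authorization_details": details,
    }
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    tag = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def build_jwt_bearer_request(jag, authorization_details=None):
    """Client -> resource AS: present the ID-JAG as an RFC 7523 assertion
    (assumed presentation step), optionally narrowing the details requested."""
    body = {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", "assertion": jag}
    if authorization_details is not None:
        body["authorization_details"] = json.dumps(validate_authorization_details(authorization_details))
    return body


def verify_id_jag(jag, expected_issuer, expected_audience, now):
    """Resource AS: check signature, typ, iss, aud and exp before trusting the
    authorization_details claim. Raises ValueError on any failure."""
    parts = jag.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, claims_b64, tag_b64 = parts
    expected_tag = hmac.new(SHARED_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, b64url_decode(tag_b64)):
        raise ValueError("bad signature")
    if json.loads(b64url_decode(header_b64)).get("typ") != "oauth-id-jag+jwt":
        raise ValueError("unexpected typ")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_audience:
        raise ValueError("iss/aud mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    validate_authorization_details(claims.get("authorization_details"))
    return claims


def covered_by_grant(granted, requested):
    """Resource AS: every entry the token request asks for must appear verbatim
    in the ID-JAG, mirroring the RFC 9396 rule that a token request may not
    widen the details beyond what was granted."""
    return all(entry in granted for entry in requested)


if __name__ == "__main__":
    # Constructed sample input, not a real deployment.
    details = [{"type": "customer_information", "actions": ["read"]}]
    req = build_token_exchange_request("constructed.id.token", "https://as.resource.example", details)
    jag = issue_id_jag("https://idp.example", "client-123", "user-42", req, now=1000)
    print(verify_id_jag(jag, "https://idp.example", "https://as.resource.example", now=1100))
```

The subset check in covered_by_grant is the part a reviewer of the draft text would want spelled out: once authorization_details is a claim, the resource-side AS must compare what the client asks for against what the IdP actually put in the grant, exactly as it would with scope.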
