+1 to the overall proposal and Brian's suggestion. I think it's always beneficial to explicitly call out such things, if nothing else just to note that there are no particular complications when combining the specs.
Cheers,
Frederik

On Sun, 7 Dec 2025 at 22:59, Lombardo, Jeff <jeffsec=[email protected]> wrote:
> +1 on the proposal
>
> Jean-François "Jeff" Lombardo | Amazon Web Services
> Principal Solution Architect, Security Specialist
> Montréal, Canada
>
> From: Karl McGuinness <[email protected]>
> Sent: December 5, 2025 12:12 PM
> To: Brian Campbell <[email protected]>
> Cc: Aaron Parecki <[email protected]>; Judith Kahrer <[email protected]>; oauth <[email protected]>
> Subject: [EXT] [OAUTH-WG] Re: Identity Assertion JWT Authorization Grant - RAR
>
> +1
>
> I think it helps connect the dots for folks that don't have all the specs paged into context. I was going to add a non-normative example in a future update, as I already have been asked this a few times. I can open a GitHub issue to track.
>
> -Karl
>
> On Fri, Dec 5, 2025 at 8:52 AM Brian Campbell <bcampbell=[email protected]> wrote:
>
> Agree with Aaron's perspective here. But it might be useful to have a small note saying as much. I wonder if we should also consider describing/defining using the authorization_details claim in the ID-JAG similar to scope?
>
> On Fri, Dec 5, 2025 at 9:24 AM Aaron Parecki <aaron=[email protected]> wrote:
>
> Yes, RAR can definitely be layered onto this flow. Section 3 of RAR says "The authorization_details authorization request parameter can be used to specify authorization requirements in all places where the scope parameter is used for the same purpose" https://datatracker.ietf.org/doc/html/rfc9396#section-3
>
> It's not strictly necessary to list authorization_details as a supported parameter in the Token Exchange request and in the ID-JAG claims in order to use it in those places, as they are already extensible. However, if you think it would be helpful to have an explicit pointer to RAR I can definitely add it.
>
> Aaron
>
> On Fri, Dec 5, 2025 at 12:26 AM Judith Kahrer <judith.kahrer=[email protected]> wrote:
>
> Hi,
>
> I have another thought about processing the ID-JAG... The ID-JAG is a grant. As such, shouldn't it support RAR (RFC 9396 <https://datatracker.ietf.org/doc/html/rfc9396#name-authorization-request>)? For example, add authorization_details as an optional claim in the list of claims in section 3 and as a parameter to the relevant request and responses.
>
> Best regards,
> Judith

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
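The layering Aaron and Judith discuss, as an added example that is not part of this thread or of the draft: a client builds the Token Exchange request with authorization_details where scope would go, the ID-JAG carries the same objects as a claim, and the resource side checks them against RFC 9396's structure. The ID-JAG claim names and the two token type URNs are assumed from the draft, the detail objects are constructed sample values, and the `permits` policy is this example's own, not the spec's.

```python
import json
import time

ARRAY_FIELDS = ("locations", "actions", "datatypes", "privileges")  # RFC 9396 s2.2

def validate_authorization_details(details):
    """RFC 9396 section 2: non-empty array of objects, each with a string 'type';
    the common array fields hold strings and 'identifier' is a string."""
    if not isinstance(details, list) or not details:
        raise ValueError("authorization_details must be a non-empty array")
    for obj in details:
        if not isinstance(obj, dict) or not isinstance(obj.get("type"), str):
            raise ValueError("each authorization detail needs a string 'type'")
        for field in ARRAY_FIELDS:
            val = obj.get(field, [])
            if not isinstance(val, list) or not all(isinstance(v, str) for v in val):
                raise ValueError(f"'{field}' must be an array of strings")
        if not isinstance(obj.get("identifier", ""), str):
            raise ValueError("'identifier' must be a string")
    return details

def token_exchange_request(subject_token, audience, resource, details):
    """RFC 8693 form parameters for an ID-JAG; RFC 9396 section 3 puts authorization_details
    in the request as a JSON-encoded string where scope would go. URNs assumed from the draft."""
    validate_authorization_details(details)
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_token_type": "urn:ietf:params:oauth:token-type:id-jag",
        "audience": audience,
        "resource": resource,
        "subject_token": subject_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
        "authorization_details": json.dumps(details, separators=(",", ":")),
    }

def id_jag_claims(issuer, subject, audience, client_id, jti, details, ttl=300):
    """ID-JAG claims (names assumed from the draft) plus an optional authorization_details
    claim; inside a JWT it is a JSON array, not a string (cf. RFC 9396 section 9.1)."""
    now = int(time.time())
    return {"iss": issuer, "sub": subject, "aud": audience, "client_id": client_id,
            "jti": jti, "iat": now, "exp": now + ttl,
            "authorization_details": validate_authorization_details(details)}

def permits(claims, type_, location, action):
    """Resource-side check (policy assumed): a detail of that type whose locations and
    actions, when present, contain the requested location and action."""
    return any(obj["type"] == type_ and location in obj.get("locations", [location])
               and action in obj.get("actions", [action])
               for obj in claims.get("authorization_details", []))
```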
