Apologies for the last-minute feedback. Here are some issues that I've gathered while implementing TTS for Keycloak, from the conference sessions etc.:
- Security considerations for subject_token validation: guidance on token revocation checks using different methods
  https://github.com/oauth-wg/oauth-transaction-tokens/issues/321
- request_context handling: recommendation to accept request_context only from specific workloads and for specific calls
  https://github.com/oauth-wg/oauth-transaction-tokens/issues/322
- Elaborate on the authn parameter values
  https://github.com/oauth-wg/oauth-transaction-tokens/issues/323
- Minor bugs and typos
  https://github.com/oauth-wg/oauth-transaction-tokens/issues/324
- "Downscoping" transaction tokens to particular target workloads
  https://github.com/oauth-wg/oauth-transaction-tokens/issues/325
- Implementing cross-domain transaction tokens
  https://github.com/oauth-wg/oauth-transaction-tokens/issues/326

- Dmitry

On Fri, Mar 27, 2026 at 12:20 PM Rifaat Shekh-Yusef via Datatracker <[email protected]> wrote:

> This message starts a WG Last Call for:
> draft-ietf-oauth-transaction-tokens-08
>
> This Working Group Last Call ends on 2026-04-10
>
> Abstract:
> Transaction Tokens (Txn-Tokens) are designed to maintain and
> propagate user identity, workload identity and authorization context
> throughout the Call Chain within a trusted domain during the
> processing of external requests (e.g. such as API calls) or requests
> initiated internally within the trust domain. Txn-Tokens ensure that
> this context is preserved throughout the Call Chain thereby enhancing
> security and consistency in complex, multi-service architectures.
>
> File can be retrieved from:
>
> Please review and indicate your support or objection to proceed with the
> publication of this document by replying to this email keeping
> [email protected]
> in copy. Objections should be explained and suggestions to resolve them are
> highly appreciated.
>
> Authors, and WG participants in general, are reminded of the Intellectual
> Property Rights (IPR) disclosure obligations described in BCP 79 [1].
> Appropriate IPR disclosures required for full conformance with the
> provisions
> of BCP 78 [1] and BCP 79 [2] must be filed, if you are aware of any.
> Sanctions available for application to violators of IETF IPR Policy can be
> found at [3].
>
> Thank you.
>
> [1] https://datatracker.ietf.org/doc/bcp78/
> [2] https://datatracker.ietf.org/doc/bcp79/
> [3] https://datatracker.ietf.org/doc/rfc6701/
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-oauth-transaction-tokens-08.html
>
> A diff from the previous version is available at:
>
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-transaction-tokens-08
>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
