(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard,
Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this
type of RFC indicated in the title page header?
The draft-ietf-oauth-token-exchange-10 is a Standards Track document that extends OAuth
2.0 and defines a new protocol for Security Token Service (STS) to be used by OAuth elements
(e.g. Clients, Resource Servers, etc) to exchange one token for another.
(2) The IESG approval announcement includes a Document Announcement Write-Up.
Please provide such a Document Announcement Write-Up. Recent examples can be
found in the "Action" announcements for approved documents. The approval
announcement contains the following sections:
This specification defines a protocol for an HTTP- and JSON- based Security Token
Service (STS) by defining how to request and obtain security tokens from OAuth 2.0
authorization servers, including security tokens employing impersonation and delegation.
The specification extends the scope of the Authorization Server (AS) to act as an STS to
allow the AS to exchange one token for another. The working group thinks that this is a
useful Standards Track document.
Working Group Summary:
The WG document is the result of the merge of two individual documents that tried to
address this issue of token exchange: draft-jones-oauth-token-exchange and draft-
The scope of the first few revisions of the document was limited, and there was a long
discussion of addressing a Token Chaining use case:
The WG document was extended to address the Token Chaining use case.
The individual and WG documents were reviewed by a large number of participants, with
lively and long discussions on the mailing list and during the WG meetings.
One participant, Denis (firstname.lastname@example.org), raised some privacy & security concerns with
the WG document, which was not shared by the rest of the group. Denis was encouraged
by the group to write a draft on the subject to allow for a better and clear understanding
of his concerns, or discuss the security issues in the context of the OAuth Security Topics
The document has been implemented by Salesforce, Microsoft, Box, Indigo IAM, Unity
IdM, and partial implementation by RedHat.
The document shepherd is Rifaat Shekh-Yusef.
The responsible Area Director is Eric Rescorla.
(3) Briefly describe the review of this document that was performed by the Document
Shepherd. If this version of the document is not ready for publication, please explain
why the document is being forwarded to the IESG.
The document shepherd has reviewed several versions of this document, including the last one,
feels the document is ready.
(4) Does the document Shepherd have any concerns about the depth or breadth of the
reviews that have been performed?
The document shepherd has no concerns with the level of reviews, as the document was
discussed and reviewed by many participants.
(5) Do portions of the document need review from a particular or from broader
perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or
internationalization? If so, describe the review that took place.
Security review is always needed and appreciated.
(6) Describe any specific concerns or issues that the Document Shepherd has with this
document that the Responsible Area Director and/or the IESG should be aware of? For
example, perhaps he or she is uncomfortable with certain parts of the document, or
has concerns whether there really is a need for it. In any event, if the WG has
discussed those issues and has indicated that it still wishes to advance the document,
detail those concerns here.
The document shepherd has no such concerns.
(7) Has each author confirmed that any and all appropriate IPR disclosures required
for full conformance with the provisions of BCP 78 and BCP 79 have already been filed.
If not, explain why?
(8) Has an IPR disclosure been filed that references this document? If so, summarize
any WG discussion and conclusion regarding the IPR disclosures.
No such IPR disclosures.
(9) How solid is the WG consensus behind this document? Does it represent the strong
concurrence of a few individuals, with others being silent, or does the WG as a whole
understand and agree with it?
There is a solid support for this document from the WG, with the exception of the individual
(10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If
so, please summarise the areas of conflict in separate email messages to the
Responsible Area Director. (It should be in a separate email because this questionnaire
is publicly available.)
No such threat or discontent, with the exception of the individual mentioned above with his
privacy and security concerns.
(11) Identify any ID nits the Document Shepherd has found in this document. (See
http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate
checks are not enough; this check needs to be thorough.
One nit found:
** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259)
(12) Describe how the document meets any required formal review criteria, such as
the MIB Doctor, media type, and URI type reviews.
No such reviews are necessary.
(13) Have all references within this document been identified as either normative or
(14) Are there normative references to documents that are not ready for advancement
or are otherwise in an unclear state? If such normative references exist, what is the
plan for their completion?
No such references.
(15) Are there downward normative references (see RFC 3967)? If so, list these
downward references to support the Area Director in the Last Call procedure.
No such references.
(16) Will publication of this document change the status of any existing RFCs? Are
those RFCs listed on the title page header, listed in the abstract, and discussed in the
introduction? If the RFCs are not listed in the Abstract and Introduction, explain why,
and point to the part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document, explain why the WG
considers it unnecessary.
No status change of any existing RFCs.
(17) Describe the Document Shepherd's review of the IANA considerations section,
especially with regard to its consistency with the body of the document. Confirm that
all protocol extensions that the document makes are associated with the appropriate
reservations in IANA registries. Confirm that any referenced IANA registries have been
clearly identified. Confirm that newly created IANA registries include a detailed
specification of the initial contents for the registry, that allocations procedures for
future registrations are defined, and a reasonable name for the new registry has been
suggested (see RFC 5226).
The IANA section is complete and correct.
(18) List any new IANA registries that require Expert Review for future allocations.
Provide any public guidance that the IESG would find useful in selecting the IANA
Experts for these new registries.
No new IANA registries.
(19) Describe reviews and automated checks performed by the Document Shepherd to
validate sections of the document written in a formal language, such as XML code, BNF
rules, MIB definitions, etc.
The document contains JSON-based examples, and these were validated using JSONLint.