OAuth 2.0 Token Exchange
Draft of message to be sent after approval:

From: The IESG <firstname.lastname@example.org>
To: IETF-Announce <email@example.com>
Cc: firstname.lastname@example.org, The IESG <email@example.com>, Rifaat Shekh-Yusef <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, email@example.com, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, firstname.lastname@example.org, email@example.com
Subject: Protocol Action: 'OAuth 2.0 Token Exchange' to Proposed Standard (draft-ietf-oauth-token-exchange-19.txt)

The IESG has approved the following document:
- 'OAuth 2.0 Token Exchange' (draft-ietf-oauth-token-exchange-19.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
Technical Summary:

This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation. The specification extends the scope of the Authorization Server (AS) to act as an STS, allowing the AS to exchange one token for another. The working group thinks that this is a useful Standards Track document.

Working Group Summary:

The WG document is the result of the merge of two individual documents that tried to address the token exchange problem: draft-jones-oauth-token-exchange and draft-campbell-oauth-sts. The scope of the first few revisions of the document was limited, and there was a long discussion about addressing a Token Chaining use case:
https://mailarchive.ietf.org/arch/msg/oauth/pQRiMz0NjwcAG9Jazm8Aex40UX8/?qid=e6b492516cfa24bebbf8996009413d62
The WG document was extended to address the Token Chaining use case.

The individual and WG documents were reviewed by a large number of participants, with lively and long discussions on the mailing list and during the WG meetings. One participant, Denis (firstname.lastname@example.org), raised some privacy and security concerns with the WG document, which were not shared by the rest of the group. Denis was encouraged by the group to write a draft on the subject to allow for a better and clearer understanding of his concerns, or to discuss the security issues in the context of the OAuth Security Topics document.

Document Quality:

The document has been implemented by Salesforce, Microsoft, Box, Indigo IAM, and Unity IdM, with a partial implementation by RedHat.
https://medium.com/box-developer-blog/introducing-token-exchange-for-box-platform-3dcf7ab891b8
https://indigo-dc.gitbooks.io/iam/content/doc/user-guide/oauth_token_exchange.html
http://www.unity-idm.eu/documentation/unity-2.1.0/manual.html#_token_exchange
http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

Personnel:

The document shepherd is Rifaat Shekh-Yusef. The responsible Area Director is Roman Danyliw.
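The Technical Summary above describes the AS acting as an STS that exchanges one token for another, with impersonation and delegation as the two flavours. The following is an added illustration of what such an STS endpoint has to check on the server side; it is not code from the draft or from any of the implementations listed. The grant type, token-type URIs, request parameters (subject_token, actor_token, audience, scope) and the "act" claim follow the token exchange specification; the in-memory token store, the audience list, the sample tokens and the helper names are constructed for this example. The security-relevant points it shows are that the subject token is validated before anything is minted, that a requested scope can never exceed the subject token's scope, that an unknown audience is rejected with invalid_target, and that delegation leaves the subject identity unchanged and records the actor in a nested "act" claim instead.

```python
"""Minimal OAuth 2.0 Token Exchange (STS) request handler.

Added example, not code from the draft or any listed implementation.
Parameter, error and token-type names follow the token exchange
specification; TOKEN_STORE, KNOWN_AUDIENCES and the sample tokens are
constructed stand-ins for real signature verification or introspection.
"""
import secrets
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
KNOWN_TOKEN_TYPES = {ACCESS_TOKEN_TYPE, JWT_TYPE}

# Constructed: opaque token string -> claims the AS previously issued.
TOKEN_STORE = {
    "subj-tok-1": {"sub": "alice", "scope": "read", "aud": "api.example", "exp": 2_000_000_000},
    "actor-tok-1": {"sub": "backend-service", "aud": "sts.example", "exp": 2_000_000_000},
    "expired-tok": {"sub": "bob", "scope": "read", "aud": "api.example", "exp": 1},
}
KNOWN_AUDIENCES = {"api.example", "reports.example"}  # constructed

ISSUED = {}  # tokens minted by this STS, kept so callers can inspect the claims


class ExchangeError(Exception):
    def __init__(self, code, desc):
        super().__init__(desc)
        self.code, self.desc = code, desc


def _validate_token(token, token_type, role, now):
    """Resolve and check a presented subject or actor token."""
    if token_type not in KNOWN_TOKEN_TYPES:
        raise ExchangeError("invalid_request", f"unsupported {role}_token_type")
    claims = TOKEN_STORE.get(token)
    if claims is None or claims["exp"] <= now:
        raise ExchangeError("invalid_request", f"{role}_token is invalid or expired")
    return claims


def token_exchange(form, now=None):
    """Handle one token exchange POST body given as a dict of form fields.

    Returns (http_status, response_dict). Without actor_token the result is
    an impersonation token; with actor_token it is a delegation token whose
    "act" claim names the actor while "sub" stays the original subject.
    """
    now = time.time() if now is None else now
    try:
        if form.get("grant_type") != GRANT_TYPE:
            raise ExchangeError("unsupported_grant_type", "expected the token-exchange grant")
        if "subject_token" not in form or "subject_token_type" not in form:
            raise ExchangeError("invalid_request", "subject_token and subject_token_type are required")
        # actor_token and actor_token_type are only meaningful together.
        if ("actor_token" in form) != ("actor_token_type" in form):
            raise ExchangeError("invalid_request", "actor_token requires actor_token_type")

        subject = _validate_token(form["subject_token"], form["subject_token_type"], "subject", now)

        audience = form.get("audience")
        if audience is not None and audience not in KNOWN_AUDIENCES:
            raise ExchangeError("invalid_target", "unknown audience")
        audience = audience or subject["aud"]

        # Never widen privilege: the new token's scope is a subset of the subject's.
        subject_scopes = set(subject.get("scope", "").split())
        requested = set(form.get("scope", "").split()) or subject_scopes
        if not requested <= subject_scopes:
            raise ExchangeError("invalid_scope", "requested scope exceeds subject_token scope")

        claims = {"sub": subject["sub"], "aud": audience,
                  "scope": " ".join(sorted(requested)), "exp": int(now) + 300}
        if "actor_token" in form:
            actor = _validate_token(form["actor_token"], form["actor_token_type"], "actor", now)
            claims["act"] = {"sub": actor["sub"]}  # delegation: actor recorded, subject unchanged
    except ExchangeError as e:
        return 400, {"error": e.code, "error_description": e.desc}

    new_token = secrets.token_urlsafe(16)
    ISSUED[new_token] = claims
    return 200, {
        "access_token": new_token,
        "issued_token_type": ACCESS_TOKEN_TYPE,
        "token_type": "Bearer",
        "expires_in": 300,
        "scope": claims["scope"],
    }


if __name__ == "__main__":
    status, body = token_exchange({
        "grant_type": GRANT_TYPE,
        "subject_token": "subj-tok-1", "subject_token_type": ACCESS_TOKEN_TYPE,
        "actor_token": "actor-tok-1", "actor_token_type": ACCESS_TOKEN_TYPE,
        "audience": "reports.example",
    }, now=1_500_000_000)
    print(status, body, ISSUED[body["access_token"]])
```

A real AS would replace the dictionary lookup with signature verification or introspection of the presented tokens, and would normally also log which actor obtained a token for which subject, since the "act" claim is what later lets a resource server and an auditor tell delegated access apart from the subject acting directly.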