OAuth 2.0 Token Exchange
draft-ietf-oauth-token-exchange-19

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: rdd@cert.org, The IESG <iesg@ietf.org>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, draft-ietf-oauth-token-exchange@ietf.org, rifaat.ietf@gmail.com, oauth@ietf.org, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, oauth-chairs@ietf.org, rfc-editor@rfc-editor.org
Subject: Protocol Action: 'OAuth 2.0 Token Exchange' to Proposed Standard (draft-ietf-oauth-token-exchange-19.txt)

The IESG has approved the following document:
- 'OAuth 2.0 Token Exchange'
  (draft-ietf-oauth-token-exchange-19.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/


Technical Summary:
  This specification defines a protocol for an HTTP- and JSON- based Security Token 
  Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 
  authorization servers, including security tokens employing impersonation and delegation.
  The specification extends the scope of the Authorization Server (AS) to act as an STS to 
  allow the AS to exchange one token for another. The working group thinks that this is a 
  useful Standards Track document.

Working Group Summary:
  The WG document is the result of the merge of two individual documents that tried to 
  address this issue of token exchange: draft-jones-oauth-token-exchange and draft-
  campbell-oauth-sts.
  The scope of the first few revisions of the document was limited, and there was a long 
  discussion of addressing a Token Chaining use case:
  https://mailarchive.ietf.org/arch/msg/oauth/pQRiMz0NjwcAG9Jazm8Aex40UX8/?qid=e6b492516cfa24bebbf8996009413d62
  The WG document was extended to address the Token Chaining use case. 

  The individual and WG documents were reviewed by a large number of participants, with 
  lively and long discussions on the mailing list and during the WG meetings.

  One participant, Denis (denis.ietf@free.fr), raised some privacy & security concerns with 
  the WG document, which was not shared by the rest of the group. Denis was encouraged 
  by the group to write a draft on the subject to allow for a better and clear understanding 
  of his concerns, or discuss the security issues in the context of the OAuth Security Topics 
  document.

Document Quality:
  The document has been implemented by Salesforce, Microsoft, Box, Indigo IAM, Unity 
  IdM, and partial implementation by RedHat.
     https://medium.com/box-developer-blog/introducing-token-exchange-for-box-platform-3dcf7ab891b8
     https://indigo-dc.gitbooks.io/iam/content/doc/user-guide/oauth_token_exchange.html
     http://www.unity-idm.eu/documentation/unity-2.1.0/manual.html#_token_exchange
     http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

Personnel:
  The document shepherd is Rifaat Shekh-Yusef. 
  The responsible Area Director is Roman Danyliw.