OAuth Identity and Authorization Chaining Across Domains
Approval announcement
draft-ietf-oauth-identity-chaining-08
Draft of message to be sent after approval:
Ballot Text
Technical Summary

This specification defines a mechanism to preserve identity and authorization information across trust domains that use the OAuth 2.0 Framework.

Discussion Venues

This note is to be removed before publishing as an RFC.

Discussion of this document takes place on the Web Authorization Protocol Working Group mailing list (oauth@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/oauth/.

Source for this draft and an issue tracker can be found at https://github.com/oauth-wg/oauth-identity-chaining.

Working Group Summary

There was strong support for this work.

Document Quality

Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type, or other Expert Review, what was its course (briefly)? In the case of a Media Type Review, on what date was the request posted?

There are many implementations:

KeyCloak 26.5
https://www.keycloak.org/2026/01/jwt-authorization-grant

Ping Identity has implementations based on existing functionality supporting those specs.

Okta
https://developer.okta.com/blog/2025/09/03/cross-app-access

Auth0
https://auth0.com/docs/secure/call-apis-on-users-behalf/xaa

Okta Open Source
https://github.com/oktadev/okta-cross-app-access-mcp

Okta Standalone implementation
https://xaa.dev/

Basic testing implementation
https://motd.xaa.rocks/

WSO2 Identity Server has some basic building blocks
https://is.docs.wso2.com/en/latest/references/grant-types/#jwt-bearer-grant
https://is.docs.wso2.com/en/latest/references/grant-types/#token-exchange-grant

This work is related to the work in WIMSE. Many people active in OAUTH are also active in WIMSE.

There are no expert reviews required - no Yang, no MIB, no media types, etc.

There are no downrefs.

JSONLint was used to validate the JSON examples.

Personnel

The Document Shepherd for this document is Rifaat Shekh-Yusef. The Responsible Area Director is Deb Cooley.

IANA Note

(Insert IANA Note here or remove section)