OAuth Identity and Authorization Chaining Across Domains
draft-ietf-oauth-identity-chaining-12
Approval announcement
Draft of message to be sent after approval:
Announcement
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, debcooley1@gmail.com, draft-ietf-oauth-identity-chaining@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rfc-editor@rfc-editor.org, rifaat.s.ietf@gmail.com
Subject: Protocol Action: 'OAuth Identity and Authorization Chaining Across Domains' to Proposed Standard (draft-ietf-oauth-identity-chaining-10.txt)
The IESG has approved the following document:
- 'OAuth Identity and Authorization Chaining Across Domains'
(draft-ietf-oauth-identity-chaining-10.txt) as Proposed Standard
This document is the product of the Web Authorization Protocol Working Group.
The IESG contact persons are Christopher Inacio and Deb Cooley.
A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/
Ballot Text
Technical Summary
This specification defines a mechanism to preserve identity and
authorization information across trust domains that use the OAuth 2.0
Framework.
Discussion Venues
This note is to be removed before publishing as an RFC.
Discussion of this document takes place on the Web Authorization
Protocol Working Group mailing list (oauth@ietf.org), which is
archived at https://mailarchive.ietf.org/arch/browse/oauth/.
Source for this draft and an issue tracker can be found at
https://github.com/oauth-wg/oauth-identity-chaining.
Working Group Summary
There was strong support for this work.
Document Quality
There are many implementations:
- Keycloak 26.5: https://www.keycloak.org/2026/01/jwt-authorization-grant
- Ping Identity has implementations based on existing functionality supporting those specs.
- Okta: https://developer.okta.com/blog/2025/09/03/cross-app-access
- Auth0: https://auth0.com/docs/secure/call-apis-on-users-behalf/xaa
- Okta Open Source: https://github.com/oktadev/okta-cross-app-access-mcp
- Okta Standalone implementation: https://xaa.dev/
- Basic testing implementation: https://motd.xaa.rocks/
- WSO2 Identity Server has some basic building blocks:
  https://is.docs.wso2.com/en/latest/references/grant-types/#jwt-bearer-grant
  https://is.docs.wso2.com/en/latest/references/grant-types/#token-exchange-grant
This work is related to the work in WIMSE. Many people active in OAUTH are also active in WIMSE.
There are no expert reviews required: no YANG, no MIB, no media types, etc.
There are no downrefs.
JSONLint was used to validate the JSON examples.
Personnel
The Document Shepherd for this document is Rifaat Shekh-Yusef. The
Responsible Area Director is Deb Cooley.
RFC Editor Note