Skip to content

Allow for alternatives to RFC8693 #254

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Allow for alternatives to RFC8693 #254

wants to merge 6 commits into from

Conversation

PieterKas
Copy link
Collaborator

See #189

@PieterKas PieterKas requested a review from tulshi as a code owner September 18, 2025 11:35
@PieterKas PieterKas requested review from bc-pi and gffletch September 18, 2025 11:35
@PieterKas
Copy link
Collaborator Author

@tulshi or @gffletch - I resolved coonflict - please approve and I can merge.

gffletch
gffletch reviewed Sep 23, 2025
View reviewed changes
gffletch
gffletch reviewed Sep 23, 2025
View reviewed changes
Copy link
Collaborator

@gffletch gffletch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we want to leave the door open for people to define their own mechanisms for obtaining a transaction token, then I think we should just say up front...

This specification defines a method to obtain a transaction token remotely over HTTP. Other methods used to obtain a transaction token conforming to this specification are out of scope and may be defined by other specifications.

Then we can say... if the transaction token request is made according to this specification it MUST ...

bc-pi
bc-pi reviewed Sep 23, 2025
View reviewed changes
bc-pi
bc-pi reviewed Sep 23, 2025
View reviewed changes
bc-pi
bc-pi reviewed Sep 23, 2025
View reviewed changes
@PieterKas PieterKas requested a review from gffletch September 29, 2025 12:23
tulshi
tulshi reviewed Sep 29, 2025
View reviewed changes
draft-ietf-oauth-transaction-tokens.md

### Initial Creation
Txn-Tokens are typically created when a workload is invoked using an endpoint that is externally visible, and is authorized using a separate mechanism, such as an OAuth {{RFC6749}} access token. This workload then performs an OAuth 2.0 Token Exchange {{RFC8693}} to obtain a Txn-Token. To do this, it invokes a special Token Service (the Txn-Token Service) and provides context that is sufficient for it to generate a Txn-Token. The context information provided to the Txn-Token Service MAY include:
Txn-Tokens are typically created when a workload is invoked using an endpoint that is externally visible, and is authorized using a separate mechanism, such as an OAuth {{RFC6749}} access token. The externally visible endpoint exchanges the external authorization token for a transaction token before sending it to the workload. The transaction token may be obtained through a local interface, or it may be requested from a remote server.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to update this language to take care of the case where there is no external authorization token. The part of the sentence "...exchanges the authorization token for a transaction token" reads like you assume there will always be an external authorization token

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tulshi I think if you have no token, you send a selff-signed token, or even an unsigned token. Perhaps we just change the "authorisation token" to "token"?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This whole paragraph is couched with "typically" to start with, "Txn-Tokens are typically created ... " so I don't think the case where there is no external authorization token is being precluded.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tulshi - Following on from our conversation, I had a second read of this section.

  1. I thinkBrian's point is valid - the paragraph is descriptive of a typical case, nnot normative or constraining.
  2. As written, it describes the initial transaction token creation, so does not preclude the creation of a replacement transaction token (or other uses for creating an initial token).

@PieterKas PieterKas requested a review from tulshi September 30, 2025 10:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gffletch gffletch Awaiting requested review from gffletch

@tulshi tulshi Awaiting requested review from tulshi tulshi is a code owner

1 more reviewer

@bc-pi bc-pi bc-pi approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@PieterKas @gffletch @tulshi @bc-pi