Document changes urn:uuid:f04f48d3-8cae-5ead-9d8f-a8a3b6178f97 2026-04-22T19:14:42.342670+00:00 urn:datatracker-ietf-org:event:1139128 2026-04-22T06:41:18.008843+00:00 2026-04-22T06:41:18.008843+00:00 Meiling Chen New version available: <b>draft-chen-oauth-rar-agent-extensions-01.txt</b> new_revision none active idexists OAuth 2.0 Rich Authorization Requests (RAR) [RFC9396] defines a syntax for clients to request fine-grained permissions. While powerful, this mechanism lacks standardized methods for clients to express three critical contextual dimensions prevalent in modern automated systems: the high-level user intent driving the request, the required security policy under which the request should be evaluated, and the binding of the authorization's lifecycle to an external process. This document extends the RAR framework to address these gaps. It first defines a new authorization_details type, *intent_request*, to facilitate goal-oriented authorization. Second, it introduces two new parameters for the authorization_details object: *policy_context*, to request authorization under a specific assurance level, and *lifecycle_binding*, to tie the validity of the authorization grant to the state of an external entity. These extensions enable authorization servers to make more intelligent, secure, and context-aware decisions, particularly in ecosystems involving autonomous agents and complex, long-running tasks. 01 urn:datatracker-ietf-org:event:1139127 2026-04-22T06:41:18.006612+00:00 2026-04-22T06:41:18.006612+00:00 Meiling Chen New version accepted (logged-in submitter: Meiling Chen) new_submission none active idexists urn:datatracker-ietf-org:event:1139126 2026-04-22T06:41:17.949598+00:00 2026-04-22T06:41:17.949598+00:00 Meiling Chen Uploaded new revision new_submission none active idexists urn:datatracker-ietf-org:event:1139105 2026-04-22T04:45:15.519537+00:00 2026-04-22T04:45:15.519537+00:00 Gareth Oliver New version available: <b>draft-gco-oauth-delegate-sd-jwt-00.txt</b> new_revision none active idexists This document specifies an extension to Selective Disclosure JSON Web Tokens to support further delegation from the Holder to a Delegate Holder. This is done by allowing the Key Binding JWT to also be an SD-JWT, optionally with its own Key Binding. This has particular applicability to Agentic systems. 00 urn:datatracker-ietf-org:event:1139104 2026-04-22T04:45:15.517305+00:00 2026-04-22T04:45:15.517305+00:00 Gareth Oliver New version accepted (logged-in submitter: Gareth Oliver) new_submission none active idexists urn:datatracker-ietf-org:event:1139103 2026-04-22T04:43:50.534870+00:00 2026-04-22T04:43:50.534870+00:00 Gareth Oliver Uploaded new revision new_submission none active idexists urn:datatracker-ietf-org:event:1138960 2026-04-21T13:08:44.172830+00:00 2026-04-21T13:08:44.172830+00:00 Gunter Van de Velde [Ballot Position Update] New position, No Objection, has been recorded for Gunter Van de Velde changed_ballot_position ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138822 2026-04-20T20:12:59.758590+00:00 2026-04-20T20:12:59.758590+00:00 Michael Jones New version available: <b>draft-ietf-oauth-rfc7523bis-10.txt</b> new_revision ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub This document updates RFC7521, RFC7522, RFC7523 and RFC9126 with respect to the treatment of audience values in OAuth 2.0 Client Assertion Authentication and Assertion-based Authorization Grants to address a security vulnerability identified in the previous requirements for those audience values in multiple OAuth 2.0 specifications. 10 urn:datatracker-ietf-org:event:1138821 2026-04-20T20:12:59.756292+00:00 2026-04-20T20:12:59.756292+00:00 Brian Campbell New version approved new_submission ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138820 2026-04-20T20:12:52.411332+00:00 2026-04-20T20:12:52.411332+00:00 (System) Request for posting confirmation emailed to previous authors: Brian Campbell <bcampbell@pingidentity.com>, Chuck Mortimore <charliemortimore@gmail.com>, Filip Skokan <panva.ip@gmail.com>, Michael Jones <michael_b_jones@hotmail.com> new_submission ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138819 2026-04-20T20:12:52.106143+00:00 2026-04-20T20:12:52.106143+00:00 Michael Jones Uploaded new revision new_submission ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138808 2026-04-20T16:19:01.086043+00:00 2026-04-20T16:19:01.086043+00:00 Gorry Fairhurst [Ballot Position Update] New position, No Objection, has been recorded for Gorry Fairhurst changed_ballot_position ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138750 2026-04-20T11:14:05.631528+00:00 2026-04-20T11:14:05.631528+00:00 Paul Bastian New version available: <b>draft-ietf-oauth-status-list-20.txt</b> new_revision ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviewers-ok changed iesg-eva sub-pub This specification defines a status mechanism called Token Status List (TSL), data structures and processing rules for representing the status of tokens secured by JSON Object Signing and Encryption (JOSE) or CBOR Object Signing and Encryption (COSE), such as JWT, SD-JWT, CBOR Web Token, and ISO mdoc. It also defines an extension point and a registry for future status mechanisms. 20 urn:datatracker-ietf-org:event:1138749 2026-04-20T11:14:05.629346+00:00 2026-04-20T11:14:05.629346+00:00 Paul Bastian New version approved new_submission ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviewers-ok changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138748 2026-04-20T11:13:54.367235+00:00 2026-04-20T11:13:54.367235+00:00 (System) Request for posting confirmation emailed to previous authors: Christian Bormann <chris.bormann@gmx.de>, Paul Bastian <paul.bastian@posteo.de>, Tobias Looker <tobias.looker@mattr.global> new_submission ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviewers-ok changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138747 2026-04-20T11:13:54.084636+00:00 2026-04-20T11:13:54.084636+00:00 Paul Bastian Uploaded new revision new_submission ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviewers-ok changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138551 2026-04-18T22:40:52.400171+00:00 2026-04-18T22:40:52.400171+00:00 Gustavo Valverde Changed document external resources from: None to:<br><br>github_repo https://github.com/gustavovalverde/zentity (Zentity)<br>webpage https://zentity.xyz/ (Zentity) changed_document none active idexists urn:datatracker-ietf-org:event:1138550 2026-04-18T22:40:51.760478+00:00 2026-04-18T22:40:51.760478+00:00 Gustavo Valverde New version available: <b>draft-valverde-oauth-veil-00.txt</b> new_revision none active idexists VEIL (Verified Ephemeral Identity Layer) is a security profile of OAuth 2.1 for privacy-preserving identity verification. It separates claims into two tracks: proof claims (boolean verification results, compliance flags, assurance levels) travel through standard token claims, while identity claims (name, date of birth, address, nationality) travel only through an ephemeral, single-consume channel that keeps personally identifiable information off long-lived tokens. Subject identifiers are pairwise by default. Consent records are HMAC-protected. Step-up authentication scales with operation sensitivity. VEIL is the base profile for domain-specific extensions. 00 urn:datatracker-ietf-org:event:1138549 2026-04-18T22:40:51.758672+00:00 2026-04-18T22:40:51.758672+00:00 Gustavo Valverde New version accepted (logged-in submitter: Gustavo Valverde) new_submission none active idexists urn:datatracker-ietf-org:event:1138547 2026-04-18T22:40:46.458118+00:00 2026-04-18T22:40:46.458118+00:00 Gustavo Valverde Changed document external resources from: None to:<br><br>github_repo https://github.com/gustavovalverde/zentity (Zentity)<br>webpage https://zentity.xyz/ (Zentity) changed_document none active idexists urn:datatracker-ietf-org:event:1138546 2026-04-18T22:40:45.715167+00:00 2026-04-18T22:40:45.715167+00:00 Gustavo Valverde New version available: <b>draft-valverde-oauth-pact-00.txt</b> new_revision none active idexists PACT (Private Agent Consent and Trust Profile) is a security profile of OAuth 2.1 for privacy-preserving agent delegation. It extends VEIL and composes OIDC CIBA Core 1.0 and OAuth Token Exchange (RFC 8693). PACT defines a durable-host plus ephemeral-session control plane, a delegation token claim vocabulary, runtime identity proofs using Ed25519 JWTs, capability grants with typed constraints and usage limits, risk-graduated consent routing, and claim narrowing on token exchange to non-agent audiences. 00 urn:datatracker-ietf-org:event:1138545 2026-04-18T22:40:45.713022+00:00 2026-04-18T22:40:45.713022+00:00 Gustavo Valverde New version accepted (logged-in submitter: Gustavo Valverde) new_submission none active idexists urn:datatracker-ietf-org:event:1138548 2026-04-18T22:39:27.714968+00:00 2026-04-18T22:39:27.714968+00:00 Gustavo Valverde Uploaded new revision new_submission none active idexists urn:datatracker-ietf-org:event:1138544 2026-04-18T22:38:34.601263+00:00 2026-04-18T22:38:34.601263+00:00 Gustavo Valverde Uploaded new revision new_submission none active idexists urn:datatracker-ietf-org:event:1138409 2026-04-17T15:41:43.937642+00:00 2026-04-17T15:41:43.937642+00:00 Morgan Condie Placed on agenda for telechat - 2026-04-30 scheduled_for_telechat ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138384 2026-04-17T12:09:05.027795+00:00 2026-04-17T12:09:05.027795+00:00 Deb Cooley Ballot has been issued sent_ballot_announcement ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138383 2026-04-17T12:09:04.664332+00:00 2026-04-17T12:09:04.664332+00:00 Deb Cooley [Ballot Position Update] New position, Yes, has been recorded for Deb Cooley changed_ballot_position ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138382 2026-04-17T12:09:04.647233+00:00 2026-04-17T12:09:04.647233+00:00 Deb Cooley Created "Approve" ballot created_ballot ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138381 2026-04-17T12:09:04.290296+00:00 2026-04-17T12:09:04.290296+00:00 Deb Cooley IESG state changed to <b>IESG Evaluation</b> from Waiting for AD Go-Ahead changed_state ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138316 2026-04-17T04:34:13.413140+00:00 2026-04-17T04:34:13.413140+00:00 Gio Moros New version available: <b>draft-moros-oauth-browser-session-handoff-00.txt</b> new_revision none active idexists This document specifies a usage profile that composes OAuth 2.0 Token Exchange [RFC8693] with a short-lived, single-use authorization code to establish an authenticated browser session at a Relying Party (RP) on behalf of a user authenticated at an Identity Provider (IdP) operating an independent OAuth 2.0 Security Token Service (STS). The server-to-server leg uses RFC 8693 to convey user identity and authorization context to the RP's STS, which issues an RP-scoped access token. A short-lived opaque code is then used to mediate delivery of session state into the user's browser without ever exposing the access token on the front channel. The profile is designed to avoid the class of front-channel token leakage (browser history, HTTP Referer header, intermediary access logs) that motivated the deprecation of the OAuth 2.0 implicit grant in [RFC9700]. The profile also defines a minimum claims contract on the RP-issued access token to enable stateless authorization enforcement at the RP without synchronous callbacks to the IdP. 00 urn:datatracker-ietf-org:event:1138315 2026-04-17T04:34:13.410963+00:00 2026-04-17T04:34:13.410963+00:00 (System) New version approved new_submission none active idexists urn:datatracker-ietf-org:event:1138314 2026-04-17T04:31:27.374595+00:00 2026-04-17T04:31:27.374595+00:00 Gio Moros Request for posting confirmation emailed to submitter and authors: Gio Moros <Geomoherna@gmail.com>, Gio Moros <Gio@midaslabs.ca> new_submission none active idexists urn:datatracker-ietf-org:event:1138313 2026-04-17T04:30:40.859490+00:00 2026-04-17T04:30:40.859490+00:00 Gio Moros Uploaded new revision new_submission none active idexists urn:datatracker-ietf-org:event:1138271 2026-04-16T22:27:12.557031+00:00 2026-04-16T22:27:12.557031+00:00 Michael Jones New version available: <b>draft-ietf-oauth-rfc7523bis-09.txt</b> new_revision ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub This document updates RFC7521, RFC7522, RFC7523 and RFC9126 with respect to the treatment of audience values in OAuth 2.0 Client Assertion Authentication and Assertion-based Authorization Grants to address a security vulnerability identified in the previous requirements for those audience values in multiple OAuth 2.0 specifications. 10 urn:datatracker-ietf-org:event:1138270 2026-04-16T22:27:12.554900+00:00 2026-04-16T22:27:12.554900+00:00 (System) New version approved new_submission ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138269 2026-04-16T22:27:05.735177+00:00 2026-04-16T22:27:05.735177+00:00 (System) Request for posting confirmation emailed to previous authors: Brian Campbell <bcampbell@pingidentity.com>, Chuck Mortimore <charliemortimore@gmail.com>, Filip Skokan <panva.ip@gmail.com>, Michael Jones <michael_b_jones@hotmail.com> new_submission ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138268 2026-04-16T22:27:05.356952+00:00 2026-04-16T22:27:05.356952+00:00 Michael Jones Uploaded new revision new_submission ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138262 2026-04-16T21:12:35.340881+00:00 2026-04-16T21:12:35.340881+00:00 Ashay Raut This document now replaces <b>draft-oauth-transaction-tokens-for-agents</b> instead of None changed_document none active idexists urn:datatracker-ietf-org:event:1138261 2026-04-16T21:12:34.996017+00:00 2026-04-16T21:12:34.996017+00:00 Ashay Raut New version available: <b>draft-araut-oauth-transaction-tokens-for-agents-00.txt</b> new_revision none active idexists This document specifies an extension to the OAUTH-TXN-TOKENS (https://drafts.oauth.net/oauth-transaction-tokens/draft-ietf-oauth- transaction-tokens.html) to support agent context propagation within Transaction Tokens for agent-based workloads. The extension defines the use of the act field to identify the agent performing the action, and leverages the existing sub field (as defined in the base Transaction Tokens specification) to represent the principal. The sub field is populated according to the rules specified in OAUTH-TXN- TOKENS (https://drafts.oauth.net/oauth-transaction-tokens/draft-ietf- oauth-transaction-tokens.html), based on the 'subject_token' provided in the token request. For autonomous agents operating independently, the sub field represents the agent itself. These mechanisms enable services within the call graph to make more granular access control decisions, thereby enhancing security. 00 urn:datatracker-ietf-org:event:1138260 2026-04-16T21:12:34.993852+00:00 2026-04-16T21:12:34.993852+00:00 Ashay Raut New version approved new_submission none active idexists urn:datatracker-ietf-org:event:1138259 2026-04-16T21:10:49.728966+00:00 2026-04-16T21:10:49.728966+00:00 Ashay Raut Request for posting confirmation emailed to submitter and authors: Ashay Raut <asharaut@amazon.com> new_submission none active idexists urn:datatracker-ietf-org:event:1138258 2026-04-16T21:09:48.702468+00:00 2026-04-16T21:09:48.702468+00:00 Ashay Raut Uploaded new revision new_submission none active idexists urn:datatracker-ietf-org:event:1138239 2026-04-16T18:04:44.462374+00:00 2026-04-16T18:04:44.462374+00:00 (System) IANA Review state changed to <b>Version Changed - Review Needed</b> from IANA - Not OK changed_state ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138238 2026-04-16T18:04:44.209168+00:00 2026-04-16T18:04:44.209168+00:00 Michael Jones New version available: <b>draft-ietf-oauth-rfc7523bis-08.txt</b> new_revision ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub This document updates RFC7521, RFC7522, RFC7523 and RFC9126 with respect to the treatment of audience values in OAuth 2.0 Client Assertion Authentication and Assertion-based Authorization Grants to address a security vulnerability identified in the previous requirements for those audience values in multiple OAuth 2.0 specifications. 10 urn:datatracker-ietf-org:event:1138237 2026-04-16T18:04:44.204937+00:00 2026-04-16T18:04:44.204937+00:00 Brian Campbell New version approved new_submission ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138236 2026-04-16T18:04:15.027688+00:00 2026-04-16T18:04:15.027688+00:00 (System) Request for posting confirmation emailed to previous authors: Brian Campbell <bcampbell@pingidentity.com>, Chuck Mortimore <charliemortimore@gmail.com>, Filip Skokan <panva.ip@gmail.com>, Michael Jones <michael_b_jones@hotmail.com> new_submission ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1138235 2026-04-16T18:04:14.610797+00:00 2026-04-16T18:04:14.610797+00:00 Michael Jones Uploaded new revision new_submission ietf oauth Rifaat Shekh-Yusef Deb Cooley active reviews-assigned changed iesg-eva sub-pub urn:datatracker-ietf-org:event:1137991 2026-04-15T19:38:05.238161+00:00 2026-04-15T19:38:05.238161+00:00 Sreyantha Mora New version available: <b>draft-mora-oauth-entity-profiles-01.txt</b> new_revision none active idexists This specification introduces Entity Profiles as a mechanism to categorize OAuth 2.0 entities—clients and subjects—based on their operational context. Entity Profiles provide structured descriptors for the client initiating the OAuth flow and the subject represented in tokens. This document defines new JWT Claim names and metadata parameters for use in JWTs issued or consumed in OAuth flows, including but not limited to access tokens, ID tokens, JWT authorization grant assertions, and transaction tokens, as well as in token introspection responses, dynamic client registration, and Authorization Server metadata. It also defines vocabulary for classifying acting entities within delegation chains. 01 urn:datatracker-ietf-org:event:1137990 2026-04-15T19:38:05.235931+00:00 2026-04-15T19:38:05.235931+00:00 (System) New version approved new_submission none active idexists urn:datatracker-ietf-org:event:1137989 2026-04-15T19:37:24.282975+00:00 2026-04-15T19:37:24.282975+00:00 (System) Request for posting confirmation emailed to previous authors: Pamela Dingle <pamela.dingle@microsoft.com>, Sreyantha Mora <sreyanthmora@microsoft.com> new_submission none active idexists