draft-ietf-oauth-transaction-tokens.md
12 additions & 12 deletions
@@ -355,7 +355,7 @@ JWT claims as well as defines new claims. These claims are described below:
355
355
`purp`:
356
356
: REQUIRED A String defining the purpose or intent of this transaction.
357
357
358
-
`azd`:
358
+
`tctx`:
359
359
: OPTIONAL A JSON object that contains values that remain immutable throughout the call chain.
360
360
361
361
`rctx`:
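Review bot: the renamed `tctx` entry keeps the `OPTIONAL` marker inherited from `azd`, while the Transaction Context section added further down in this same change says the Txn-Token SHOULD contain a `tctx` claim; state the recommendation here as well (e.g. `: OPTIONAL (RECOMMENDED) A JSON object ...`) or align the two so the claim list and the section agree. The one-line description also only says that the values remain immutable; consider saying what the object holds (authorization details determined by the Transaction Token Service) so it matches the registry description `The transaction authorization details` at the end of this diff.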
@@ -373,17 +373,17 @@ The JSON value of the `rctx` claim MAY include any values the Txn-Token Service
373
373
* `authn` The authentication method used to identify the requester. Its value is a StringOrURI that uniquely identifies the method used.
374
374
* `req_wl` The requesting workload. A StringOrURI that uniquely identifies the computational entity that requested the Txn-Token. This entity MUST be within the Trust Domain of the Txn-Token. If a replacement Txn-Token has been requested, then this claim will be an array of StringOrURIs representing the different workloads that have requested Txn-Tokens as part of the transaction processing.
The Txn-Token SHOULD contain an `azd` claim. The value of this claim is a JSON object that contains name/value pairs (wherein the value could itself be an object), which together assert the details that remain immutable through the call-chain where this Txn-Token is used.
376
+
### Transaction Context {#transaction-context}
377
+
The Txn-Token SHOULD contain an `tctx` claim. The value of this claim is a JSON object that contains name/value pairs (wherein the value could itself be an object), which together assert the details that remain immutable through the call-chain where this Txn-Token is used.
378
378
379
379
Txn-Tokens are primarily used to assure identity and context for a transaction, and the content of this field is a critical part of that context.
380
380
381
-
Whereas the `rctx` field contains environmental values related to the request, the `azd` field contains the actual authorizaton details that are determined by the TTS. These values are used by services using the Txn-Token to reliably obtain specific parameters needed to perform their work. The content of the `azd` field is determined by the Txn-Token Service and they may be computed internally or from parameters it receives from the service that requests the Txn-Token.
381
+
Whereas the `rctx` field contains environmental values related to the request, the `tctx` field contains the actual authorizaton details that are determined by the TTS. These values are used by services using the Txn-Token to reliably obtain specific parameters needed to perform their work. The content of the `tctx` field is determined by the Txn-Token Service and they may be computed internally or from parameters it receives from the service that requests the Txn-Token.
382
382
383
-
The following is a non-normative example of an `azd` claim:
383
+
The following is a non-normative example of an `tctx` claim:
384
384
385
385
~~~ json
386
-
"azd": {
386
+
"tctx": {
387
387
"action": "BUY", // parameter of external call
388
388
"ticker": "MSFT", // parameter of external call
389
389
"quantity": "100", // parameter of external call
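Review bot: the added line `The Txn-Token SHOULD contain an `tctx` claim.` needs `a `tctx` claim` now that the claim name no longer starts with a vowel sound, and the same applies to `The following is a non-normative example of an `tctx` claim:`; while rewriting these lines, the pre-existing typo `authorizaton` in `the `tctx` field contains the actual authorizaton details` should become `authorization`. The new `### Transaction Context {#transaction-context}` heading introduces an anchor that nothing in the visible diff references (the IANA entry still cites `{{txn-token-claims}}`); either reference it or confirm the anchor is intentionally unused.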
@@ -424,7 +424,7 @@ The figure below {{figleaftxtokenbody}} shows a non-normative example of the JWT
424
424
"req_wl": "apigateway.trust-domain.example"// the internal entity that requested the Txn-Token
425
425
},
426
426
"purp": "trade.stocks",
427
-
"azd": {
427
+
"tctx": {
428
428
"action": "BUY", // parameter of external call
429
429
"ticker": "MSFT", // parameter of external call
430
430
"quantity": "100", // parameter of external call
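Review bot: the `tctx` object in this figure duplicates the standalone example earlier in the diff (same `action`, `ticker` and `quantity` entries), so future edits to one are likely to drift from the other; either have the figure reference the earlier example or keep both in sync deliberately. Cosmetic, on the unchanged context line `"req_wl": "apigateway.trust-domain.example"// the internal entity ...`: a space before `//` would match the other commented lines, and since the block carries `//` comments it is not strictly parseable as JSON, which is fine only because the figure is labelled non-normative.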
@@ -466,7 +466,7 @@ To request a Txn-Token the workload invokes the OAuth 2.0 {{RFC6749}} token endp
466
466
The following additional parameters MAY be present in a Txn-Token Request:
467
467
468
468
* `request_context` OPTIONAL. This parameter contains a base64url encoded JSON object which represents the context of this transaction. The parameter SHOULD be present and how the Transaction Token Service uses this parameter is out of scope for this specification.
469
-
* `request_details` OPTIONAL. This parameter contains a base64url encoded JSON object which represents additional details of the transaction that MUST remain immutable throughout the processing of the transaction by multiple workloads.
469
+
* `request_details` OPTIONAL. This parameter contains a base64url encoded JSON object which represents additional details of the transaction that MUST remain immutable throughout the processing of the transaction by multiple workloads. The Transaction Token Service uses this information to construct the `tctx` claim.
470
470
471
471
The requesting workload MUST authenticate its identity to the Transaction Token Service. The exact client authentication mechanism used is outside the scope of this specification.
472
472
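Review bot: the added sentence `The Transaction Token Service uses this information to construct the `tctx` claim.` reads as unconditional, while the processing rule later in this diff says the Transaction Token Service SHOULD propagate `request_details` into `tctx` only `as authorized by the Transaction Token Service authorization policy for the requesting client`; suggest `The Transaction Token Service MAY use this information, subject to its authorization policy, to construct the `tctx` claim` or a cross-reference to that rule, so the parameter description does not imply a requesting workload can place arbitrary values into a claim that is immutable for the rest of the call chain. The `request_context` bullet above explicitly leaves the service's use of that parameter out of scope, so the two bullets now take different approaches; make that asymmetry intentional.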
@@ -533,7 +533,7 @@ The Transaction Token Service MUST evaluate the value specified in the `scope` p
533
533
534
534
If a `request_context` parameter is present in the Txn-Token Request, the data SHOULD be added to the `rctx` object of the Txn-Token. In addition, the Transaction Token Service SHOULD add the authenticated requesting workload identifier in the `rctx` object as the `req_wl` claim.
535
535
536
-
If a `request_details` parameter is present in the Txn-Token Request, then the Transaction Token Service SHOULD propagate the data from the `request_details` object into the claims in the `azd` object as authorized by the Transaction Token Service authorization policy for the requesting client.
536
+
If a `request_details` parameter is present in the Txn-Token Request, then the Transaction Token Service SHOULD propagate the data from the `request_details` object into the claims in the `tctx` object as authorized by the Transaction Token Service authorization policy for the requesting client.
537
537
538
538
The Transaction Token Service MAY provide additional processing and verification that is outside the scope of this specification.
539
539
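Review bot: the rule propagates `request_details` into `tctx` `as authorized by the Transaction Token Service authorization policy`, but nothing says what happens to values the policy does not authorize; add that such values MUST NOT be copied into `tctx` and, ideally, whether the request is rejected or the values are dropped, since `tctx` values are immutable throughout the call chain and downstream workloads rely on them to perform their work. Consider also mirroring the `rctx` paragraph above by stating whether the Transaction Token Service may add its own computed entries to `tctx`, which the Transaction Context prose earlier in this diff says it may.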
@@ -644,7 +644,7 @@ A workload may accidently send a transaction token request to a service that is
644
644
# Privacy Considerations {#Privacy}
645
645
646
646
## Obfuscation of Personal Information
647
-
Some `rctx` claims may be considered personal information in some jurisdictions
647
+
Some `rctx` and `tctx` claims may be considered personal information in some jurisdictions
648
648
and if so their values need to be obfuscated. For example, originating IP address
649
649
(`req_ip`) is often considered personal information and in that case must be
650
650
protected through some obfuscation method (e.g. salted SHA256).
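Review bot: adding `tctx` to the obfuscation sentence is correct, but the example that follows (`req_ip`) is an `rctx` value; one sentence on the `tctx` case would help, specifically that because `tctx` values are immutable throughout the call chain, any obfuscation of personal information in them has to happen at the Transaction Token Service before issuance (or in the `request_details` supplied by the requester), since downstream workloads cannot rewrite the claim. Minor, in the surrounding context: `accidently` should be `accidentally`.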
@@ -675,8 +675,8 @@ This specification registers the following token type identifiers to the "OAuth
675
675
676
676
## JWT Claims Registry Contents
677
677
678
-
* Claim Name: `azd`
679
-
* Claim Description: The authorization context details
678
+
* Claim Name: `tctx`
679
+
* Claim Description: The transaction authorization details
680
680
* Change Controller: IETF
681
681
* Specification Document: Section {{txn-token-claims}} of this specification
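Review bot: the registry entry's `Claim Description: The transaction authorization details` and the claim-list definition earlier in this diff (`A JSON object that contains values that remain immutable throughout the call chain`) describe `tctx` differently; align the IANA text with the normative definition. `Specification Document` still points only at `{{txn-token-claims}}`; now that this change adds a dedicated `{#transaction-context}` section, consider citing it as well. If `azd` was submitted to the registry under an earlier draft revision, the rename needs a corresponding update request there rather than a silent replacement of the entry.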