- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Wed, 23 Jul 2025 03:20:25 +1200
- To: ietf-http-wg@w3.org
On 22/07/25 06:28, Atul Tulshibagwale wrote:
> Hello,
> We are currently working on a draft for Transaction Tokens <https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/>, which envisions a new HTTP Request Header called "Txn-Token" <https://www.ietf.org/archive/id/draft-ietf-oauth-transaction-tokens-05.html#name-txn-token-http-header>. The header value is expected to be a JWT.

Taking a brief look at the document ...

> 2.1. What are Transaction Tokens?
>
> Txn-Tokens are short-lived, signed JWTs [RFC7519] that assert the identity of a user or a workload and assert an authorization context.

So, if I am reading that correctly these are a cross between login credentials and a session ID.

I am wondering why these credentials are using a custom header instead of being sent as part of HTTP Authentication (request) and Authentication-Info (response) headers. There is a lot of HTTP security behaviour that can be leveraged just by using the Authn headers instead of re-inventing the wheel.

Cheers
Amos
Received on Tuesday, 22 July 2025 15:20:33 UTC
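The following is an added example for this archive page; it is not code from the Transaction Tokens draft, from the OAuth working group, or from either poster. It shows the receiver side of the thread's question in working form: a short-lived signed JWT is accepted either from the draft's Txn-Token request header or from the standard Authorization header, and a missing or bad credential is answered with 401 and a WWW-Authenticate challenge, which is the HTTP behaviour that only the Authorization carrier gets for free. Everything beyond that is an assumption made for the example: the "Txn-Token" authentication scheme name used inside Authorization is not registered anywhere, the "typ" value is illustrative, HS256 with a shared key is used only because it needs nothing outside the Python standard library (a real deployment would use an asymmetric key from the transaction token service), and the realm and claim values are constructed.

```python
"""Added example (not the draft's or the poster's code): validate a short-lived
signed JWT carried either in a custom Txn-Token header or in Authorization.
Scheme name, typ value, realm, keys and claims are assumptions for illustration."""

import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    """Restore padding before decoding; raises binascii.Error (a ValueError) on junk."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_txn_token(key: bytes, claims: dict, ttl: int = 60, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT with iat/exp set from ttl (short-lived by construction)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "txn_token"}  # typ value is an assumption for the example
    body = dict(claims, iat=now, exp=now + ttl)
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(body, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_txn_token(key: bytes, token: str, now: Optional[int] = None) -> dict:
    """Return the claims if alg, signature and expiry all check out; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def extract_token(headers: dict) -> Optional[str]:
    """Take the draft's Txn-Token header if present, else Authorization with the assumed scheme."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "txn-token" in lowered:
        return lowered["txn-token"].strip()
    scheme, _, rest = lowered.get("authorization", "").partition(" ")
    if scheme.lower() == "txn-token" and rest.strip():  # scheme name is an assumption
        return rest.strip()
    return None


def handle_request(key: bytes, headers: dict, now: Optional[int] = None) -> Tuple[int, dict]:
    """Minimal resource-side decision: 200 with the asserted subject, or 401 with a challenge."""
    token = extract_token(headers)
    if token is None:
        return 401, {"WWW-Authenticate": 'Txn-Token realm="example"'}
    try:
        claims = verify_txn_token(key, token, now)
    except ValueError as err:
        return 401, {"WWW-Authenticate": f'Txn-Token realm="example", error="{err}"'}
    return 200, {"X-Subject": str(claims.get("sub"))}


if __name__ == "__main__":
    key = b"constructed-shared-key"
    tok = mint_txn_token(key, {"sub": "alice", "purp": "order"}, ttl=60, now=1000)
    print(handle_request(key, {"Txn-Token": tok}, now=1010))
    print(handle_request(key, {"Authorization": "Txn-Token " + tok}, now=1010))
    print(handle_request(key, {}, now=1010))
    print(handle_request(key, {"Txn-Token": tok}, now=1100))
```

The two carriers are equivalent for the receiver's signature and expiry checks; the difference the thread is about lies in everything around them. Because `handle_request` answers with 401 and WWW-Authenticate, a client, cache or proxy that understands HTTP authentication already knows the response is a credential failure and that the resource is not cacheable as public, whereas a bare custom header carries none of that semantics unless every intermediary is taught it separately.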