| Internet-Draft | Domain-Authorized Issuer Trust Method | July 2026 |
| McGuinness | Expires 5 January 2027 | [Page] |
This document defines the Domain-Authorized Issuer (DAI) Trust
Method: a subject_namespace_authorization Trust Method for the
OAuth Identity Assertion Trust Framework in which the owner of a
subject namespace (typically a DNS domain) publishes a policy
listing the OAuth authorization servers it authorizes to assert
identities in that namespace. The mechanism uses the DNS-based
authority-publication pattern operators already deploy for CAA,
MTA-STS, SPF, and DKIM. A Resource Authorization Server uses the
published policy to verify that an identity assertion's issuer is
authorized for the asserted subject namespace.¶
The lookup defined by this document is verifier-side: given an identity assertion in hand, the Resource Authorization Server locates the Subject Authority's issuer authorization policy. Client-side discovery of which Assertion Issuer to use before an assertion exists is a separate use case and is deferred to future work.¶
This document also defines the Issuer Authorization Policy wire format that the Trust Method consumes. The parent trust framework specification owns the generic Trust Policy document, Trust Method category structure, cross-category combination rule, and Subject Authority Determination concept.¶
This note is to be removed before publishing as an RFC.¶
Discussion of this document takes place on the Web Authorization Protocol Working Group mailing list (oauth@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/oauth/.¶
Source for this draft and an issue tracker can be found at https://github.com/mcguinness/draft-mcguinness-oauth-id-assertion-framework.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 5 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
OAuth deployments using identity-assertion grants (e.g., ID-JAG, or generic JWT-bearer assertions carrying an identity claim; see [TRUST-FRAMEWORK]) need to answer "is this Assertion Issuer authorized to assert about subjects in this namespace?". An issuer authenticated by federation membership is not, by that membership alone, entitled to assert about subjects in any particular namespace; the namespace owner is the only authoritative source of that delegation.¶
The Domain-Authorized Issuer (DAI) Trust Method lets the owner of a
DNS-namable subject namespace publish, in DNS, the set of Assertion
Issuers it authorizes for its namespace. The DNS record can carry
the authorized issuers inline (for simple deployments) or point at
an HTTPS-hosted JSON document containing richer policy (validity
windows, format restrictions, tenant binding, multiple issuers).
Authority is established by control of the publication channel:
whoever can publish at _oauth-issuer-policy.{domain} is itself
the Subject Authority for {domain}. The pattern follows CAA
[RFC8659], MTA-STS [RFC8461], SPF, and DKIM
(Appendix A.1).¶
DAI is consumed by Resource Authorization Servers at assertion verification time: given an identity assertion, the RAS uses the Subject Authority's published policy to decide whether the asserting issuer is authorized for the subject's namespace.¶
DAI is non-transitive by design. The Issuer Authorization Policy is a flat list of Assertion Issuer identifiers; a Subject Authority that wants to authorize an Assertion Issuer publishes its identifier directly. The depth-1 bound and its security implications are covered in [TRUST-FRAMEWORK] §Open-World Delegation and Bounded Transitivity and §Transitive Authorization is Bounded.¶
DAI is also independent of OpenID Federation: a Subject Authority can publish DAI records and a Resource Authorization Server can evaluate them without any federation infrastructure.¶
DAI is a concrete profile of [TRUST-FRAMEWORK] for OAuth identity assertions: the Subject Authority is the Authority Holder; the Issuer Authorization Policy is the Delegation Artifact; the DNS record (or DNS pointer plus HTTPS document) is one publication channel; the Assertion Issuer is the Delegate. Lookup state classification and fail-closed requirements follow [TRUST-FRAMEWORK] §Lookup States and Fail-Closed.¶
DAI extends [TRUST-FRAMEWORK], which owns the Trust Policy
document format, Trust Method machinery, Subject Authority
Determination, and OAuth grant-profile bindings. This document
defines the Issuer Authorization Policy document
(Section 3), the DNS and HTTPS publication channels
(Section 4.1), the lookup procedure (Section 5),
the verification rules (Section 6), the
domain_authorized_issuer Trust Method, and an HTTPS-only
deployment variant (Section 8.2).
A bridge to the Email Verification Protocol's DNS records and a
client-side discovery use case are sketched as future extensions
in Appendix B.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document uses terminology from [TRUST-FRAMEWORK]: Resource Authorization Server, Assertion Issuer, Subject Authority, Trust Policy, Issuer Authorization Policy, Authority Holder, Delegate, Delegation Artifact, and Validator. Subject Identifier formats follow [RFC9493].¶
One term is specific to this document:¶
The Trust Method defined by this document, in which a Subject Authority publishes, over DNS and HTTPS, the set of Assertion Issuers it authorizes for its namespace.¶
The Issuer Authorization Policy is a Delegation Artifact: a Subject
Authority (Authority Holder for a subject namespace) uses it to
delegate the right to assert identities in its namespace to one or
more named Assertion Issuers. Each authorized_issuers entry is a
delegation; valid_from and valid_until bound the delegation in
time; tenant constrains the delegation to a specific tenant of a
shared issuer; subject_identifier_formats constrains the
delegation to specific Subject Identifier formats. The verification
procedure (Section 6) validates whether a given identity
assertion is covered by a current delegation; absent a matching
delegation, the Assertion Issuer is not authorized for the asserted
namespace regardless of any other property of the assertion.¶
The Issuer Authorization Policy is a JSON object served over HTTPS.
Publishers MUST serve it with media type application/json;
consumers additionally accept any media type using the structured
+json suffix (Section 5.1). It has the following members:¶
subject_authorityREQUIRED. String. The Subject Authority identifier this policy
applies to. For DNS-domain Subject Authorities the publisher MUST
write this value in A-label (ASCII) form per [RFC5891], mirroring
the authority= directive (Section 4.3). Consumers MUST
verify this value matches the Subject Authority computed in
[TRUST-FRAMEWORK] §Subject Authority Determination after applying
the comparison rules for that Subject Authority form.¶
authorized_issuersREQUIRED. JSON array of authorized issuer objects, which MAY be
empty. An empty array is an explicit denial: the Subject Authority
authoritatively authorizes no issuer. The retrieval of such a policy
is Affirmative (Section 5.1); the denial takes effect at
verification, where no entry can match (Section 6),
subject to mode. Consumers MUST NOT fall through to any other
channel on encountering a denial. Each object has:¶
issuerREQUIRED. String. The Assertion Issuer identifier. For OAuth
authorization server issuer identifiers, this value MUST be an
absolute HTTPS URL with no fragment component. The URL MAY contain a
path component. No normalization is applied before comparison: the
value and the JWT iss claim are compared by exact case-sensitive
string equality (octet-for-octet), consistent with [RFC8414]
issuer-identifier comparison. Consequently https://a and
https://a/ are distinct issuers, and no trailing-slash or
percent-encoding normalization is performed. Query components are
NOT RECOMMENDED because many issuer metadata profiles do not use
them. Issuer identifiers whose string form contains a ; cannot be
expressed in the inline DNS form (Section 4.3) and MUST be
published via the HTTPS document instead.¶
tenantOPTIONAL. Non-empty string. The issuer-side tenant identifier
authorized for this Subject Authority, corresponding to a top-level
tenant claim carried by the assertion (in ID-JAG, [ID-JAG] §6.1).
When present, the assertion's top-level tenant claim MUST be
present and MUST exactly match this value using case-sensitive
string comparison; an assertion that lacks the tenant claim or
carries a different value does not match this entry. When absent,
no tenant constraint applies. Grant profiles that do not carry a
tenant claim (e.g., the generic JWT-bearer grant of [RFC7523])
match only entries that omit tenant. Tenant values are
issuer-specific and MUST NOT be compared across issuers. To
authorize multiple tenants of the same shared issuer, publish one
entry per (issuer, tenant) pair. Guidance for shared-issuer
multi-tenant Identity Providers is in Section 9.10.¶
subject_identifier_formatsOPTIONAL. JSON array of Subject Identifier format names ([RFC9493]) this Assertion Issuer is authorized for. If omitted, the Assertion Issuer is authorized for any format that resolves to this Subject Authority.¶
valid_fromOPTIONAL. [RFC3339] date-time. The delegation MUST NOT be treated
as valid before this time. A consumer MAY apply a small clock-skew
tolerance (≤5 minutes), consistent with JWT nbf conventions
([RFC7519] Section 4.1.5). This tolerance applies only to
valid_from; it MUST NOT be applied to valid_until to extend a
delegation past its stated end.¶
valid_untilOPTIONAL. [RFC3339] date-time. The delegation MUST NOT be treated as valid at or after this time. No clock-skew tolerance is permitted on this bound.¶
modeOPTIONAL. String, either enforce or monitor; default enforce
when absent. In monitor mode the policy is provisional: consumers
evaluate it and log the outcome but do not reject assertions on the
basis of a mismatch (Section 6.1). A policy whose mode value
is any other string is malformed; an unrecognized future mode MUST NOT be silently treated as either defined value.¶
last_updatedOPTIONAL. [RFC3339] date-time at which the policy was last published.¶
signed_policyOPTIONAL. Signed JWT containing policy members as claims, using the
representation defined in [TRUST-FRAMEWORK] §Signed Policy Metadata. This member
follows the signed metadata pattern used by [RFC8414] and
[RFC9728].
Its presence does not by itself require all consumers to support
signed policy processing; consumers apply the requirements in
[TRUST-FRAMEWORK] §Signed Policy Metadata and any local policy
that requires object-level integrity. A Subject Authority that needs
to force signature processing lists signed_policy in crit.
Per the key-resolution requirement of [TRUST-FRAMEWORK] §Signed
Policy Metadata, the verification key for this profile MUST be
resolved through one of: a key published under DNSSEC-signed
records for the Subject Authority, or a key configured out of
band at the consumer. Both channels are independent of the
DNS/HTTPS path that carries the policy document; the trust
assumption is, respectively, DNSSEC validation to the Subject
Authority's zone, or the consumer's own key-provisioning process.
This document does not define a DNS record format for key
publication; deployments using the DNSSEC-published-key option do
so via a mechanism agreed with their consumers until one is
standardized.¶
critOPTIONAL. Array of member names a consumer MUST understand to process the policy safely, as defined in [TRUST-FRAMEWORK] §Critical Members. A consumer that fails to recognize, or does not implement processing for, one or more listed members MUST treat the policy as malformed.¶
Consumers MUST ignore unrecognized members, except those named in
crit. A document containing duplicate member names (at the top level
or within an authorized_issuers entry object) is malformed and MUST
be rejected. The following validation rules apply; a policy failing
any of them is malformed:¶
| Member | Required type / structure | Additional rule |
|---|---|---|
subject_authority
|
string, required | matches the computed Subject Authority |
authorized_issuers
|
array of objects, required (MAY be empty for explicit denial) | each element has issuer
|
issuer
|
string, required | syntactically valid issuer identifier for the applicable grant profile |
tenant
|
string, optional | non-empty (see member definition) |
subject_identifier_formats
|
array of strings, optional | |
valid_from, valid_until, last_updated
|
[RFC3339] date-time, optional | |
mode
|
string, optional | exactly enforce or monitor; any other value is malformed |
signed_policy
|
string, optional | signed JWT as defined in [TRUST-FRAMEWORK] §Signed Policy Metadata |
crit
|
array of strings, optional | non-empty; every listed member recognized and implemented, else malformed ([TRUST-FRAMEWORK] §Critical Members) |
For OAuth authorization server issuer identifiers, a non-HTTPS URL,
a relative URL, or a URL with a fragment component is a malformed
issuer value.¶
Example:¶
{
"subject_authority": "example.com",
"authorized_issuers": [
{
"issuer": "https://idp.example.com",
"subject_identifier_formats": ["email"],
"valid_until": "2027-01-01T00:00:00Z"
},
{
"issuer": "https://accounts.shared.example",
"tenant": "example.com",
"subject_identifier_formats": ["email"]
}
],
"last_updated": "2026-05-01T00:00:00Z"
}
¶
A Subject Authority publishes the Issuer Authorization Policy
through one of the publication channels defined in
Section 4.1. Throughout this document, {A} denotes
the Subject Authority rendered as a DNS name (A-label form,
Section 4.3). DNS publication uses the TXT record at
_oauth-issuer-policy.{A}, following the pattern of CAA, MTA-STS,
SPF, and DKIM (Appendix A.1). HTTPS publication uses
the default well-known URL on the Subject Authority's own host.¶
This document defines three publication channels. A Subject Authority chooses based on operational constraints; all produce semantically equivalent policy validated by the same lookup procedure (Section 5). The canonical lookup procedure consults DNS first and uses the HTTPS well-known channel only when DNS authoritatively indicates absence.¶
| Channel | DNS form | Document | Authority binding | When to use |
|---|---|---|---|---|
| 1: DNS-Inline | TXT with issuer= (Section 4.3) |
None (carried in TXT) | DNS control of {A}
|
Common case: authorize an issuer for a namespace with no rich policy |
| 2: Authority-Hosted HTTPS | TXT with uri=
|
HTTPS-hosted JSON under Subject Authority's operational control | DNS control of {A} AND TLS on the authority-operated host |
Rich policy (validity windows, format restrictions, tenant binding) at a controlled origin |
| 3: Default HTTPS Well-Known | No DNS record | HTTPS-hosted JSON at https://{A}/.well-known/oauth-issuer-policy
|
TLS on {A}
|
Subject Authority has well-known HTTPS infrastructure but no DAI DNS record |
A Subject Authority MAY publish a JSON document at the default
HTTPS well-known URL on its own host (Section 4.4), either
as the sole publication (Channel 3) or alongside a DNS record. A
Subject Authority with no DAI DNS record relies on the natural
negative-authoritative DNS response to bring consumers to the
well-known URL (Section 5).¶
Operators are encouraged to publish the DNS record where practical because it matches the operational model of the prior-art mechanisms in Appendix A.1 and because consumer lookup behavior is DNS-first.¶
The Subject Authority publishes one or more DNS TXT records at
_oauth-issuer-policy.{A}, where {A} is the Subject
Authority rendered as a DNS name. Internationalized names are converted
to A-labels per [RFC5891] before the prefix is prepended. DNS lookup
names are formed without a trailing dot for comparison purposes; the
wire-format root label is not part of the Subject Authority value.¶
The string segments of a TXT record ([RFC1035]) are concatenated without separator and interpreted as ASCII text (a record containing a non-ASCII octet is malformed, since all defined directive values are ASCII by construction).¶
A record is recognized if the version token v=oauth-issuer-policy1
(case-sensitive) appears at the start, terminated by end of record, by
optional whitespace, or by a ; separator; leading whitespace before
the token is permitted. The version token matches only that exact
string: a different token (for example, a future
v=oauth-issuer-policy2) is not recognized, so the record is treated
as unrecognized (not malformed) and is ignored by the recognition
rule. Records that do not begin with a supported version token MUST be
ignored. A v= directive appearing anywhere other than the start of
a recognized record makes the record malformed (Section 5.1).¶
The remainder of a recognized record is a sequence of name=value
directives separated by ;. Parsing rules:¶
Whitespace (space and horizontal tab) immediately before and after each directive is ignored. A value MUST NOT contain whitespace or non-ASCII characters; the directive values defined here (domain names in A-label form and absolute HTTPS URLs) are ASCII by construction.¶
Directive names are case-insensitive ASCII. Values are case-sensitive and preserved as written.¶
A directive splits into name and value at the first =. Subsequent
= characters are part of the value.¶
The value runs to the next ; or end of record. The character ;
MUST NOT appear in a value (see the issuer-identifier constraint in
Section 3).¶
CR, LF, and NUL MUST NOT appear in a value.¶
An empty directive (two consecutive ; separators with no
intervening name=value) makes the record malformed
(Section 5.1).¶
Unrecognized directives MUST be ignored.¶
The parsing rules above are summarized in the following ABNF ([RFC5234] with the case-sensitive string extension of [RFC7405]) for implementer convenience; the prose above is normative if any disagreement exists.¶
record = OWS version OWS *( ";" directive ) [ ";" OWS ] version = %s"v=oauth-issuer-policy1" directive = OWS name "=" value OWS name = 1*( ALPHA / DIGIT / "_" / "-" ) value = *vchar-no-semi vchar-no-semi = %x21-3A / %x3C-7E ; VCHAR (%x21-7E) minus ";" OWS = *( SP / HTAB )¶
The following directives are defined:¶
authority=AREQUIRED. The Subject Authority identifier this record claims to
bind. The publisher MUST write this value in A-label (ASCII) form
per [RFC5891]; consumers compare it against the Subject Authority
computed from the query name (also in A-label form) using the
case-insensitive ASCII comparison rules in [TRUST-FRAMEWORK] §Subject Authority Determination.
Records whose authority= value does not match are discarded (see
the lookup procedure in Section 5). A recognized record
containing more than one authority= directive is malformed
(Section 5.1).¶
uri=URLOPTIONAL. An HTTPS URL identifying an Issuer Authorization Policy
document. The URL MAY be on a different host than A. MUST use the
https:// scheme and MUST NOT contain a fragment component.¶
issuer=ISSUER_URLOPTIONAL. An Assertion Issuer identifier authorized by the Subject
Authority for A. For OAuth authorization server issuer identifiers,
the value MUST be an absolute HTTPS URL and MUST NOT contain a
fragment component. MAY appear multiple times within a record and
across records.¶
mode=MODEOPTIONAL. Either enforce or monitor; default enforce when
absent (Section 6.1). At most one mode= directive per record;
a second is malformed. If any remaining record after authority=
filtering carries mode=, all remaining records MUST carry mode=
with the same value; a mix of differing or partially present mode=
directives across records is malformed. A mode= value other than
the two defined values is malformed.¶
A recognized record MUST contain at least one uri= directive or at
least one issuer= directive. Recognized records containing neither
MUST be treated as malformed (see Section 5.1).¶
A Subject Authority MUST publish records for at most one version of
this mechanism at a time. This document defines only
oauth-issuer-policy1. Future versions that are not
understood by a consumer are ignored by the recognition rule above.¶
The default Issuer Authorization Policy URL is:¶
https://{A}/.well-known/oauth-issuer-policy
¶
where {A} is the Subject Authority value rendered as a host (A-label
form for internationalized names). The URL uses the https scheme,
the host {A}, the default HTTPS port (443), and the well-known path
[RFC8615]; it has no userinfo, port, query, or fragment component. A
Subject Authority whose form has no host representation (none is
defined in this document beyond the email-derived DNS domain) cannot
use the default well-known channel. Consumers fetch this URL with an
HTTP GET over HTTPS with TLS server authentication and interpret the
response body as the JSON document defined in Section 3.¶
A URL obtained from a DNS uri= directive is fetched the same way;
the host serving the URL is responsible for TLS server authentication
of itself, not of A.¶
For every policy fetch defined here (the default well-known URL, a
uri= target, and the HTTPS-only mode of
Section 8.2), and for any redirect
followed from one, the consumer MUST NOT connect to a host that
resolves to a non-globally-routable address; see Section 9.11.¶
HTTP redirect handling is fixed so that two consumers reach the same outcome and so that a redirect cannot silently move the authority anchor to a host the Subject Authority does not control:¶
Consumers MUST follow HTTPS redirects up to a limit of 5 hops; a request that would exceed 5 hops, or that loops, is classified as Indeterminate (Section 5.1).¶
Every redirect target MUST use the https scheme and MUST NOT
contain a fragment component.¶
Every redirect target MUST remain within the same registrable
domain as the initial fetch host (the Subject Authority {A} for
the default well-known channel; the uri= pointer's host for the
pointer channel), where the registrable domain is computed with
the Public Suffix List algorithm of [TRUST-FRAMEWORK] §Subject
Authority Determination (ICANN and PRIVATE divisions) applied to
the A-label host. A redirect to a different registrable domain
MUST NOT be followed and is classified as Indeterminate;
cross-registrable-domain policy hosting is expressed only through
the uri= pointer, where the delegation is published in DNS and
visible to the Subject Authority.¶
The final response MUST have HTTP status 200 and a media type of
application/json or any media type using the structured +json
suffix (media type parameters ignored); any other final status is
classified per Section 5.1.¶
The document retrieved from either the default well-known URL or a
DNS uri= pointer is the Issuer Authorization Policy defined in
Section 3; consumers MUST NOT interpret any other JSON shape
as an Issuer Authorization Policy. Consumers MUST validate the
complete policy as a unit; a malformed entry makes the whole policy
malformed, not just the offending entry.¶
Bounds (a response exceeding any bound is classified per
Section 5.1): consumers MUST accept a policy document of at least
64 KiB and MAY reject one larger; publishers MUST keep the document
within 64 KiB. Consumers MUST accept at least 100 authorized_issuers
entries and MAY reject more. Consumers SHOULD apply an overall fetch
timeout and SHOULD limit JSON nesting depth (the defined document has a
fixed shallow structure). Consumers SHOULD send a conditional request
(for example, If-None-Match) when they hold a cached policy, treating
a 304 response per Section 5.1.¶
The document's shape and members are defined, with an example, in Section 3.¶
To retrieve the Issuer Authorization Policy for a Subject Authority A,
a Resource Authorization Server performs the following steps. The
procedure consults DNS first and falls back to the HTTPS well-known
URL only on negative-authoritative outcomes.¶
DNS at _oauth-issuer-policy.{A} and HTTPS at the default well-known
URL are two publication channels of the same Subject Authority.
Consulting HTTPS after DNS returns negative-authoritative is NOT an
Authority Source fallback in the sense forbidden by
[TRUST-FRAMEWORK] §Lookup States and Fail-Closed; the
abstract Negative state is reached only when both channels return
absence (Section 5.1). The abstract no-fallback rule continues
to forbid falling through to a DIFFERENT Subject Authority's policy.¶
This is the canonical procedure used by the
domain_authorized_issuer Trust Method. The HTTPS-only lookup mode
defined in Section 8.2 skips DNS
entirely and retrieves only from the HTTPS well-known URL.¶
Query the DNS TXT resource record set at
_oauth-issuer-policy.{A}. Classify the response as:¶
negative-authoritativeNXDOMAIN, or NOERROR with an empty answer section or with no recognized records after parsing.¶
indeterminateSERVFAIL, REFUSED, timeout, truncation with no successful retry, or any other failure that prevents a definitive negative result.¶
affirmativeNOERROR with at least one recognized record after parsing.¶
If the DNS response is affirmative:¶
a. Discard recognized records whose authority= directive does
not match A under the Subject Authority comparison rules in
[TRUST-FRAMEWORK] §Subject Authority Determination. If any recognized record is missing an
authority= directive, treat the response as malformed. If
all recognized records are discarded because of authority=
mismatch, treat the response as malformed. (A malformed
outcome is classified as Indeterminate, Section 5.1.)¶
Before continuing, validate the remaining recognized records
against the directive rules in Section 4.3. This includes
rejecting malformed uri= or issuer= values, and records with
neither uri= nor issuer=. Any such condition is a malformed
outcome.¶
b. If any remaining record contains a uri= directive:¶
If more than one distinct uri= value is present across the
remaining records, treat as malformed.¶
Otherwise fetch the JSON policy from that URL per
Section 4.4. The fetched document is the Issuer
Authorization Policy, including its mode. All issuer=
and mode= directives across all records are ignored:
their values do not contribute to the policy, but the
directive-validity rules of Section 4.3 (including
mode= consistency) were already applied in step 2a, so a
record set malformed under those rules never reaches this
step.¶
c. Otherwise (no uri= present), construct a virtual Issuer
Authorization Policy with subject_authority set to A and
one entry in authorized_issuers for each distinct issuer=
value across the remaining records. Entry order carries no
semantics (Section 6); the deduplicated values form
a set. The virtual policy's mode is the common mode= value
of the remaining records, or enforce when none carries
mode= (Section 4.3). Entries have no tenant,
subject_identifier_formats, valid_from, or valid_until.
The virtual policy is processed identically to one fetched over
HTTPS, except that its cache lifetime is derived from DNS TTLs
as described in Section 7.¶
If the DNS response is negative-authoritative, fetch the policy
from the default HTTPS well-known URL per Section 4.4.¶
If the DNS response is indeterminate, lookup has failed.
Consumers MUST NOT fall back to HTTPS, since an attacker who
suppresses DNS responses could otherwise force the consumer onto a
path the attacker has compromised separately.¶
Two distinct situations remove DNS from the picture, with different
outcomes. A deployment whose Trust Policy selects the HTTPS-only
lookup mode (Section 8.2) never consults
DNS by design; note that a Subject Authority publishing only inline
DNS records (a common pattern) is unfindable under that mode. By
contrast, under the canonical DNS-first mode specified here, a
Resource Authorization Server that cannot resolve DNS (resolver
failure, untrusted resolution path) treats the lookup as
indeterminate and rejects the assertion, fail-closed; it MUST NOT
improvise a fallback to the HTTPS channel.¶
DAI lookup outcomes map onto the Affirmative / Negative / Indeterminate lookup states of the Authority Delegation Model ([TRUST-FRAMEWORK] §Lookup States and Fail-Closed). The normative requirements (fail closed on Negative and Indeterminate; no fallback to a different Authority Source; bounded cache reuse on transient Indeterminate) apply unchanged; this section maps the concrete DAI outcomes onto those states.¶
| State | DAI outcomes |
|---|---|
| Affirmative | A well-formed Issuer Authorization Policy was retrieved (inline DNS, DNS pointer + HTTPS fetch, or HTTPS well-known URL), its subject_authority matches A, and its structural validation succeeds; this includes a policy whose authorized_issuers array is empty (explicit denial, evaluated in Section 6). HTTPS responses, when applicable, are 200 OK with a media type of application/json or a +json-suffixed type. A 304 (Not Modified) response to a conditional request validating a held cached policy within the absolute ceiling of Section 7 renews its freshness and is classified as the held policy's state; it does not reset the absolute cache-entry age. |
| Negative | DNS negative-authoritative followed by HTTPS 404 or 410 at the well-known URL; HTTPS 404 or 410 reached from a DNS uri= pointer; or, under the HTTPS-only lookup mode (Section 8.2), HTTPS 404 or 410 at the well-known URL. No policy is published at the location(s) the lookup consults. |
| Indeterminate | Any other outcome, fail-closed by default. See enumeration below. |
The Indeterminate state covers:¶
DNS-side: SERVFAIL, REFUSED, timeout, truncation with no successful retry.¶
HTTPS transport: TLS error, connection failure, redirect loop, non-HTTPS redirect target.¶
HTTPS response: 5xx; 4xx other than 404 and 410 (for example
401, 403, 405, 429, 451); 2xx other than 200; a 3xx that is not a
followed redirect (Section 4.4) and not a 304 validating a
held cached policy; unsupported media type; a body larger than the
size limit, or containing more authorized_issuers entries than
the consumer's entry limit (Section 4.5).¶
DNS record validation: authority= missing from any recognized
record; all recognized records discarded for authority= mismatch;
more than one authority= or mode= in a record; differing or
partially present mode= values across remaining records; a
mode= value other than enforce or monitor; a recognized
record with neither uri= nor issuer=; multiple distinct uri=
values; an empty or otherwise malformed directive.¶
HTTPS document validation: body that is not a syntactically
valid Issuer Authorization Policy; a mode value other than
enforce or monitor; subject_authority that does
not match A.¶
Any outcome not explicitly mapped to Affirmative or Negative above MUST be treated as Indeterminate.¶
The following deterministic conflict rules apply:¶
Multiple recognized TXT records containing no uri= directive
are merged into a single virtual policy. issuer= values across
records are deduplicated into a set; order carries no semantics
(Section 5, step 2c).¶
If any recognized record contains a uri= directive after
authority= filtering, the HTTPS document at the single uri=
target is authoritative and all issuer= directives across all
records are ignored (Section 5, step 2b). More than one distinct
uri= value is malformed.¶
If both DNS and the HTTPS well-known URL are populated with differing content, DNS is authoritative when it returns an Affirmative response. Consumers do not consult or reconcile the HTTPS well-known URL in that case.¶
Multiple authorized_issuers entries for the same issuer value but
different tenant values are independent authorizations. Entries with
tenant do not shadow entries without tenant for the same issuer.¶
Only the Subject Authority computed by the extraction procedure for the assertion's Subject Identifier applies. Another Subject Authority's policy cannot grant authority over that subject.¶
If the assertion's claims conflict with the matched policy entry, the assertion fails the Trust Method.¶
Consumers MUST treat both Negative and Indeterminate as assertion rejection. A fresh cached Affirmative policy MAY be used during transient Indeterminate on the live channel, subject to Section 7; the cache lifetime MUST NOT be extended by repeated Indeterminate retrievals.¶
When the domain_authorized_issuer Trust Method is evaluated, the
Resource Authorization Server MUST:¶
Determine the Subject Authority from the assertion's Subject Identifier per [TRUST-FRAMEWORK] §Subject Authority Determination. If the format is not registered in [TRUST-FRAMEWORK] §Subject Authority Extraction Procedures Registry, reject the assertion.¶
Retrieve the Issuer Authorization Policy by applying the procedure in Section 5. Negative and Indeterminate outcomes (Section 5.1) MUST result in rejection, except that a fresh cached policy MAY be used when the live retrieval is Indeterminate.¶
Verify the policy's subject_authority matches the computed
Subject Authority. (Virtual policies satisfy this by
construction.)¶
Determine whether any entry in authorized_issuers matches. An
entry matches when ALL of the following hold:¶
a. issuer equals the JWT iss claim under case-sensitive URL
string comparison (the comparison rule fixed in
Section 3).¶
b. If the entry contains a tenant member, its value exactly
matches the assertion's top-level tenant claim (in ID-JAG,
[ID-JAG] §6.1) under case-sensitive string comparison. An
entry with tenant does not match an assertion that lacks the
tenant claim; an entry without tenant matches regardless of
any tenant claim in the assertion. Under a grant profile that
carries no tenant claim, any tenant claim physically present
in the assertion MUST be ignored for entry matching.¶
c. If the entry contains subject_identifier_formats, the Subject
Identifier format of the assertion's subject is listed.¶
d. If valid_from or valid_until are present, the current time
is within the validity window (with the skew rules of
Section 3).¶
Under a policy whose mode is enforce (the default), the Trust
Method is satisfied when step 3 succeeds and at least one entry
matches under (a)-(d); under monitor, see Section 6.1.
Entry order in authorized_issuers carries no semantics: the
outcome is the boolean "does any entry match," so two consumers
evaluating the same policy against the same assertion reach the
same result regardless of array order or of which matching entry
they examine first.¶
Steps 1 and 2 are prerequisites; their failure causes assertion
rejection per Section 5.1 unconditionally and is not classified
as a Trust Method satisfaction outcome. When the Trust Method is not
satisfied and, as a result, the cross-category combination rule
([TRUST-FRAMEWORK] §Cross-Category Combination Rule) is not met,
the Resource Authorization Server MUST reject the assertion with an
OAuth invalid_grant error.¶
A Subject Authority deploying its first policy cannot easily know
whether its issuer list is complete; an omission breaks sign-in for
its users. Monitor mode, following the deployment pattern of the
DMARC [RFC7489] p=none policy, lets the Subject Authority
publish, observe, and then enforce.¶
When the retrieved policy's mode is monitor (Section 3):¶
The consumer MUST evaluate steps 3 and 4 normally, and SHOULD log every evaluation under the monitored policy (Subject Authority, assertion issuer, matched or mismatched, timestamp) so the Subject Authority can be informed out of band.¶
If no entry matches (including the empty-array explicit-denial case), the Trust Method is nevertheless satisfied: the consumer MUST NOT reject the assertion on the basis of the mismatch.¶
If an entry matches, the outcome is identical to enforce mode.¶
Monitor mode affects only the evaluation of a successfully retrieved policy. It does not alter lookup-state classification: Indeterminate outcomes still fail closed (the consumer cannot know the mode of a policy it could not retrieve), and Negative outcomes are unchanged.¶
Monitor mode provides no protection: while it is in effect, any authenticated issuer is accepted for the namespace exactly as if no policy were enforced, with logging as the only difference. It is a transitional state; Subject Authorities SHOULD move to enforce mode promptly once the observed mismatches are resolved (see Section 11 for the rollout sequence and Section 9.6 for the downgrade risk).¶
An aggregate reporting mechanism by which consumers deliver
monitored-mismatch reports to the Subject Authority (analogous to
DMARC's rua) is deferred; see Appendix B.¶
Cache lifetimes for the Issuer Authorization Policy:¶
Consumers SHOULD respect HTTP Cache-Control on HTTPS documents
and DNS TTL on records. The DNS inline form's virtual-policy
lifetime is the minimum TTL of the constructing records. For
the DNS pointer form, the effective lifetime is the lesser of
the pointer's DNS TTL and the fetched document's HTTP cache
lifetime.¶
Subject Authorities SHOULD publish records and HTTPS policies with a steady-state TTL of at most 1 hour, reducing further during an active revocation.¶
Consumers MUST enforce an absolute local cache ceiling on the age
of any cached policy entry (recommended: 24 hours) regardless of TTL
or Cache-Control. A cached entry older than the ceiling MUST NOT be
used and MUST be re-fetched.¶
Serving stale cache during outages is separately bounded. Consumers
MAY serve a fresh cached Affirmative policy (one within its normal
TTL/Cache-Control lifetime) when a live retrieval is
Indeterminate. Independently of the absolute ceiling above,
consumers MUST NOT serve a cached policy across a continuous run of
Indeterminate live results lasting longer than 1 hour: once the
most recent successful (Affirmative or Negative) live retrieval is
more than 1 hour old, the consumer MUST stop serving the cached
policy and treat the lookup as Indeterminate (reject). Any successful
live retrieval resets this 1-hour outage window. This bound prevents
an attacker who can sustain denial of service against the policy
endpoint from extending revocation latency up to the 24-hour ceiling.¶
Negative results SHOULD be cached, subject to the same ceiling, to bound lookup work under load (Section 9.11). Consumers whose threat model includes brief publication-channel takeover SHOULD cap negative-cache lifetime at a shorter value (recommended: 5 minutes) so that a Negative cached during a takeover does not hide the legitimate Authority Holder's later publication; the same shorter cap SHOULD apply to a cached explicit-denial policy (Section 3).¶
Indeterminate outcomes MAY be cached for a short period (recommended: no more than 5 minutes) to absorb retry storms; an Indeterminate cache entry MUST NOT be treated as a policy and never satisfies the Trust Method.¶
This document defines domain_authorized_issuer as a
subject_namespace_authorization Trust Method of [TRUST-FRAMEWORK].
DNS at _oauth-issuer-policy.{authority} is the primary publication
channel, with the HTTPS well-known URL as fallback. The Trust Method
registers in the Identity Assertion Issuer Trust Methods registry
([TRUST-FRAMEWORK] §Identity Assertion Issuer Trust Methods Registry).¶
Within domain_authorized_issuer, a Resource Authorization Server
selects one lookup mode:¶
Canonical DNS-first lookup is the default. The Resource
Authorization Server queries _oauth-issuer-policy.{A} first and
falls back to the HTTPS well-known URL on negative-authoritative
DNS responses (Section 5). The "no DNS record, only HTTPS
document" Subject Authority case is therefore already covered
without the HTTPS-only variant.¶
HTTPS-only lookup is an explicit deployment variant. Use it when local policy distrusts DNS-published authority entirely and requires authority retrieval over TLS-authenticated HTTPS only. Inline DNS records and DNS pointer forms are rejected.¶
Resource Authorization Servers MUST NOT evaluate both lookup modes
as alternatives for the same assertion. Doing so creates an
availability-driven fallback: an attacker who can drive the DNS
lookup to indeterminate (resolver denial-of-service, BGP
disruption) could force fallthrough to HTTPS-only evaluation,
defeating the fail-closed property of the DNS-first lookup.¶
The Issuer Authorization Policy is a security-critical document. Its integrity determines which Assertion Issuers can assert identities in the Subject Authority's namespace.¶
HTTPS retrieval integrity rests on TLS server authentication of the policy host; the inline DNS form rests on DNS resolution alone; the pointer form rests on both. Subject Authorities concerned about TLS misissuance are encouraged to publish CAA records [RFC8659] for the policy-hosting domain and to monitor Certificate Transparency logs.¶
The HTTPS-only lookup mode
(Section 8.2) substitutes TLS-server
authentication for DNS-published authority. The threat surfaces
differ from the canonical DNS-first lookup of
domain_authorized_issuer:¶
DNS-record attacks (Section 9.4) do NOT affect authority retrieval; the TXT record is not fetched.¶
Apex-hostname resolution still uses DNS. A DNS-redirect of the apex combined with TLS misissuance substitutes the policy; CAA records and Certificate Transparency monitoring are the primary defenses (Section 9.2).¶
The DNS pointer form's policy-host risk (Section 9.5) does not apply; the policy is served from the Subject Authority's own apex origin.¶
Subject Authorities that cannot control the apex web origin (apex hosted on a marketing CDN with no path control) cannot participate via this mode.¶
The trade-off between the two lookup modes is discussed in Appendix A.4.¶
An adversary who can substitute a forged DNS response (off-path
resolver spoofing, authoritative nameserver hijack, registrar
account compromise, BGP hijack, recursive cache poisoning) can
substitute the Subject Authority's policy: add an attacker-
controlled Assertion Issuer to the inline form, redirect a uri=
pointer, or force indeterminate outcomes to benefit a cached
attacker-friendly policy. The pointer form additionally depends on
TLS authentication of the pointed-at host: TLS does not mitigate
the DNS compromise that selected that host.¶
Absent DNSSEC or an authenticated resolver path, the inline DNS form's integrity is no stronger than the recursive resolver path between consumer and authoritative server. Deployments needing a stronger guarantee SHOULD sign the zone with DNSSEC or use the HTTPS document form with the controls of [TRUST-FRAMEWORK] §Shared Infrastructure and Hosted Well-Known Paths; the inline form's "common case" simplicity (Section 4.1) is an operability tradeoff, not an integrity guarantee.¶
Required framework defenses:¶
Consumers MUST discard records whose authority= does not match
the queried Subject Authority. This is the wildcard mitigation:
a permissive parent-zone wildcard cannot authorize subdomains
because consumers reject records lacking the matching
authority= directive.¶
Consumers MUST verify TLS for any host named by uri=.¶
Consumers MUST bound cache lifetimes (Section 7; recommended absolute ceiling 24 hours).¶
Consumers performing DNSSEC validation MUST treat validation
failure as indeterminate, not negative-authoritative, to
prevent signature-strip downgrade to HTTPS fallback.¶
Subject Authorities SHOULD sign _oauth-issuer-policy.{A} with
DNSSEC, and consumers that do not validate DNSSEC SHOULD use a
trustworthy resolver path (DoH/DoT to a vetted resolver).¶
Forged-Negative downgrade: a negative-authoritative DNS result
(NXDOMAIN/NODATA) triggers the HTTPS well-known fallback
(Section 5). A consumer that does not validate DNSSEC cannot
distinguish a forged negative answer from a genuine one, so an
attacker able to both spoof a negative DNS response and serve (or
redirect to) the victim's apex HTTPS origin can suppress a
legitimately published inline record and substitute an
attacker-controlled HTTPS policy. Consumers that do not validate
DNSSEC and expect a Subject Authority to publish inline records
SHOULD NOT honor a Negative-to-HTTPS transition for that authority
without an authenticated resolver path; where the Subject Authority's
publication channel is configured or discoverable, treat an
unexpected Negative with the same suspicion as Indeterminate.¶
Operational defenses Subject Authorities are encouraged to apply: registrar account lock; monitoring of the record set and policy document for unexpected changes; cross-region/cross-resolver checks to detect localized substitution; avoiding wildcard TXT records in zones participating in this mechanism.¶
The DNS pointer form lets the Subject Authority move rich policy from DNS into an HTTPS document. In this version, the pointed-to host is expected to be under the Subject Authority's operational control. General shared-infrastructure risks (multi-tenant CDNs, cache rules, dangling origins) are covered in [TRUST-FRAMEWORK] §Shared Infrastructure and Hosted Well-Known Paths. Three DAI-specific points:¶
The pointer target is trusted fully for the policy contents and is appropriate only when the host is operated for, or otherwise controlled by, the Subject Authority.¶
Both the DNS-side authority= directive and the JSON-side
subject_authority member MUST match the queried Subject
Authority. Each binding is published through a different control
path; one missing check would let a compromise of either party
claim arbitrary namespaces.¶
The uri= pointer is a long-lived trust delegation. Subject
Authorities SHOULD reduce DNS TTLs in advance of any planned
change of policy host.¶
An attacker who can modify the published policy has a stealthier
option than adding their own issuer: flipping mode from enforce
to monitor. The policy remains present and superficially intact,
but enforcement is silently off (Section 6.1). A variant
targets signed policies: because unsigned members absent from the
signed JWT are not conflict-checked ([TRUST-FRAMEWORK] §Signed
Policy Metadata), an attacker who can edit the outer document but
not the JWT can inject an unsigned mode: monitor beside an intact
signature. Subject Authorities publishing signed_policy SHOULD
therefore include mode among the signed claims, so that an
injected outer value is rejected as a conflict. Consumers SHOULD
surface mode transitions for a given Subject Authority in their
logs, and Subject Authorities SHOULD monitor their published records
for unexpected mode changes with the same rigor as for issuer-list
changes (Section 11). Because monitor mode accepts any
authenticated issuer for the namespace, a policy observed in monitor
mode for an extended period SHOULD be treated by operators on both
sides as a misconfiguration signal.¶
The lookup procedure (Section 5) is deterministic across the common conflict scenarios that arise when multiple records or sources coexist. Determinism is a security property: two verifiers receiving the same DNS and HTTPS responses MUST reach the same conclusion about what (if any) policy applies. An attacker with partial control of one publication channel cannot exploit interpretive ambiguity at the consumer.¶
Common conflict scenarios and their deterministic dispositions are specified in Section 5.1.¶
Authentication. The inline DNS form has no signing mechanism; its authority binding is DNS control. The HTTPS document form relies on DNS selection plus TLS to the selected policy host.¶
Scope. A Resource Authorization Server MUST NOT use a matched Issuer Authorization Policy to establish trust for subjects outside that Subject Authority's namespace.¶
Inline-form features. The inline DNS form expresses only
"issuer X is authorized for Subject Authority A." Deployments
needing tenant, subject_identifier_formats, valid_from,
valid_until, or explicit denial (an empty authorized_issuers
array, Section 3) MUST use the HTTPS or DNS pointer form;
a recognized inline record with no issuer= is malformed, so the
inline form cannot publish an empty delegation set.¶
domain_authorized_issuer evaluates only the email's registrable
domain. The local-part is unauthenticated by this Trust Method: it
attests that the Assertion Issuer may assert about emails in the
namespace, not that any specific local-part is correct. Resource
Authorization Servers that normalize local-parts (case folding,
plus-address stripping, alias collapsing) inherit those assumptions
from the Assertion Issuer; an attacker controlling an
issuer-accepted alias can land on a different normalized user.
Either disable local-part normalization or verify the local-part
through a mechanism outside this document. See also
[TRUST-FRAMEWORK] §Scope of Namespace Authorization.¶
The shared-issuer case and its tenant binding are demonstrated
in the Shared Issuer Variant of the End-to-End Example. Two
security points apply:¶
Unconstrained-listing risk. A Subject Authority that lists
a shared issuer with no tenant value authorizes every tenant
of that Identity Provider, almost never the intent. Subject
Authorities listing a shared issuer SHOULD include tenant.
Resource Authorization Servers SHOULD log a warning when
accepting under an unconstrained entry and SHOULD consider
rejecting as a matter of local policy.¶
Tenant-isolation dependency. The tenant binding is a
wire-format expression of trust, not a cryptographic guarantee.
The Resource Authorization Server verifies match against the
Subject Authority's chosen tenant value, but cannot verify the
Identity Provider's tenant-isolation implementation. A
tenant-isolation defect (cross-tenant minting bug,
misconfigured admin operation) defeats the wire-format check.
Subject Authorities SHOULD prefer per-tenant issuer identifiers
where offered and treat shared-issuer listings as long-lived
delegations requiring due diligence on the Identity Provider's
tenant-isolation guarantees.¶
Grant profiles without a tenant claim. Under a grant
profile that carries no tenant claim (e.g., the generic
JWT-bearer grant, [TRUST-FRAMEWORK] §Generic JWT-Bearer
Assertion Grant), only entries that omit tenant can match, so
tenant-scoped authorization is not expressible. A Subject
Authority relying on a shared multi-tenant Assertion Issuer
SHOULD NOT authorize that issuer for such a grant unless
per-tenant issuer identifiers are used.¶
The domain_authorized_issuer lookup can be triggered before the
Assertion Issuer is known to be trustworthy: the assertion signature
validates against the issuer's own key, which an attacker operating
their own authorization server controls. An attacker can therefore
drive lookups at will, creating three risks:¶
Reflection/amplification and cache exhaustion. A flood of
assertions carrying distinct Subject Authorities
(email: x@{random}.example) makes the Resource Authorization
Server issue a live DNS query, and on a Negative result an HTTPS
fetch, per distinct authority, turning it into a request amplifier
aimed at third-party DNS/HTTPS infrastructure and filling its own
cache with distinct-authority entries. Consumers MUST bound lookup
work: enforce per-Subject-Authority and global rate limits and
bound concurrent outstanding lookups. Consumers SHOULD cache
Negative and Indeterminate outcomes per Section 7, and MAY
impose a maximum number of distinct-authority lookups per unit
time, shedding load by treating excess as Indeterminate
(fail-closed).¶
Server-Side Request Forgery. Every HTTPS policy fetch resolves
a host the attacker may control: the Subject Authority {A} for
the default well-known fetch (the attacker presents an assertion
whose namespace is a domain it owns, then points that domain's apex
A/AAAA records at an internal address), the uri= pointer's host,
the well-known host under the HTTPS-only mode, and any redirect
target. The fetch occurs regardless of whether the body validates,
enabling blind internal probing through timing and error
differentials. For every such fetch, consumers MUST NOT connect to
a host that resolves to a private-use, loopback, link-local,
unique-local, or otherwise non-globally-routable IPv4 or IPv6
address, MUST cap redirects and response size (Section 4.4,
Section 4.5), and SHOULD apply a fetch
timeout. The same-registrable-domain constraint on redirects
(Section 4.4) further limits redirect-based SSRF.¶
Cost asymmetry. A single small assertion can cause a full DNS+HTTPS round trip. Consumers SHOULD prefer cached results and SHOULD NOT perform a live lookup until the assertion has passed the cheaper grant-profile validation checks (signature, audience, expiry; [TRUST-FRAMEWORK] §Resource Authorization Server Processing step 2).¶
The lookup is verifier-side and per-verification, so it leaks metadata in two directions:¶
To the resolver path. A DNS query for
_oauth-issuer-policy.{A} exposes the Subject Authority {A} being
evaluated (and its timing) to every resolver and on-path observer.
It does not carry the full subject identifier for formats such as
email, but the authority plus timing can reveal organizational
relationships and login activity. Resource Authorization Servers
SHOULD use a privacy-preserving resolver path (DoH/DoT to a vetted
resolver) and SHOULD NOT perform the lookup until it is needed for a
concrete verification decision.¶
To the Subject Authority. For the HTTPS well-known and uri=
channels, the Subject Authority's own server (or its chosen policy
host) observes the Resource Authorization Server's egress IP address
and the timing of each fetch, learning which Resource Authorization
Servers its namespace's users are authenticating to; the
authoritative DNS operator for {A} observes per-lookup timing over
DNS. An employer acting as its own Subject Authority can thereby
obtain a near-real-time signal of where employees sign in. Caching
(Section 7) is the primary mitigation: it coarsens timing and
collapses repeated lookups, so consumers SHOULD cache to the bounds
permitted rather than re-fetching per verification.¶
Publishing a DAI record makes DNS/HTTPS control a real-time input to sign-in authorization: a lapse in the record or its host can stop legitimate assertions from being accepted, and an unauthorized change can authorize an attacker. Subject Authorities SHOULD operate the record and any policy host with the same rigor as other sign-in-path infrastructure. Specific guidance:¶
Rollout. Deploy in three phases: publish with mode=monitor
(Section 6.1); observe logged mismatches until the issuer
list is known complete (forgotten regional tenants and departing
Identity Providers surface here rather than as sign-in outages);
then switch to enforce. Before enforcing, Subject Authorities
SHOULD sign the zone with DNSSEC or publish via the HTTPS document
form, since enforce-mode decisions carry the full weight of the
publication channel's integrity (Section 9.4).¶
Change management and TTLs. Reduce DNS TTLs in advance of any
planned change to the record or uri= pointer (Section 9.5),
and choose steady-state TTLs balancing propagation speed against
resolver load and the consumer cache bounds of Section 7.¶
Rotation. To rotate an authorized issuer, publish the new
authorized_issuers entry alongside the old one and remove the old
entry only after the old issuer is decommissioned and caches have
expired; overlapping validity windows (valid_from/valid_until)
make the transition observable and bounded.¶
Monitoring. Monitor the record set and any HTTPS policy document for unexpected changes, and perform cross-region/cross-resolver checks to detect localized substitution (Section 9.4).¶
Availability. Because Negative and Indeterminate outcomes fail closed (Section 5.1), loss of the record or policy host blocks sign-in for the namespace; provision the authoritative DNS and any policy host for availability accordingly.¶
Zone hygiene. Avoid wildcard TXT records in zones participating
in this mechanism (Section 9.4); a wildcard
with a non-matching authority= causes recognized-but-discarded
records and can push a lookup to Indeterminate.¶
Registers the following entry in the IANA "Underscored and Globally Scoped DNS Node Names" registry per [RFC8552] and [RFC8553], for use by this document:¶
TXT¶
_oauth-issuer-policy¶
This document, Section 4.3¶
This document registers the following entry in the Identity Assertion Issuer Trust Methods registry ([TRUST-FRAMEWORK] §Identity Assertion Issuer Trust Methods Registry):¶
| Identifier | Categories | Parameters | Change Controller | Reference |
|---|---|---|---|---|
domain_authorized_issuer
|
subject_namespace_authorization
|
lookup (string, OPTIONAL; value https_only selects the HTTPS-only lookup variant) |
IETF | This document |
IANA is requested to establish a new registry titled "OAuth Issuer
Authorization Policy DNS Directives" under the "OAuth Parameters"
registry group, for the name=value directives carried in the DNS
TXT record (Section 4.3).¶
Registration policy: Specification Required [RFC8126].¶
Each entry contains a Directive Name (character set [a-z0-9_-]), a
Description, a Change Controller, and a Reference. Designated Expert
instructions: the expert verifies the directive name is unique, its
value syntax is specified within the ABNF value production of
Section 4.3 (ASCII, no ;, no whitespace), and its
multiplicity and duplicate-handling rules are stated.¶
Initial entries:¶
| Directive Name | Description | Change Controller | Reference |
|---|---|---|---|
v
|
Version token; MUST appear first | IETF | This document |
authority
|
Subject Authority this record binds (A-label) | IETF | This document |
uri
|
HTTPS URL of an Issuer Authorization Policy document | IETF | This document |
issuer
|
An authorized Assertion Issuer identifier | IETF | This document |
mode
|
Enforcement mode: enforce (default) or monitor
|
IETF | This document |
IANA is requested to establish a new registry titled "OAuth Issuer Authorization Policy Members" under the "OAuth Parameters" registry group, for the JSON members of the Issuer Authorization Policy document (Section 3).¶
Registration policy: Specification Required [RFC8126].¶
Each entry contains a Member Name, a Description, a Change Controller,
and a Reference. Designated Expert instructions: the expert verifies
the member name does not collide with an existing member, its JSON
type and semantics are specified, and any decision-affecting member
states how a consumer that does not recognize it behaves (the default
is to ignore unrecognized members; a member requiring fail-closed
handling uses the crit mechanism of [TRUST-FRAMEWORK] §Critical
Members).¶
Initial entries:¶
| Member Name | Description | Change Controller | Reference |
|---|---|---|---|
subject_authority
|
Subject Authority this policy applies to | IETF | This document |
authorized_issuers
|
Array of authorized issuer objects | IETF | This document |
issuer
|
Authorized Assertion Issuer identifier (within an entry) | IETF | This document |
tenant
|
Issuer-side tenant identifier (within an entry) | IETF | This document |
subject_identifier_formats
|
Permitted Subject Identifier formats (within an entry) | IETF | This document |
valid_from
|
Delegation start time (within an entry) | IETF | This document |
valid_until
|
Delegation end time (within an entry) | IETF | This document |
mode
|
Enforcement mode: enforce (default) or monitor
|
IETF | This document |
last_updated
|
Policy publication time | IETF | This document |
signed_policy
|
Signed JWT of the policy members | IETF | This document; [TRUST-FRAMEWORK] §Signed Policy Metadata |
crit
|
Names decision-affecting members a consumer MUST understand or reject the document | IETF | This document; [TRUST-FRAMEWORK] §Critical Members |
This appendix is non-normative.¶
The DNS node name, well-known URI suffix, and version token name the
document they locate (the Issuer Authorization Policy), not the
identity framework consuming it. The wire format is
subject-class-agnostic: no member or directive is specific to email
or identity assertions; the subject class is expressed through
subject_identifier_formats ([RFC9493]), and the identity-specific
machinery lives in [TRUST-FRAMEWORK], whose own well-known URI is
identity-scoped for that reason. A future Subject Identifier format
with a DNS-publishable Subject Authority reuses
domain_authorized_issuer and this same record
([TRUST-FRAMEWORK] §Future Extensions); an identity-scoped name
would force a second record at a second DNS name. One per-domain
policy surface, extended through registered members rather than new
names, follows the oauth-authorization-server metadata precedent.¶
Shared-issuer multi-tenant Identity Providers (Google Workspace, Auth0 in some configurations, Microsoft Entra B2B in some flows) serve many customer tenants under a single issuer URL. The deployment reality is that these Identity Providers are common; authorizing them without tenant binding effectively authorizes every tenant of the Identity Provider for the namespace, which is almost never the intent.¶
The tenant member on authorized_issuers[] entries binds
authorization to the specific tenant identifier the Identity
Provider populates in the top-level tenant claim defined in
[ID-JAG] §6.1. The binding makes the Subject Authority's choice
of authorized tenant observable on the wire and verifiable per
assertion. It does not eliminate the trust assumption on the
Identity Provider's tenant-isolation enforcement; it makes the
assumption explicit and auditable. See Section 9.10.¶
A generic claim-matching mechanism (matching arbitrary JWT claims
against publisher-specified values) was considered as an
alternative. First-class tenant was preferred because the claim
name is standardized in [ID-JAG], the deployment intent is
unambiguous, and the wire-format expression is simpler than a
generic claim-matching object.¶
Canonical DNS-first lookup and HTTPS-only lookup are not strictly
ordered by security strength; they trade different risks.
HTTPS-only lookup is resilient to TXT-record attacks but depends on
apex-hostname resolution plus the public CA trust system; a DNS
redirect combined with TLS misissuance defeats it.
domain_authorized_issuer in the inline form is resilient to TLS
misissuance against the apex because the authority artifact is the
TXT record itself; an attacker needs DNS-write or DNSSEC-bypass
capability. The DNS pointer form and HTTPS fallback inherit
TLS-misissuance risk on the pointed-at host while also depending
on DNS for selection.¶
A Subject Authority with strong DNSSEC and weak TLS-issuance controls favors the inline DNS form. A Subject Authority with strong CAA/CT monitoring and limited DNS control favors HTTPS-only.¶
The framework supports an HTTPS-hosted Issuer Authorization Policy at a well-known URL on the Subject Authority's host. This serves two purposes:¶
Backward-compatibility runway. Subject Authorities that
cannot or do not yet operate the DNS record can participate via
HTTPS publication only. The lookup procedure consults the HTTPS
well-known URL when the DNS query returns
negative-authoritative (Section 5).¶
Richer policy expression. The HTTPS form supports the full Issuer Authorization Policy JSON schema (validity windows, tenant binding, format restrictions) that the inline DNS form cannot express.¶
DNS remains the entry point; HTTPS is consulted only as fallback
when the DNS query returns negative-authoritative. This preserves
the DNS-authority pattern as the primary channel while
accommodating deployment variations.¶
This appendix is non-normative. It sketches features intentionally deferred from this document; future specifications may register them.¶
Monitor mode (Section 6.1) relies on consumer-side logging with
out-of-band delivery to the Subject Authority. A future extension can
define an aggregate reporting mechanism, analogous to DMARC's rua:
a policy member naming a reporting endpoint, a report format
(observed issuers, match/mismatch counts, time window), and delivery
requirements. It is deferred because report formats and transport
carry privacy and abuse considerations (a reporting endpoint learns
which Resource Authorization Servers a namespace's users sign in to,
concentrating the metadata discussed in Section 10) that deserve
their own document.¶
An authorized_issuers entry authorizes an issuer for a namespace
without constraining which Resource Authorization Servers may accept
the resulting assertions; a compromised-but-listed issuer can assert
the namespace's users to any consumer ([TRUST-FRAMEWORK] §Scope of
Namespace Authorization). A future permitted_audiences member on
entries would let a Subject Authority bound that blast radius by
enumerating or pattern-matching acceptable audiences. It is deferred
because audience identifiers are grant-profile-specific and an
enumerable audience set does not exist for the open-world deployments
this mechanism targets; a workable design likely needs audience
patterns and an interaction rule with the assertion's aud claim.¶
The Email Verification Protocol [I-D.hardt-email-verification]
defines a DNS TXT record at _email-verification.{domain} whose
iss= value names an authorized issuer for the namespace, using
a bare hostname rather than a full HTTPS issuer identifier. A
future Trust Method (provisionally email_verification_dns)
could let a Resource Authorization Server honor those records
without requiring the Subject Authority to also publish an
_oauth-issuer-policy record.¶
The bridge is deferred because it forces the reader to learn a
second record format, a different issuer-identifier shape
(bare-origin only, no path component), and a different
email-domain semantics (the Email Verification Protocol parses
the email's raw domain part, whereas this document normalizes to
the registrable domain via the Public Suffix List). It is also
deferred because [I-D.hardt-email-verification] is progressing
on its own timeline independent of this document. Deployments wanting the bridge can either publish
both records (an _oauth-issuer-policy record satisfying
domain_authorized_issuer plus their existing
_email-verification record for other consumers) or wait for the
future Trust Method specification.¶
The same DAI records that let a Resource Authorization Server
verify an assertion can also let a client discover which Assertion
Issuer is authoritative for a subject identifier's namespace
before any assertion exists: given alice@acme.example, a client
can query _oauth-issuer-policy.acme.example, retrieve the Issuer
Authorization Policy, and resolve an authorized issuer's
authorization server metadata to find its token endpoint (entry
order carries no semantics, so issuer selection would need to be
specified by the profiling document).¶
This client-side use case is deferred from the first version of DAI because it adds a second mental model (back-channel discovery vs. verification at token exchange), introduces privacy concerns distinct from verification (the discovery query reveals the queried Subject Authority to DNS resolvers and to the policy host before any user interaction), and is not on the Resource Authorization Server implementer's critical path. A future specification can profile the discovery flow with appropriate privacy guidance and integration with OAuth Authorization Server Metadata [RFC8414] and OpenID Connect Discovery [OIDC-DISCOVERY].¶
This appendix is non-normative and will be removed before publication.¶
-00¶
initial draft¶