| Internet-Draft | Mission Status | June 2026 |
| McGuinness | Expires 25 December 2026 | [Page] |
The Mission-Bound Authorization for OAuth 2.0 profile
[I-D.draft-mcguinness-oauth-mission] (the "issuance profile") binds
issued authority to a durable, human-approved Mission and gates
issuance on Mission state, but it observes Mission state only through
token lifetime and optional token introspection. This document
defines the Mission state-management surfaces it defers: a canonical
Mission Status operation (keyed by mission_id), a management
endpoint for explicit lifecycle transitions (revoke, suspend, resume,
complete), graduated revocation-enforcement classes, and signed
status evidence. Each capability is independently optional; an
implementation MAY adopt any subset, and one that adopts none remains
a conforming issuance profile. This document does not restate the base
profile.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://mcguinness.github.io/draft-mcguinness-oauth-mission/draft-mcguinness-oauth-mission-status.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-mcguinness-oauth-mission-status/.¶
Source for this draft and an issue tracker can be found at https://github.com/mcguinness/draft-mcguinness-oauth-mission.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 25 December 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The issuance profile [I-D.draft-mcguinness-oauth-mission] makes a
Mission a first-class OAuth artifact: a structured, human-approved,
integrity-bound task whose authority bounds and outlives every token
an agent derives. It is, by design, a minimum-viable issuance layer.
It gates derivation on Mission state, carries the mission claim on
every derived token, and offers only OPTIONAL token introspection
([I-D.draft-mcguinness-oauth-mission], Section "Mission State via
Token Introspection") as a way for a Resource Server to observe
Mission state. It explicitly leaves the canonical Mission Status
surface (keyed by mission_id), a standardized management endpoint
for lifecycle transitions, signed status evidence, and graduated
revocation enforcement to future work.¶
This document specifies those deferred surfaces as OPTIONAL extensions that build on the issuance profile. The capabilities are:¶
A dedicated Mission Status operation
(Section 3), which any consumer holding a mission_id
resolves, with responses signed as a JWS [RFC7515].¶
An extension to OAuth token introspection that carries a Mission projection, which a deployment MAY return as a [RFC9701]-signed response (Section 4).¶
A Mission Lifecycle endpoint (Section 5)
for explicit revoke, suspend, resume, and complete
transitions, distinct from [RFC7009] token revocation.¶
Revocation Enforcement Classes (Section 6) that let a deployment advertise how promptly Mission state changes take effect.¶
Authorization Server metadata members (Section 7) advertising the endpoints and classes above.¶
Each capability is independently optional. An implementation states which it supports through the metadata of Section 7 and the conformance language of Section 10. An implementation that supports none of them is unaffected and remains a conforming issuance profile.¶
This document does not restate the base profile. The Mission Intent,
authority derivation, the mission_resource_access authorization
details type, the mission claim, the integrity anchors, Mission-bound
token issuance, the subset rule, and lifecycle gating are all defined
in [I-D.draft-mcguinness-oauth-mission] and are referenced, not
re-specified, here.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document uses the terms defined in the issuance profile
[I-D.draft-mcguinness-oauth-mission], in particular Mission,
Mission Issuer (Authorization Server, the Mission origin), Resource
AS, Authority Set, the mission claim, mission_id, and the
mission_resource_access authorization details type. It additionally
uses:¶
A signed payload returned by the dedicated Mission Status operation (Section 3), reporting a Mission's current state and the audience-scoped evidence a consumer needs.¶
All JSON shown in this document is non-normative and illustrative; the member definitions in the surrounding text are authoritative. HTTP message examples follow the conventions of [RFC9110]; long URLs and form parameters are wrapped for display. JWT and JWS examples are shown as decoded JSON with separate header objects; on the wire the JWS Compact Serialization [RFC7515] applies.¶
This section is OPTIONAL. The issuance profile's stateless baseline needs no dedicated status surface ([I-D.draft-mcguinness-oauth-mission], Section "Mission Lifecycle and Gating"); a deployment that does not stand up this operation, and a consumer that does not use it, are unaffected.¶
The dedicated Mission Status operation is the canonical status surface
the issuance profile defers. Unlike token introspection
(Section 4), which answers "is this
token's authorization still good," the Status operation answers "what
is the state of this Mission" keyed by the mission_id alone. Any
consumer holding a mission_id -- including an auditor or a
cross-domain Resource AS -- resolves it without holding a token the AS
issued.¶
The Mission Issuer publishes its Mission Status endpoint URL in
Authorization Server metadata (Section 7) as
mission_status_endpoint, which a consumer resolves from a
credential's mission.origin. The endpoint MUST be served over TLS
1.2 or later (TLS 1.3 RECOMMENDED), following the recommendations of
[RFC9325].¶
The request is an HTTPS POST with an
application/x-www-form-urlencoded body containing:¶
mission:REQUIRED. A string. The canonical mission_id.¶
audience:REQUIRED. A string. The audience identifier of the requesting consumer.¶
nonce:REQUIRED. A string. A client-generated nonce binding the
response to this request. It MUST be unique per request within the
response lifetime; a consumer MUST reject a response whose nonce
does not equal the one it sent. This is a standard client challenge:
echoing it in the signed response anti-replay-binds that response to
this specific request.¶
The request MUST be authenticated. The AS MUST support, and the client MUST use, exactly one of the following per request:¶
mTLS client authentication [RFC8705]. The AS validates the
client's X.509 certificate against its configured trust anchors and
the client's registered tls_client_auth metadata.¶
DPoP-bound bearer token [RFC9449]. The client presents a
Mission-Status-scoped DPoP-bound token in the Authorization
header with a DPoP proof header; the token's cnf.jkt MUST match
the proof key thumbprint.¶
Private-key-JWT client authentication [RFC7523]. The client
presents a signed JWT assertion as client_assertion.¶
Plain Basic or POST client authentication MUST NOT be used for this
endpoint. The AS MUST refuse a request not authenticated by one of the
three mechanisms with unauthorized (HTTP 401). The AS advertises the
supported mechanisms under mission_status_auth_methods_supported
(Section 7).¶
On success the AS returns a JWS Compact Serialization [RFC7515]
signed with a key published in the AS's jwks_uri. The JWS header
carries typ of application/mission-status-response+jwt (registered
in Section 11) and a kid identifying the signing key.¶
[RFC9701] signed introspection responses are scoped to token
introspection and do not apply to a lookup keyed by mission_id; the
dedicated operation therefore uses a new media type and a JWS, not
[RFC9701] (see Section 8.4). Implementations MUST NOT
use [RFC9701] for the dedicated operation.¶
The signed payload reports the Mission's current state and the audience-scoped evidence the consumer needs.¶
Decoded JWS header:¶
{
"alg": "ES256",
"kid": "sa-key-2026-q3",
"typ": "application/mission-status-response+jwt"
}
¶
Decoded JWS payload:¶
{
"iss": "https://as.example.com",
"aud": "https://erp.example.com",
"sub": "client_erp-recon-agent",
"nonce": "nonce_K9pV4nT2sR7mB1xQ",
"iat": 1797840000,
"exp": 1797840060,
"mission": {
"id": "msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-",
"origin": "https://as.example.com",
"authority_hash":
"sha-256:l3KvZ4mP5x0wQrR6tY2nD9bM7sX1cF8gH2vJ4kE5pNQ",
"state": "active",
"expires_at": "2026-11-02T08:15:00Z",
"policy_version": "deploy-policy:v17",
"mission_expiry": "2026-12-31T23:59:59Z",
"version": 1
},
"authorization_details": [
{ "type": "mission_resource_access",
"resource": "https://erp.example.com",
"actions": ["invoices.read", "journal-entries.write"] }
]
}
¶
The members are:¶
The signed JWT envelope iss, aud, sub, nonce, iat, exp.
The aud is the response's audience binding and the nonce its
request binding. exp bounds the validity of the signed response
itself; how long the consumer MAY rely on the reported state is
given separately by mission.expires_at below.¶
mission: the mission object, the same shape as the mission
claim of [I-D.draft-mcguinness-oauth-mission] (Section "The
mission Claim") with status members added. It carries:¶
id, origin: the subject Mission's identifier and origin.¶
authority_hash: the issuance profile's consent commitment over
the Authority Set ([I-D.draft-mcguinness-oauth-mission], Section
"Integrity Anchors").¶
state: the current Mission lifecycle state. With this extension
the state space is active, revoked, expired
([I-D.draft-mcguinness-oauth-mission], Section "Mission Lifecycle
and Gating"), extended with suspended and completed when the
Mission Lifecycle endpoint (Section 5) is
deployed.¶
expires_at: an [RFC8259] string giving the point until which
the consumer MAY rely on the reported state without re-checking,
governing caching (Section 3.5). It is
report-freshness metadata, carried in mission so it travels with
state even on the introspection projection, which has no signed
envelope to carry it (Section 4).¶
policy_version, mission_expiry, version: the derivation
policy version, the Mission expiry, and the Mission record version
at the time of the response.¶
authorization_details: the audience-scoped Authority Set entries
relevant to the requesting audience, as the mission_resource_access
shape of [I-D.draft-mcguinness-oauth-mission] (Section "Mission
Authority"), carried at the top level as a sibling of mission (as
on the token and in the introspection response). Entries addressed
to other audiences MUST NOT be disclosed.¶
A consumer MUST verify, before honoring a response:¶
the JWS signature against a current jwks_uri entry for the
origin AS;¶
iss equals the expected AS issuer URL;¶
aud equals the consumer's own audience identifier;¶
sub equals the requesting client's identifier;¶
nonce equals the request's nonce; and¶
iat is not in the future and exp is not in the past, with up to
30 seconds clock-skew tolerance.¶
Consumers SHOULD cache a response keyed on (mission_id, audience)
until mission.expires_at. Consumers MUST NOT use a cached response
after mission.expires_at, with up to 30 seconds skew tolerance for
the active state only and no tolerance for terminal states.¶
Consumers SHOULD honor a stale-while-revalidate window of up to twice
the response lifetime when the AS is unreachable, provided deployment
policy permits degraded-mode operation within the AS's advertised
mission_max_stale_seconds (Section 7).¶
A mission_id is never a bearer capability. The AS MUST authenticate
the requester and authorize it for the requested mission_id and
audience.¶
Unknown mission_id values and known-but-unauthorized references MUST
produce indistinguishable responses (HTTP 404 with a generic
not-found body; see Section 3.7). The AS MUST NOT vary
response timing, payload size, or headers in a way that distinguishes
the two cases.¶
Mission Status responses use the following symbols, mapped to HTTP
status codes. ok, terminated, and suspended are successful
outcomes returned with a signed Mission Status Response; the remaining
symbols are hard errors. The body of a hard error is a JSON object
[RFC8259].¶
| Symbol | HTTP | Description |
|---|---|---|
ok
|
200 | Mission found and visible. |
unauthorized
|
401 | Request not authenticated. |
not_found
|
404 | Reference does not exist OR is not visible. |
terminated
|
200 | Mission is revoked, completed, or expired. |
suspended
|
200 | Mission is suspended. |
rate_limited
|
429 | Consumer is rate-limited. |
unavailable
|
503 | AS temporarily cannot serve status. |
Terminal and suspended states return HTTP 200 with the signed Mission
Status Response carrying state. Hard errors (unauthorized,
not_found, rate_limited, unavailable) return the matching HTTP
status with a JSON body:¶
The body MUST contain error, error_description, and nonce, and
MUST NOT contain any member that would let a caller distinguish
unknown from unauthorized references. For rate_limited, the response
SHOULD include a Retry-After header [RFC9110] and a retry_after
body member in seconds.¶
This section is OPTIONAL and is a thin delta over the token
introspection of [I-D.draft-mcguinness-oauth-mission] (Section
"Mission State via Token Introspection"). That section already
defines a mission member on the introspection response carrying
id, origin, authority_hash, and (from the Mission origin) the
lifecycle state, together with the caller-authorization,
minimization, and origin-only-reports-state rules. This document does
not restate those rules.¶
This extension adds the following to that projection:¶
An introspection response that carries a Mission projection is
protected by TLS, as for token introspection generally
([I-D.draft-mcguinness-oauth-mission], Section "Mission State via
Token Introspection"). Where the projection's integrity and origin
need to be verifiable independently of the transport -- for example
when the response transits intermediaries or is retained for audit --
the AS SHOULD return it as a [RFC9701]-signed response, advertised
through the standard introspection_signing_alg_values_supported
metadata [RFC8414].¶
When the responding AS is the Mission origin, the projection MAY
additionally carry expires_at, an [RFC8259] string giving the
point until which the consumer MAY rely on the reported state
without re-checking, governed by the caching rule of
Section 3.5.¶
This projection and the dedicated Mission Status Response
(Section 3.4) carry Mission facts in a mission object
of the same shape: the open mission claim object of
[I-D.draft-mcguinness-oauth-mission] (Section "The mission Claim")
with status members (state, expires_at, and, on the dedicated
response, policy_version, mission_expiry, version) added. This
projection populates the subset a token-holding consumer needs; the
dedicated response populates more. Either way a consumer reads the
same fact from the same place.¶
Example [RFC9701]-signed introspection response (decoded payload),
for a token whose Mission is active:¶
{
"iss": "https://as.example.com",
"aud": "https://erp.example.com",
"iat": 1797840000,
"exp": 1797840060,
"active": true,
"client_id": "s6BhdRkqt3",
"sub": "user_3p2q8mN1a0kV7tR",
"scope": "openid",
"mission": {
"id": "msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-",
"origin": "https://as.example.com",
"authority_hash":
"sha-256:l3KvZ4mP5x0wQrR6tY2nD9bM7sX1cF8gH2vJ4kE5pNQ",
"state": "active",
"expires_at": "2026-11-02T08:15:00Z"
}
}
¶
A consumer holding only a mission_id, or one that needs signed
evidence independent of a specific token (an auditor or a cross-domain
Resource AS), uses the dedicated Mission Status operation
(Section 3); the introspection projection is purely a
same-call convenience for token-holding consumers and is never the
sole Mission Status path.¶
This section is OPTIONAL. The issuance profile lets the Subject,
Approver, or an administrator revoke a Mission by an authenticated,
deployment-defined means and defers a standardized management API and
the richer suspend, resume, and complete operations
([I-D.draft-mcguinness-oauth-mission], Section "Revocation"). This
section standardizes that management surface.¶
The AS publishes its Mission Lifecycle endpoint URL in Authorization
Server metadata (Section 7) as mission_lifecycle_endpoint,
distinct from [RFC7009] token revocation. The endpoint MUST be
served over TLS 1.2 or later (TLS 1.3 RECOMMENDED), following the
recommendations of [RFC9325].¶
Adopting this endpoint extends the issuance profile's lifecycle state
space ([I-D.draft-mcguinness-oauth-mission], Section "Mission
Lifecycle and Gating") with two additional states: suspended (a
non-terminal paused Mission that derives no tokens until resumed) and
completed (a terminal state recording successful completion).
Issuance gating treats any state other than active as
non-deriving, exactly as the base profile gates on active.¶
The endpoint accepts authenticated POST requests with a form-urlencoded body:¶
mission:REQUIRED. A string. The canonical mission_id.¶
operation:REQUIRED. A string. One of revoke, suspend,
resume, complete.¶
reason:OPTIONAL. A string. A human-readable reason recorded in audit, maximum 1024 characters.¶
nonce:REQUIRED. A string. A client-generated nonce.¶
The operations are:¶
The lifecycle endpoint uses the same authentication mechanisms as the
Mission Status endpoint (Section 3.2): mTLS,
DPoP-bound bearer, or private-key JWT. The AS advertises the supported
mechanisms under mission_lifecycle_auth_methods_supported
(Section 7).¶
Revoke request:¶
Revoke success response: the AS returns the updated status as a signed Mission Status Response (Section 3.4):¶
Decoded JWS payload:¶
{
"iss": "https://as.example.com",
"aud": "https://erp.example.com",
"sub": "user_3p2q8mN1a0kV7tR",
"nonce": "nonce_8Y3vN0sM6tP1xR9bQ5",
"iat": 1797843200,
"exp": 1797843260,
"mission": {
"id": "msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-",
"origin": "https://as.example.com",
"authority_hash":
"sha-256:l3KvZ4mP5x0wQrR6tY2nD9bM7sX1cF8gH2vJ4kE5pNQ",
"state": "revoked",
"expires_at": "2026-11-02T09:11:40Z",
"policy_version": "deploy-policy:v17",
"mission_expiry": "2026-12-31T23:59:59Z",
"version": 2
}
}
¶
The AS records the operation, actor, time, and any reason in its
audit log; the response confirms the outcome through state and the
incremented version, which advances on each AS-recorded state change.¶
Lifecycle operations MUST be idempotent on the pair (mission,
operation). A repeated request that does not change state returns
success without side effect, returning the current Mission Status
Response.¶
A Mission revocation through this endpoint cascades to credentials
derived from the Mission per the AS's advertised enforcement classes
(Section 6). The AS MAY additionally invoke
[RFC7009] token revocation for specific outstanding tokens when it
knows their jti. [RFC7009] alone does NOT revoke a Mission; the
lifecycle endpoint is the authoritative Mission state change.¶
This section is OPTIONAL. The issuance profile bounds outstanding self-contained tokens by their lifetime and OPTIONAL token introspection ([I-D.draft-mcguinness-oauth-mission], Section "Revocation"). This section lets a deployment advertise, in graduated classes, how promptly a Mission state change takes effect at the Resource Server, so a consumer can choose a token lifetime and enforcement posture to match.¶
A deployment advertises its enforcement classes under
mission_enforcement_classes_supported (Section 7). The defined
classes are:¶
issuance: Mission state is consulted at each derivation event
(the token endpoint, refresh, Token Exchange). Already-issued,
self-contained tokens are NOT invalidated; they remain valid until
natural expiry. This is the issuance profile's baseline behavior.¶
introspection: token introspection
(Section 4) returns active: false for a token
whose Mission state disallows use, even if the token itself has not
expired.¶
event_driven: the Mission Issuer emits Mission lifecycle
Security Event Tokens that propagate state changes to consumers over
a Shared Signals stream, as defined in
[I-D.draft-mcguinness-oauth-mission-signals].¶
per_request: high-assurance Resource Servers query the Mission
Status operation (Section 3) or validate sufficiently fresh
state for each consequential request.¶
A deployment also advertises mission_max_stale_seconds
(Section 7), the maximum tolerated interval for revocation
propagation.¶
Where Mission revocation propagation matters but only the issuance
class is deployed, Mission-bound access tokens SHOULD use TTLs aligned
with the declared mission_max_stale_seconds. Standard OAuth defaults
(3600 seconds) may be too long; 60 to 300 seconds is typical for
issuance-only deployments where revocation matters. Deployments with
event_driven or per_request enforcement MAY use longer TTLs
because revocation propagates out of band.¶
This section is OPTIONAL and applies only to a deployment that adopts
one or more of the extensions above. An AS advertises the surfaces it
supports through the following members of its Authorization Server
metadata document [RFC8414], in addition to the issuance profile's
mission_bound_authorization_supported
([I-D.draft-mcguinness-oauth-mission], Section "Authorization Server
Metadata"). Unlike the issuance profile, which advertises only that
boolean, this document defines OAuth AS metadata members for the
endpoints and classes it introduces, so a consumer discovers them
through standard [RFC8414] discovery.¶
mission_status_endpoint:OPTIONAL. A string containing a URL. The URL of the dedicated Mission Status operation (Section 3). Present when the AS supports it.¶
mission_status_auth_methods_supported:OPTIONAL. An array of strings. The authentication mechanisms the Status endpoint
accepts, each one of mtls, dpop_bearer, private_key_jwt
(Section 3.2).¶
mission_lifecycle_endpoint:OPTIONAL. A string containing a URL. The URL of the Mission Lifecycle endpoint (Section 5). Present when the AS supports it.¶
mission_lifecycle_auth_methods_supported:OPTIONAL. An array of strings. The authentication mechanisms the Lifecycle endpoint accepts, with the same value space as the Status methods.¶
mission_enforcement_classes_supported:OPTIONAL. An array of strings. One or more of issuance, introspection,
event_driven, per_request (Section 6).¶
mission_max_stale_seconds:OPTIONAL. An integer. The maximum tolerated interval, in seconds, for revocation propagation (Section 6).¶
DPoP and mTLS support for issued credentials are read from the
standard dpop_signing_alg_values_supported [RFC9449] and
tls_client_certificate_bound_access_tokens [RFC8705] metadata;
this document defines no separate sender-constraint member. When the
introspection projection (Section 4) is signed, the
signing is discovered through the standard
introspection_signing_alg_values_supported metadata.¶
A discovery response from
https://as.example.com/.well-known/oauth-authorization-server,
showing the issuance profile members plus the extension members of
this document:¶
The security considerations of the issuance profile [I-D.draft-mcguinness-oauth-mission] apply in full. This section covers threats specific to the extensions defined here.¶
Per the anti-oracle property (Section 3.6), the AS
MUST NOT let a caller distinguish an unknown mission_id from a
known-but-unauthorized one at the Status or Lifecycle endpoint. The
error shape of Section 3.7 mitigates this by requiring
identical body content, identical HTTP status, and timing- and
size-invariance between the two cases. An implementation that leaks
the distinction exposes the Mission space to enumeration.¶
A Mission Status Response is bound to (caller sub, audience,
nonce, issuance time). Replay against a different caller or audience,
or beyond mission.expires_at, is detectable by signature
verification and by verifying the bindings; a consumer MUST verify all
six checks of Section 3.4 before honoring a response. A
response cached and replayed by the same caller within
mission.expires_at is equivalent to a fresh response; a consumer MUST NOT use a cached response after mission.expires_at, with the skew
tolerance of Section 3.5.¶
The Status endpoint is on the consumption path of every Mission-bound
credential validation in deployments with per_request enforcement.
The AS MUST implement per-consumer rate limiting (returning
rate_limited, Section 3.7) and SHOULD encourage
consumer-side caching (Section 3.5) to reduce traffic.¶
When the introspection projection is signed
(Section 4), it uses [RFC9701], which is scoped to
token introspection. The dedicated Mission Status operation uses a new
media type (application/mission-status-response+jwt, Section 11) and a
JWS [RFC7515], because [RFC9701] does not apply to a lookup keyed by
mission_id. Implementations MUST NOT use [RFC9701] for the
dedicated operation, and MUST NOT accept an unsigned response from the
dedicated Mission Status operation in place of the signed form it
requires.¶
The AS signs Mission Status and Lifecycle responses with a key from
its jwks_uri. The AS MUST retain the public JWK for every kid it
has signed such a response under, indexed by kid, for at least the
Mission record retention period -- even after the key is rotated out
of the live jwks_uri -- so an archived
application/mission-status-response+jwt remains verifiable for audit
and dispute. The AS MAY expose retired verification keys through a
deployment-defined audit interface but MUST NOT serve them as active
keys at jwks_uri.¶
This document inherits OAuth 2.0 Best Current Practice [RFC9700] for the OAuth surfaces it composes with; implementers MUST follow current OAuth security guidance.¶
The privacy considerations of the issuance profile [I-D.draft-mcguinness-oauth-mission] apply in full. This section covers privacy specific to the extensions here.¶
The Mission Status operation (Section 3) and the
introspection projection (Section 4) disclose
Mission state, the
authority_hash, and the audience-scoped authorization_details to
the authenticated, authorized requester. A deployment MUST treat both
as Mission information-disclosure surfaces with the same privacy
posture, audience-filtering the disclosed authority so a consumer
never sees entries addressed to other audiences
(Section 3.4).¶
The AS records Status and Lifecycle requests -- containing
mission_id, audience, caller, and timing -- in audit logs.
Deployments MUST treat these logs as PII sinks per the issuance
profile's privacy considerations.¶
An implementation conforms to the issuance profile [I-D.draft-mcguinness-oauth-mission] first. Each extension in this document is independently OPTIONAL; an implementation names the ones it supports (for example, "issuance profile with Mission Status and Mission Lifecycle"), and an implementation that supports none of them is still a conforming issuance profile.¶
An implementation claiming an extension MUST meet its requirements:¶
Mission Status: serve the dedicated Mission Status operation
(Section 3) with JWS-signed responses
(application/mission-status-response+jwt), the authentication of
Section 3.2, the anti-oracle property
(Section 3.6), and the error shape of
Section 3.7; and advertise mission_status_endpoint.¶
Introspection projection: carry the Mission projection on the introspection response (Section 4), returning it as a [RFC9701]-signed response where end-to-end integrity is required.¶
Mission Lifecycle: serve the management endpoint
(Section 5), gate the suspended and
completed states it introduces exactly as the base profile gates
on non-active state, and advertise mission_lifecycle_endpoint.¶
Revocation Enforcement Classes: honestly advertise the classes
it implements (Section 6) and
mission_max_stale_seconds.¶
This document requests IANA actions for OAuth AS metadata members and a media type. It defines no new registry: the authentication-method and enforcement-class value spaces are closed sets defined inline; a registry is the natural vehicle should future revisions need enforcement-class extensibility.¶
IANA is requested to register one media type per [RFC6838].¶
Type name: application¶
Subtype name: mission-status-response+jwt¶
Required parameters: none¶
Optional parameters: none¶
Encoding considerations: binary; JWS Compact Serialization¶
Interoperability considerations: see this document¶
Published specification: this document¶
Applications that use this media type: OAuth Mission-Bound consumers¶
Fragment identifier considerations: not applicable¶
Restrictions on usage: none¶
Provisional registration: no¶
Magic number(s): none¶
File extension(s): none¶
Macintosh file type code(s): none¶
Person & email address to contact: Karl McGuinness public@karlmcguinness.com¶
Intended usage: COMMON¶
Author/Change controller: IETF¶
This document registers no new Well-Known URI. The metadata members of
Section 7 are added to the OAuth Authorization Server Metadata
document at /.well-known/oauth-authorization-server [RFC8414].¶
The author thanks the implementers and reviewers of the Mission-Bound Authorization work for feedback that shaped these extensions.¶