Internet-Draft OAuth Mission Cross-Domain July 2026
McGuinness Expires 8 January 2027 [Page]
Workgroup:
Web Authorization Protocol
Internet-Draft:
draft-mcguinness-oauth-mission-cross-domain-latest
Published:
Intended Status:
Standards Track
Expires:
Author:
K. McGuinness
Independent

Mission Cross-Domain Projection for OAuth 2.0

Abstract

The Mission-Bound Authorization for OAuth 2.0 profile binds issued authority to a durable, human-approved Mission held by a single Authorization Server, the Mission Issuer. This document specifies that profile's optional cross-domain projection: a single hop that lets an Authorization Server in another trust domain, a Resource AS, honor a Mission it did not issue. The Mission Issuer projects audience-scoped Mission authority in a short-lived, sender-constrained cross-domain grant of the OAuth identity chaining architecture; the Resource AS validates the grant and mints its own local tokens, preserving the Mission binding unchanged. The Identity Assertion Authorization Grant (ID-JAG) is the recommended grant profile. Single-domain deployments of the base profile are unaffected by this document.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-oauth-mission-cross-domain.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-mcguinness-oauth-mission-cross-domain/.

Source for this draft and an issue tracker can be found at https://github.com/mcguinness/mission-bound-authorization.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 8 January 2027.

Table of Contents

1. Introduction

The issuance profile [I-D.draft-mcguinness-oauth-mission] makes a Mission a durable, human-approved, integrity-bound OAuth authorization artifact: one Authorization Server, the Mission Issuer, approves it, records it, and derives every token under it. That profile is deliberately single-domain: the AS that holds the Mission is the AS that issues for it.

Real tasks cross trust domains. An agent reconciling invoices may need a partner's ERP, behind a partner Authorization Server the home AS does not control and whose accounts it does not manage. This document specifies cross-domain projection: the originating Mission Issuer projects a Mission's authority, audience-scoped and integrity-anchored, to an Authorization Server in another trust domain, which honors it by minting local tokens for its own resources. The projection is a single hop, issuer to Resource AS; chaining a Mission across more than one trust-domain boundary remains future work ([I-D.draft-mcguinness-oauth-mission], Section "Non-Goals").

Two roles carry the model. The Mission Issuer (the Mission's issuer) remains the only party that creates, holds, and gates the Mission. A Resource AS honors a Mission it did not issue: it validates the projected grant, applies its own local policy, and mints its own tokens, preserving the Mission binding unchanged. A Resource AS is never the Mission Issuer.

2. Status: An OPTIONAL Extension

This document is the Cross-Domain capability named by the base profile's conformance model ([I-D.draft-mcguinness-oauth-mission], Section "Conformance"). The capability is OPTIONAL: a deployment whose Missions never leave their issuing AS does not implement this document, and the base profile is complete without it.

Two external dependencies set its deployment posture. The OAuth identity chaining architecture [I-D.draft-ietf-oauth-identity-chaining] is approved for publication and in the RFC Editor queue; the Identity Assertion Authorization Grant [I-D.draft-ietf-oauth-identity-assertion-authz-grant] is a working-group document. This document profiles them and cannot advance ahead of them; confining them here keeps the base profile free of in-progress cross-domain dependencies.

3. Conventions and Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

This document uses the terms of the base profile [I-D.draft-mcguinness-oauth-mission]: Mission, Mission Issuer (the Mission's issuer), Mission Intent, Authority Set, Subject, mission claim, derived token, derivation, the subset rule, and lifecycle gating. Authority Set entries are [RFC9396] authorization_details objects. All JSON shown in this document is non-normative and illustrative; the member definitions in the surrounding text are authoritative.

Resource AS:

An Authorization Server in another trust domain that honors a Mission it did not issue, minting its own tokens for its resources from a cross-domain grant. A Resource AS is never the Mission Issuer.

Cross-domain grant:

The short-lived JWT authorization grant the Mission Issuer issues toward a Resource AS (Section 6), carrying audience-scoped Mission authority and the mission claim. It is a Mission-bound token in the sense of the base profile.

Local token:

An access token a Resource AS mints for its own resources from a cross-domain grant (Section 7).

4. Cross-Domain Projection

A Mission is approved and held by one Mission Issuer (its issuer). This document lets a single Mission be honored by Authorization Servers in other trust domains, so a Mission can span more than one AS, using the cross-domain authorization grant of the OAuth identity chaining architecture [I-D.draft-ietf-oauth-identity-chaining]: the issuer AS issues, through an [RFC8693] token exchange, a short-lived JWT authorization grant audienced to the target Authorization Server, which the client redeems there with the [RFC7523] JWT-bearer grant.

This document calls that artifact the cross-domain grant and attaches Mission context to it (Section 6). The Identity Assertion Authorization Grant (ID-JAG) [I-D.draft-ietf-oauth-identity-assertion-authz-grant] is the RECOMMENDED profile of the cross-domain grant, and every example in this document uses it; another identity-chaining JWT authorization grant profile that meets the requirements of Section 6 MAY be used instead. Where a requirement elsewhere in this document names the ID-JAG, it is illustrating with the recommended profile and applies equally to any conforming cross-domain grant.

This document is a thin Mission-bound profile of the cross-domain grant, not merely mission-claim carriage: beyond attaching and validating Mission context, it imposes two security requirements on the grant for Mission-bound use, proof-of-possession and single use (Section 6, Section 7). The grant's own format, signing, and token-exchange envelope remain defined by the cross-domain grant profile (ID-JAG in the recommended case) and its underlying [RFC8693] and [RFC7523]; this document does not redefine them. The two added requirements are a floor: the cross-domain grant is the highest-authority credential crossing a trust boundary, and its profile does not by itself guarantee them.

In this model there is exactly one Mission Issuer per Mission (the issuer) and one or more Resource ASes in other domains that mint their own tokens for their resources. A Resource AS is never the Mission Issuer and MUST NOT create or alter a Mission.

5. Audience-Scoped Authority

When projecting authority toward a Resource AS, the Mission Issuer includes only the Authority Set entries whose resource that Resource AS is authoritative for, under the deployment's resource-to-AS mapping. Entries for other Resource ASes MUST NOT be disclosed.

6. Issuing the Cross-Domain Grant

Issuing a cross-domain grant is a derivation event and is gated like any other derivation ([I-D.draft-mcguinness-oauth-mission], Section "Mission Lifecycle and Gating"). A Mission-bound cross-domain grant:

The ID-JAG profile meets these requirements and is RECOMMENDED; in it the artifact is the ID-JAG and the issuance request carries a requested_token_type of urn:ietf:params:oauth:token-type:id-jag.

The client obtains the grant with an [RFC8693] token exchange. The subject_token MUST be the Mission's refresh token, with subject_token_type of urn:ietf:params:oauth:token-type:refresh_token, and the audience identifies the target Resource AS. The refresh-token subject is this profile's deviation from the ID-JAG issuance request, which that specification defines over an identity-assertion subject_token (id_token or saml2); a Mission-bound deployment substitutes the Mission's grant so the exchange resolves a Mission rather than a bare subject assertion. This refresh-token mode is what binds the request to a Mission: the AS resolves the Mission from the presented grant per the base profile's grant binding ([I-D.draft-mcguinness-oauth-mission], Section "Binding the Mission to the Grant"), exactly as on any other refresh, and the grant therefore projects the agent's full Mission authority (audience-scoped), never a narrowed delegate's.

This profile intentionally fixes the refresh-token subject mode to remove any ambiguity about which Mission authority a cross-domain grant projects: the refresh token resolves to exactly one Mission and its full authority, whereas an access token or delegated token could carry a narrowed or actor-specific subset. The cost is that this optional cross-domain binding is unavailable to a deployment that issues no refresh token; such a deployment uses the single-domain base profile, which needs no refresh token.

The AS MUST reject an access token or a delegated token presented as subject_token for cross-domain issuance. The AS MUST NOT resolve the Mission from a client-supplied mission_id, nor from an identity assertion that carries no Mission binding.

Before issuing, the AS MUST verify the Mission is active (failing otherwise with invalid_grant) and that the target Resource AS is authorized for the requested resources under the Mission's Authority Set (failing otherwise with invalid_target, [RFC8693]). The token-exchange response carries issued_token_type of urn:ietf:params:oauth:token-type:id-jag (for the RECOMMENDED profile) and token_type of N_A, per [RFC8693] Section 2.2.1.

This profile defines only the refresh-token subject_token mode above. Other Mission-bound subject-token modes, such as an access-token subject mode (which would have to bound the projected authority by the presenting token rather than by the full Mission Authority Set), are left to future profiles. Excluding the access-token subject mode here is a deliberate choice: it avoids propagating a narrowed or delegated authority across a trust boundary, where it could be re-widened. A deployment that does not issue the agent a Mission refresh token therefore cannot use this OPTIONAL cross-domain hop as defined here.

A delegate, rather than the agent, crossing a trust domain directly and carrying its own narrowed authority into another domain is out of scope for this document and deferred to future work. Cross-domain issuance here always projects the agent's Mission authority; delegation within the target domain is performed by the Resource AS (Section 7). A sub-agent that must act in a different trust domain under its own narrowed authority is therefore not covered by a single hop; distributed multi-agent work across domains composes only through the agent's projected authority or through separate Missions per domain. A delegate-carries-its-own-authority mode is future work.

Two roles MUST NOT be conflated. The grant the client presents to obtain the cross-domain grant (the Mission's refresh token) is the input to the exchange and selects the Mission; the Mission-bound access token plays no part here. The identity the issued grant conveys to the Resource AS is the Mission's Subject, which the AS populates from the Mission's recorded subject and which the Resource AS resolves locally per the identity chaining rules (this document defines no cross-domain subject mapping, Section 7).

Sender-constraining is REQUIRED for the cross-domain grant, stronger than the RECOMMENDED level the base profile sets for the primary access token ([I-D.draft-mcguinness-oauth-mission], Section "Mission-Bound Access Tokens"): it is the highest-authority credential in the chain and the only one that crosses a trust boundary, and the underlying grant provides no replay backstop of its own.

7. Validation at the Resource AS

A Resource AS consuming a Mission-bound cross-domain grant:

A { "sub": ... } matcher in a conveyed entry's delegation.allowed_delegates is a client identifier in the originating AS's namespace and is not portable across the trust domain. When a Resource AS evaluates a conveyed entry, it MUST fail closed, narrowing the entry out, for any sub matcher it cannot resolve against the delegate it authenticated in its own namespace. Portable cross-domain matching SHOULD therefore use a sub_profile matcher, an actor-type class rather than a domain-relative identifier ([I-D.draft-mcguinness-oauth-mission], Section "Delegation Constraints").

This document does not define cross-domain subject mapping. A Resource AS consuming a Mission-bound cross-domain grant resolves the subject of any local token according to the cross-domain grant profile in use (the Identity Assertion Authorization Grant profile in the recommended case), the OAuth identity chaining architecture, and its local trust and account-linking policy. This document only requires that the Mission binding (mission.id, mission.issuer, and authority_hash) and the audience-scoped authorization_details remain bounded as described here.

Downstream, authority_hash is an immutable audit and correlation anchor to the originating AS's consent commitment. A Resource AS and its Resource Servers hold only the audience-scoped subset, never the full Authority Set, so they cannot recompute authority_hash ([I-D.draft-mcguinness-oauth-mission], Section "Integrity Anchors"); its integrity rests on the signature chain (the originating AS signs the ID-JAG; the Resource AS validates issuer trust and signs its local token). It is verifiable only against the originating AS, which this document does not require to be exposed.

8. Introspection at a Resource AS

The base profile's OPTIONAL token introspection ([RFC7662]) reports a mission response member, and only the Mission issuer reports the Mission's lifecycle state ([I-D.draft-mcguinness-oauth-mission], Section "Mission State via Token Introspection"). This section specifies the non-issuer half of that rule.

A Resource AS that supports introspection for a local token it minted from a cross-domain grant returns the claim-shape members only: id, issuer, and authority_hash. It holds the token, not the Mission: it knows the Mission state only as of grant validation and has no query to the issuer keyed by mission_id (neither this document nor the base profile defines one). It MUST omit mission.state rather than report a stale value as current. authority_hash, when included, is the issuer's commitment carried through the grant, not a value the Resource AS recomputes from its audience-scoped subset ([I-D.draft-mcguinness-oauth-mission], Section "Consent Binding").

9. Security Considerations

The security considerations of the base profile [I-D.draft-mcguinness-oauth-mission] and of the identity chaining architecture [I-D.draft-ietf-oauth-identity-chaining] apply.

9.1. Cross-Domain Revocation Latency

Single-domain revocation is prompt: the AS that issued a token also honors its revocation ([I-D.draft-mcguinness-oauth-mission], Section "Revocation"). The cross-domain case is strictly weaker. When a Mission is revoked at the originating AS, that AS can stop issuing new cross-domain grants, but it cannot revoke a token a Resource AS has already minted in another domain: that token remains valid until its own expiry. Cross-domain revocation latency is therefore the downstream token lifetime. For this reason, Resource ASes MUST issue short-lived local tokens for Mission-bound interactions; the originating AS bounds grant lifetimes by the 300-second cap of Section 6, so a revoked Mission cannot continue to seed new downstream tokens for long. The base profile's token introspection closes the revocation gap only single-domain: it requires the introspecting AS to hold the Mission, and a Resource AS has no query to the issuer keyed by mission_id (Section 8), so short downstream lifetimes remain the only cross-domain control. Deployments needing tighter cross-domain revocation can add the status or event-distribution mechanisms specified separately by Mission Status [I-D.draft-mcguinness-oauth-mission-status] and Mission Lifecycle Signals [I-D.draft-mcguinness-oauth-mission-signals], which this document does not require.

9.2. The Grant at the Trust Boundary

The cross-domain grant is the highest-authority credential in the chain and the only one that crosses a trust boundary. The requirements of Section 6 and Section 7 follow from that position: issuer trust is established by local policy or metadata, never inferred from a signed assertion's own mission.issuer; the grant is sender-constrained and one-time-use, because the underlying grant profile provides no replay backstop of its own; and everything the Resource AS honors is bounded by the audience-scoped entries the grant conveyed, interpreted fail-closed. Downstream of the issuer, authority_hash is an audit and correlation anchor, not a recomputable proof: its integrity rests on the signature chain (Section 7).

Two companion mechanisms compose here. The identity-assertion trust framework and its domain-authorized-issuer method ([I-D.draft-mcguinness-oauth-id-assertion-framework], [I-D.draft-mcguinness-oauth-domain-authorized-issuer]) are concrete ways a deployment publishes and evaluates the issuer policy this section requires, instead of a hand-maintained list. And a consumer that needs independently verifiable provenance of the delegation hops upstream of the re-mint, rather than trust in the minting domain's assertion of them, MAY require issuer-signed hop receipts ([I-D.draft-mcguinness-oauth-actor-receipts]).

10. Privacy Considerations

The cross-domain grant and every local token minted from it carry the canonical mission_id, mission.issuer, and authority_hash unchanged, so a Resource AS and its Resource Servers can correlate a Mission's activity across domains, and mission.issuer identifies the issuing AS to the partner domain. This is the deliberate correlation property of the base profile ([I-D.draft-mcguinness-oauth-mission], Section "Mission Identifier Correlation"), extended across the trust boundary. Audience scoping (Section 5) is the minimization measure: a Resource AS never sees Authority Set entries addressed to other audiences.

11. Conformance

An implementation conforms in one of two roles.

An Originating Mission Issuer with Cross-Domain is a conforming Mission Issuer of the base profile ([I-D.draft-mcguinness-oauth-mission], Section "Conformance") that additionally issues the Mission-bound cross-domain grant per Section 6, including the audience scoping of Section 5.

A Resource AS honors the cross-domain grant per Section 7 and, where it offers token introspection for its local tokens, follows Section 8. A Resource AS is not required to implement the base profile's Mission Issuer role; it never creates or alters a Mission (Section 4).

12. IANA Considerations

This document has no IANA actions. The mission JWT claim, the mission introspection response member, and the mission_resource_access authorization details type it carries are registered by the base profile [I-D.draft-mcguinness-oauth-mission].

13. References

13.1. Normative References

[I-D.draft-ietf-oauth-identity-assertion-authz-grant]
Parecki, A., McGuinness, K., and B. Campbell, "Identity Assertion JWT Authorization Grant", Work in Progress, Internet-Draft, draft-ietf-oauth-identity-assertion-authz-grant-04, , <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-identity-assertion-authz-grant-04>.
[I-D.draft-ietf-oauth-identity-chaining]
Schwenkschuster, A., Kasselman, P., Burgin, K., Jenkins, M. J., Campbell, B., and A. Parecki, "OAuth Identity and Authorization Chaining Across Domains", Work in Progress, Internet-Draft, draft-ietf-oauth-identity-chaining-16, , <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-identity-chaining-16>.
[I-D.draft-mcguinness-oauth-mission]
McGuinness, K., "Mission-Bound Authorization for OAuth 2.0", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-oauth-mission.html>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC7523]
Jones, M., Campbell, B., and C. Mortimore, "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants", RFC 7523, DOI 10.17487/RFC7523, , <https://www.rfc-editor.org/rfc/rfc7523>.
[RFC7662]
Richer, J., Ed., "OAuth 2.0 Token Introspection", RFC 7662, DOI 10.17487/RFC7662, , <https://www.rfc-editor.org/rfc/rfc7662>.
[RFC7800]
Jones, M., Bradley, J., and H. Tschofenig, "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)", RFC 7800, DOI 10.17487/RFC7800, , <https://www.rfc-editor.org/rfc/rfc7800>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8693]
Jones, M., Nadalin, A., Campbell, B., Ed., Bradley, J., and C. Mortimore, "OAuth 2.0 Token Exchange", RFC 8693, DOI 10.17487/RFC8693, , <https://www.rfc-editor.org/rfc/rfc8693>.
[RFC8705]
Campbell, B., Bradley, J., Sakimura, N., and T. Lodderstedt, "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens", RFC 8705, DOI 10.17487/RFC8705, , <https://www.rfc-editor.org/rfc/rfc8705>.
[RFC9396]
Lodderstedt, T., Richer, J., and B. Campbell, "OAuth 2.0 Rich Authorization Requests", RFC 9396, DOI 10.17487/RFC9396, , <https://www.rfc-editor.org/rfc/rfc9396>.
[RFC9449]
Fett, D., Campbell, B., Bradley, J., Lodderstedt, T., Jones, M., and D. Waite, "OAuth 2.0 Demonstrating Proof of Possession (DPoP)", RFC 9449, DOI 10.17487/RFC9449, , <https://www.rfc-editor.org/rfc/rfc9449>.

13.2. Informative References

[I-D.draft-ietf-oauth-transaction-tokens]
Tulshibagwale, A., Fletcher, G., and P. Kasselman, "Transaction Tokens", Work in Progress, Internet-Draft, draft-ietf-oauth-transaction-tokens-09, , <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-transaction-tokens-09>.
[I-D.draft-mcguinness-mission-runtime]
McGuinness, K., "Mission-Bound Runtime Enforcement", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-mission-runtime.html>.
[I-D.draft-mcguinness-oauth-actor-receipts]
McGuinness, K., "OAuth Actor Receipts for Delegation Provenance", Work in Progress, Internet-Draft, draft-mcguinness-oauth-actor-receipts-00, , <https://datatracker.ietf.org/doc/html/draft-mcguinness-oauth-actor-receipts-00>.
[I-D.draft-mcguinness-oauth-domain-authorized-issuer]
McGuinness, K., "OAuth Domain-Authorized Issuer Trust Method", Work in Progress, Internet-Draft, draft-mcguinness-oauth-domain-authorized-issuer-00, , <https://datatracker.ietf.org/doc/html/draft-mcguinness-oauth-domain-authorized-issuer-00>.
[I-D.draft-mcguinness-oauth-id-assertion-framework]
McGuinness, K., "OAuth Identity Assertion Trust Framework", Work in Progress, Internet-Draft, draft-mcguinness-oauth-id-assertion-framework-00, , <https://datatracker.ietf.org/doc/html/draft-mcguinness-oauth-id-assertion-framework-00>.
[I-D.draft-mcguinness-oauth-mission-signals]
McGuinness, K., "Mission Lifecycle Signals for OAuth 2.0", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-oauth-mission-signals.html>.
[I-D.draft-mcguinness-oauth-mission-status]
McGuinness, K., "Mission Status and Lifecycle for OAuth 2.0", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-oauth-mission-status.html>.

Appendix A. End-to-End Example (Non-Normative)

This appendix continues the end-to-end example of the base profile's appendix across a trust boundary: from the home domain (as.example.com) into a partner domain, and then into the partner's internal microservice call chain. It is illustrative and adds no normative requirements. The final intra-domain hop shows one deployment-local way to carry Mission context in a Transaction Token [I-D.draft-ietf-oauth-transaction-tokens]. Identifiers and hash values are illustrative and are not computed from the displayed JSON.

The chain crosses boundaries in two distinct ways, and seeing why is the point of the example:

The Mission is the durable anchor across both: mission.id, mission.issuer, and authority_hash ride unchanged through every hop. OAuth authority is audience-scoped by the Mission Issuer and Resource AS; deployment-local transaction context then narrows the operation for internal services. In this baseline walkthrough no hop calls back to mission.issuer for state; each enforces from the credential it holds. The OPTIONAL companion profiles layer on this baseline, and the stages note where: Stage 4 gains a runtime point-of-use check, and Stage 3 gains prompt cross-domain revocation from Status or Signals.

Scenario: agent s6BhdRkqt3, acting for alice (user_3p2q8mN1a0kV7tR), reconciles Q3 invoices in a partner ERP under Mission msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-. Stage 0 (agent identity) and Stage 1 (Mission creation at the home AS) are the base profile's single-domain walkthrough, extended here in one way: the Mission Intent's resources also names the partner ERP https://erp.partner.example.com, so the approved Authority Set additionally carries, for that resource, an invoices.read entry (delegable to ai_agent actors at depth 1) and a journal-entries.write entry capped at a max_amount of 500.00 USD. The Mission was recorded active with authority_hash sha-256:Gv2nD9bM7sX1cF8gH0pVl3KvZ4mP5x0wQrR6tY2jE5kQ and intent_hash sha-256:Zb8mR3nX5pV4lE6sQqYwQ7p4LHnX9Md0LqJ6sZJ2xT5f (illustrative; this Mission's Intent and Authority Set extend the single-domain walkthrough's, so its anchors differ from that example's). The partner ERP is behind the Resource AS ras.partner.example.com, so the agent's next step is a cross-domain projection rather than a home-domain access token.

A.1. Stage 2: Cross-Domain Projection via ID-JAG (Between Domains)

The agent needs the partner ERP, behind the Resource AS ras.partner.example.com. It presents its Mission refresh token as the subject_token of a token exchange requesting an ID-JAG (Section 6); the home AS resolves the Mission from that grant, gates on Mission active, and mints a Mission-bound ID-JAG audienced to that Resource AS, carrying the mission claim and the audience-scoped authority for the ERP:

{
  "iss": "https://as.example.com",
  "aud": "https://ras.partner.example.com",
  "sub": "user_3p2q8mN1a0kV7tR",
  "client_id": "s6BhdRkqt3",
  "iat": 1793606400,
  "exp": 1793606700,
  "cnf": { "jkt": "0ZcOCORZNYy-DWpqq30jZyJGHTN0d2HglBV3uiguA4I" },
  "authorization_details": [
    { "type": "mission_resource_access",
      "resource": "https://erp.partner.example.com",
      "actions": ["invoices.read"],
      "delegation": {
        "max_depth": 1,
        "allowed_delegates": [{ "sub_profile": "ai_agent" }]
      } },
    { "type": "mission_resource_access",
      "resource": "https://erp.partner.example.com",
      "actions": ["journal-entries.write"],
      "constraints": { "max_amount":
        { "amount": "500.00", "currency": "USD" } } }
  ],
  "mission": {
    "id": "msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-",
    "issuer": "https://as.example.com",
    "authority_hash":
      "sha-256:Gv2nD9bM7sX1cF8gH0pVl3KvZ4mP5x0wQrR6tY2jE5kQ"
  }
}

The ID-JAG is short-lived (300 s) and sender-constrained to the agent. Its exp does not exceed the Mission's expires_at (Section 6).

A.2. Stage 3: The Resource AS Issues a Local Access Token

ras.partner.example.com validates the ID-JAG (Section 7): it establishes issuer trust in as.example.com, verifies the signature, checks that aud is itself, checks the expiry, and verifies the sender-constraint proof. It then issues its own access token for the ERP, preserving the mission claim unchanged and capping exp at the ID-JAG's exp:

{
  "iss": "https://ras.partner.example.com",
  "aud": "https://erp.partner.example.com",
  "sub": "partner-user_7Kp4QnZ2vR9s",
  "client_id": "s6BhdRkqt3",
  "iat": 1793606430,
  "exp": 1793606690,
  "jti": "at_7Kp4QnZ2vR9sT1mX8b3N",
  "cnf": { "jkt": "0ZcOCORZNYy-DWpqq30jZyJGHTN0d2HglBV3uiguA4I" },
  "authorization_details": [
    { "type": "mission_resource_access",
      "resource": "https://erp.partner.example.com",
      "actions": ["invoices.read"],
      "delegation": {
        "max_depth": 1,
        "allowed_delegates": [{ "sub_profile": "ai_agent" }]
      } },
    { "type": "mission_resource_access",
      "resource": "https://erp.partner.example.com",
      "actions": ["journal-entries.write"],
      "constraints": { "max_amount":
        { "amount": "500.00", "currency": "USD" } } }
  ],
  "mission": {
    "id": "msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-",
    "issuer": "https://as.example.com",
    "authority_hash":
      "sha-256:Gv2nD9bM7sX1cF8gH0pVl3KvZ4mP5x0wQrR6tY2jE5kQ"
  }
}

The issuing iss is now the Resource AS, but mission.issuer remains the home AS. The token's exp (1793606690) is below the ID-JAG's (1793606700) and far below the Mission's expires_at. The Resource AS-local sub is illustrative; its value is determined by the subject-resolution rules of the ID-JAG and identity chaining profiles, not by this document.

Revoking the Mission now stops new ID-JAGs, but the local token the Resource AS minted stays usable until its exp (260 seconds), bounded by the 300-second ID-JAG cap (Section 9.1). Tighter cross-domain revocation is opt-in, and the two companions do different things: a Mission Status freshness lease shortens how long the partner relies on stale state by forcing a pull or per-request re-check, while a Mission Lifecycle Signal notifies the partner on a Mission transition so it can react without polling.

The Resource AS holds only this audience's subset and cannot recompute authority_hash. To show its local token did not widen beyond the ID-JAG, it SHOULD record, per minted token, both sides of the derivation: the consumed ID-JAG's jti and conveyed authorization_details, and the local token's own identifier or digest (jti), iss, aud, iat, exp, and issued authorization_details. An auditor can then identify the exact local token, tie it to the grant it was minted from, and check its authority is a subset of that grant.

A.3. Stage 4: The Resource Server Enforces

The agent calls the ERP Resource Server (erp.partner.example.com) with that token. The Resource Server validates the JWT and the cnf binding and enforces the authorization_details whose resource it serves, permitting invoices.read and journal-entries.write up to a max_amount of 500.00 USD ([I-D.draft-mcguinness-oauth-mission], Section "Resource Server Enforcement"). It treats the mission claim as an audit anchor; holding only this audience's subset of the Authority Set, it does not recompute authority_hash.

This is stateless enforcement from the token alone. journal-entries.write is a consequential write, so where the partner deploys the runtime profile ([I-D.draft-mcguinness-mission-runtime]) it also obtains a point-of-use PDP permit against current Mission state before executing. The baseline bounds the write only by token lifetime and max_amount.

A.4. Stage 5: Internal Call Context via Transaction Tokens

To serve the request, the ERP Resource Server calls internal services inside the partner trust domain. Here it calls a ledger service for one invoice. The Resource Server is the entry edge of that domain: after it has validated the Mission-bound access token, it obtains a short-lived Transaction Token for the internal call.

The following shows one illustrative way the Mission context could ride in that Transaction Token. This is not a Mission-derived OAuth access token, and this document does not define the Transaction Token claim names or issuance rules. The important point is that the local context can keep the Mission anchor while narrowing the internal operation:

{
  "iss": "https://txn.partner.example.com",
  "aud": "https://ledger.partner.example.com",
  "sub": "partner-user_7Kp4QnZ2vR9s",
  "tid": "txn_5kQ9pX2vN7sR1tY8mZ3",
  "iat": 1793606460,
  "exp": 1793606520,
  "txn_authorization": {
    "source_resource": "https://erp.partner.example.com",
    "source_actions": ["invoices.read"],
    "internal_operation": "ledger.lookup_invoice",
    "constraints": { "invoice_id": "inv_2026Q3_1042" }
  },
  "mission": {
    "id": "msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-",
    "issuer": "https://as.example.com",
    "authority_hash":
      "sha-256:Gv2nD9bM7sX1cF8gH0pVl3KvZ4mP5x0wQrR6tY2jE5kQ"
  }
}

The Transaction Token is intra-domain and the shortest-lived credential in the chain (60 s). The holder has changed: the Resource Server's workload, not the agent, possesses it. The local context has narrowed again, to one ledger lookup for one invoice, while the mission anchor is unchanged.

A.5. Stage 6: The Internal Service Enforces

The ledger service receives the Transaction Token, validates it under partner-domain policy, reads the Mission context and local transaction authorization, and enforces them for the internal operation. Like every consumer downstream of the home AS, it treats authority_hash as an audit and correlation anchor it cannot recompute, and it makes no call to mission.issuer.

A.6. What Rode Through, and What Narrowed

Table 1
Hop (mechanism) Mission anchor Authority or context Expiry
ID-JAG (between domains) unchanged ERP: read + write 1793606700
Resource AS token unchanged ERP: read + write 1793606690
Txn Token (within domain) unchanged one ledger lookup 1793606520

The Mission anchor (id, issuer, authority_hash) is constant end to end. OAuth authority is preserved or narrowed at the cross-domain boundary, and local transaction context narrows the internal operation inside the partner domain. The lifetime shrinks at every hop and never exceeds the Mission's expires_at. The ID-JAG carried identity between trust domains; the Transaction Token carried context within one. The Mission bound both.

Author's Address

Karl McGuinness
Independent