Align Enterprise-Managed Authorization with id-jag-04 and promote to stable #29
Merged
Reduce duplication by referencing draft-ietf-oauth-identity-assertion-authz-grant-04 for roles, token exchange parameters, ID-JAG claims, and processing rules, keeping only MCP-specific constraints inline.

- Adopt 'Resource Authorization Server' terminology from id-jag §2
- Replace parameter/claim tables with section references plus MCP deltas
- Keep `resource` REQUIRED in this profile (id-jag-04 made it optional)
- Drop the restriction on `actor_token` (removed upstream in -03)
- Replace multi-tenant implementation notes with reference to id-jag §6
- Reference id-jag §5 for cross-domain client_id handling
- Add Discovery section referencing `authorization_grant_profiles_supported`
Move the extension from specification/draft/ to specification/stable/ to indicate it is ready for use and has reference implementations. Update the README to list stable and draft extensions separately, and update the in-document status banner to match.
aaronpk
reviewed
Jun 17, 2026
Co-authored-by: Aaron Parecki <aaron@parecki.com>
aaronpk
reviewed
Jun 18, 2026
aaronpk
previously approved these changes
Jun 18, 2026
aaronpk
approved these changes
Jun 18, 2026
Two changes to the Enterprise-Managed Authorization extension:

1. Reduce duplication against id-jag-04

References draft-ietf-oauth-identity-assertion-authz-grant-04 directly for roles, token exchange parameters, ID-JAG claims, and processing rules, keeping only MCP-specific constraints inline.

- `resource` REQUIRED in this profile (id-jag-04 made it optional)
- `actor_token` (removed upstream in -03)
- `client_id` handling
- `authorization_grant_profiles_supported` (id-jag §7.2)
- `resource` claim in the ID-JAG

2. Promote to `specification/stable/`

Moves the document from `draft/` to a new `stable/` directory to indicate it is ready for use and has reference implementations. README updated to list Stable and Draft extensions separately; in-document status banner updated to match.

Examples and the sequence diagram are unchanged.