# Meeting Notes 07-21-2023
## Attendees:
- Rifaat
- Pieter
- George
- Kelley
- Justin
- Atul
## Agenda
- SPIFFE in the IETF (Justin)
- Transaction Tokens Feedback (Atul)
## SPIFFE in the IETF
- Being presented in dispatch and secdispatch WGs
- Propose to discuss in IAB open office hours
- Justin went through a presentation that introduces the problem both at the SPIFFE level and higher level use cases
- [Pieter] There is no venue to talk about this stuff right now
- [Rifaat] You may want to take a look at the Network Service Mesh concepts, which we have examined in the JWT embedded tokens world
- [Justin] The data structure and packaging are two different questions, but there is a lot of unanswered stuff on both sides of that
## Transaction Tokens
- [Atul] No feedback on the new section yet.
- [Kelley] No specific concerns.
- [Atul] We have open issues and the nesting discussion to go through.
- [Atul] Couldn't find open questions (found them in [notes for 7/7/21](https://hackmd.io/@rpc-sec-wg/notes-20230707))
- [Atul] Is the Tx-Token Service a new token endpoint?
- [Justin] Probably not.
- [Rifaat] Agreed.
- [George] Don't want to overload the AS.
- From an operational perspective, want to separate the load. May need a way from a configuration perspective to point to the endpoint.
- [Justin] The question is whether that means it points to a functionally different Authorization Server or an aspect of an existing service.
- [Atul] Proposing to use token exchange; functionally it looks different. Wants to call it a different server.
- [Justin] Can be an authz server, but a different authz server.
- [George] Some logic happens when it hits the service. The domain the authz manages is the internal domain of the workloads. This is another layer of AuthZ server.
- [Pieter] The placement of this server is different from an authorization server, in terms of traffic, latency, etc. So it may have to be a different server
- [Justin] It's a different grant type, but still an authorization server that issues this token.
- [Justin] Is this a new type of server or is this an OAuth server?
- [George] Clarify to the reader it is a specialised authz server focused on the internal domain. It is not a front door authz service. Need to clarify this to avoid confusion.
- [Atul] Wording "OAuth Authorization server for issuing transaction tokens".
- [Justin] Should be able to get transaction tokens out of a GNAP service for example.
- [Atul] Will define the Transaction Token service as an OAuth Authorization Server.
### Token Lifetime
- [Atul] In a batch process, the batch process will get new transaction tokens (probably replacement transaction tokens) to execute each RPC
- [George] These calls do not have ACID properties. So unless you keep the token lifetime small, you will get into trouble because of the inability to identify which transaction occurred / failed.
- [George] That said, we did run into a few use cases in Yahoo, where when a batch actually ran, the original user ID was removed / not present in the database. So we should not be too prescriptive about the lifetime, but the short-lived nature reduces the need for intermediary validation
- [Rifaat] When you say intermediary validation, what do you mean?
- [George] Each server in the chain going back to the AuthZ server to check the token
- [Rifaat] I'm assuming the tokens are JWT tokens, which can be validated by themselves
- [George] Local validation of a signature is not the full level of authorization when a user is presenting an external access token, so you need to bind the transaction related info.
- [Rifaat] Are Transaction Tokens Access Tokens? Are there refresh tokens associated with Transaction Tokens?
- [George, Atul] No refresh tokens. They're not, although they are JWTs with data
- [George] We can investigate whether it is valuable to understand whether TraTs are OAuth Access Tokens
- [Pieter] I would want them to not be access tokens just because of where we will be deploying these
- [Rifaat] We need to explain the difference between the Access Token and a Transaction Token
- [George] Access tokens tend to be coarse-grained, and TraTs are fine-grained.
- [George] How these things map for the purpose of bridging authorization domains is interesting
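Added example, not from the meeting or from any draft the group is editing: a toy of the two points discussed above, a specialised token service for the internal workload domain that mints transaction tokens through a token-exchange-style call, and the local validation each workload in the chain does instead of calling back to the authorization server. The tokens are short-lived JWTs with no refresh token, so a batch process simply exchanges again per RPC. Everything specific here is an assumption: HS256 with a shared key is used only so the example runs on the standard library (a real deployment would sign asymmetrically so workloads hold only a public key), and the claim names `txn` and `purp` are placeholders, not names defined by the specification.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TransactionTokenService:
    """Hypothetical specialised authorization server for the internal workload
    domain. It is not the front-door AS: it only turns the claims of an already
    validated external access token into a short-lived transaction token."""

    def __init__(self, key: bytes, issuer: str, audience: str, lifetime_s: int = 60):
        self.key = key                # HS256 shared key (assumption, for a runnable demo only)
        self.issuer = issuer
        self.audience = audience      # the internal domain the token is scoped to
        self.lifetime_s = lifetime_s  # short by design: no refresh token, exchange again per RPC

    def exchange(self, access_token_claims: dict, purpose: str, now=None) -> str:
        """Token-exchange-style call: bind the external subject and the
        transaction context into a new JWT that the internal domain trusts."""
        now = int(time.time()) if now is None else now
        payload = {
            "iss": self.issuer,
            "aud": self.audience,
            "sub": access_token_claims["sub"],
            "iat": now,
            "exp": now + self.lifetime_s,
            "txn": str(uuid.uuid4()),   # placeholder claim: unique id of this transaction
            "purp": purpose,            # placeholder claim: what this transaction is for
        }
        header = {"alg": "HS256", "typ": "JWT"}
        signing_input = (
            _b64url(json.dumps(header, separators=(",", ":")).encode())
            + "."
            + _b64url(json.dumps(payload, separators=(",", ":")).encode())
        )
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)


def validate_locally(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """What each workload in the call chain does instead of asking the AS:
    verify the signature, then check iss, aud and exp. Raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


if __name__ == "__main__":
    svc = TransactionTokenService(b"demo-shared-key", "https://tts.internal.example", "internal-workloads")
    # Constructed sample: claims of an external access token the front door already validated.
    tok = svc.exchange({"sub": "user-123", "scope": "orders.write"}, purpose="place-order", now=1_000_000)
    print(validate_locally(tok, b"demo-shared-key", "https://tts.internal.example", "internal-workloads", now=1_000_030))
```

The lifetime check is what makes the short-lived design work without intermediary validation: a workload that receives a token 61 seconds after issuance rejects it locally, and the batch process is expected to exchange for a fresh one rather than refresh the old one.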