Use of actor_token and actor_token_type

[gffletch]

Should we allow the use of actor_token and actor_token_type to be used as a means of client authentication for the Transaction Token Service? If not, should explicitly prohibit the use of these parameters in the profile of the Token Exchange spec.

[tulshi]

Since RFC8693 (Token Exchange) refers to the actor_token as "A security token that represents the identity of the acting party", we should not use it in the TraT request. I thought we wanted to have some way to convey the inbound token to the TraT service, and that's why we were using actor_token, but that is inconsistent with RFC8693. I think we should neither require nor disallow the use of actor_token because some implementations may want that for client auth, and some implementations may want to do something else (e.g. mTLS) for client auth.

[gffletch]

This is kind of what the spec says today. It's not required and up to the implementation. It is just referenced as an example. However, I'm fine removing the example and just being silent in the spec on the topic.

[gffletch]

Recommendation to update example and be silent on use of actor_token and actor_token_type. Add a section to Security Considerations to talk about client authentication and add some non-normative examples.

[gffletch]

Removed the additional text regarding possible client authentication methods and just left it that the client MUST authenticate itself to the Transaction Token Service and that the specific client authentication method is out of scope for this specification.