oauth-wg · PieterKas · Jan 31, 2025 · Jan 31, 2025 · gffletch · Jan 31, 2025
@@ -635,10 +635,13 @@ The authorization model within a trust domain boundary is most often quite diffe
 ## Identifying Call Chains
 A Txn-token typically represents the call-chain of workloads necessary to complete a logical function initiated by an external or internal workload. The `txn` claim in the Txn-token provides a unique identifier that when logged by the TTS and each subsequent workload can provide both discovery and auditability of successful and failed transactions. It is therefore strongly RECOMMENDED to use an identifier, unique within the trust domain, for the `txn` value.
 
+## Transaction Token Service Discovery
+A workload may use a variety of mechanisms to determine the Transaction Token Service it should interact with. Workloads should only retrieve configuration information indicating which Transaction Token Service it should interact with from a trusted location to  minimize the risk of a threat actor inserting configuration information pointing to a Transaction Token Service under it's control, which it may use to collect Access Tokens sent to it as part of the Txn-Token Request message. The workload should authenticate the service providing the configuration information and verify the integrity of the information to prevent a threat actor from inserting configuration information for a Trust Domain Service under its control. The wokrload may use TLS to authenticate the end-point and protect the request at the transport layer, and may use additional application layer signatures or message authentication codes to detect tampering with the configuration information.
+
 ## Workload Configuration Protection
 A workload may be configured to access more than one instance of a Transaction Token Service to ensure redundancy or reduce latency for transaction token requests. The workload configuration should be protected against unauthorized addition or removal of Transaction Token Service instances. An attacker may perform a denial of service attack or degrade the performance of a system by removing an instance of a Transaction Token Service from the workload configuration.
 
-## Transaction token Service Authentication
+## Transaction Token Service Authentication
 A workload may accidently send a transaction token request to a service that is not a Transaction Token Service, or an attacker may attempt to impersonate a Transaction Token Service in order to gain access to transaction token requests which includes sensitive information like access tokens. To minimise the risk of leaking sensitive information like access tokens that are included in the transaction token request, the workload must ensure that it authenticates the Transaction Token Service and only contact instances of the Transaction Token Service that is authorized to issue transaction tokens.
 
 # Privacy Considerations {#Privacy}