https://notes.karlmcguinness.com/tags/identity-chaining/Recent content in Identity Chaining on Control Plane by Karl McGuinnessHugoen-uspublic@karlmcguinness.com (Karl McGuinness)public@karlmcguinness.com (Karl McGuinness)Sat, 06 Jun 2026 09:00:00 -0700https://notes.karlmcguinness.com/notes/re-subjecting-is-a-mint-not-an-attenuation/Sat, 06 Jun 2026 09:00:00 -0700public@karlmcguinness.com (Karl McGuinness)https://notes.karlmcguinness.com/notes/re-subjecting-is-a-mint-not-an-attenuation/Cross-App Access becomes structurally difficult when applications use different subject namespaces for the same user. Workload identity alone cannot supply the delegated user context, and offline attenuation cannot create a target-local identity binding that the artifact’s issuer never supplied. When a hop requires subject translation, an IdP or broker trusted for that mapping must mint new audience-scoped identity evidence. The destination Authorization Server still applies local policy and separately mints the access token. The open design question is how that mapping authority is invoked: caller-pushed continuation, resource-pulled resolution, or another profile that preserves the same trust invariant.