Added some Privacy Considerations (#162)

Co-authored-by: Arndt Schwenkschuster <[email protected]>

Author: bc-pi

draft-ietf-oauth-identity-chaining.md

@@ -319,6 +319,19 @@ Authorization servers in trust domain B MAY enforce these mitigations.
 
 Implementations and profiles of this specification MAY define additional mitigations tailored to specific use cases and operational contexts.
 
+# Privacy Considerations
+
+In addition to the privacy considerations outlined in {{RFC8693}} and {{RFC7523}}, the following items are relevant to this specification:
+
+OAuth federation involves the exchange of tokens and claims between disparate trust domains.
+If excessive or unnecessary user data is included in these tokens, it may lead to unintended privacy consequences.
+As noted in {{RFC8693}} and {{RFC7523}}, deployments should determine the minimum amount of information necessary to complete the exchange and ensure that only that information is included in the token.
+
+Inconsistent user privacy practices within OAuth federation can result from varying interpretations and implementations of the protocol across different domains.
+This inconsistency can lead to a lack of transparency and user control over what data is shared and with whom.
+To mitigate this, federation trust relationships between domains must be carefully established and maintained with user privacy in mind.
+This includes verifying that privacy policies are aligned across trust domains and clearly define how user data is collected, used, and protected.
+
 --- back
 
 # Use cases
@@ -511,6 +524,7 @@ The editors would like to thank Joe Jubinski, Justin Richer, Dean H. Saxe, and o
 * Added examples in claims transcription text
 * Simplify some text in the JWT Authorization Grant section
 * Fix some toolchain complaints and other nitpicks
+* Added some Privacy Considerations
 * Move Mr. Parecki from acknowledgements to contributors in acknowledgement of his contributions
 
 -04