Internet-Draft AI Agent Authorization July 2026
Liu, et al. Expires 7 January 2027 [Page]
Workgroup:
Web Authorization Protocol
Internet-Draft:
draft-liu-ai-agent-authorization-integration-00
Published:
Intended Status:
Informational
Expires:
Authors:
D. Liu
Alibaba Group
H. Zhu
Alibaba Group
S. Krishnan
Cisco
A. Parecki
Okta
H. Xue
Alibaba Group

AI Agent Authorization Integration Framework

Abstract

This document describes how to integrate multiple OAuth 2.0 extensions to enable secure authorization for AI agents acting on behalf of users. It combines cross-domain identity, policy-based authorization, user consent evidence, and multi-hop delegation into a cohesive framework for autonomous agent authorization.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 January 2027.

Table of Contents

1. Introduction

AI agents increasingly need to access protected resources on behalf of users across different trust domains. Traditional OAuth 2.0 [RFC6749] provides basic delegation mechanisms, but AI agent scenarios require additional capabilities:

This document describes how to combine several OAuth 2.0 extensions into an integrated framework for AI agent authorization. It does not define new protocol mechanisms, but rather profiles existing specifications for this use case.

Two key design principles guide this framework:

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals.

1.2. Component Specifications

This framework integrates the following specifications. The first two (Agent Authentication and Identity Assertion Grant) are external OAuth Working Group specifications that this framework profiles. The remaining four are companion specifications developed alongside this framework:

Table 1: Framework Components
Component Specification Purpose
Agent Authentication [I-D.ietf-oauth-spiffe-client-auth] Agent workload identity via SPIFFE/WIT-SVID
Identity Assertion Grant [I-D.ietf-oauth-identity-assertion-authz-grant] JWT-based cross-domain identity assertion
User Interaction & Consent [I-D.parecki-oauth-jwt-grant-interaction-response] User consent via JWT grant interaction flow
Policy Authorization [I-D.liu-oauth-rego-policy] Fine-grained Rego policy support
Consent Evidence [I-D.liu-oauth-authorization-evidence] User confirmation records, audit trail, and consent-to-evidence pipeline
Multi-hop Delegation [I-D.liu-oauth-chain-delegation] Agent-to-agent delegation chains

2. Authorization Model: Policy vs Scope

This framework uses a policy-based authorization model that replaces traditional OAuth 2.0 scopes with fine-grained Rego policies. This section clarifies the relationship between scopes and policies in this framework.

2.1. Policy as Primary Authorization Mechanism

In this framework, the primary authorization mechanism is policy carried via Rich Authorization Requests (RAR, [RFC9396]), not OAuth 2.0 scopes. The rego_policy authorization data type defined in [I-D.liu-oauth-rego-policy] carries the authorization logic within the authorization_details parameter:

  • Authorization Request: Clients submit authorization_details containing a rego_policy type with Rego policy that defines permitted operations (e.g., "allow add_to_cart if amount <= 50").
  • Access Token: AS returns an enriched authorization_details response per RFC 9396 Section 7.1, including the evaluated policy reference.
  • Resource Server: RS evaluates the policy at runtime using a Rego-compatible policy engine (e.g., Open Policy Agent [OPA]) with request context.

This approach enables dynamic, context-aware authorization that goes beyond static scope lists.

2.2. Scope as Optional Supplement

Traditional OAuth 2.0 scope parameter is OPTIONAL in this framework and serves different purposes:

  • When to use scope: For coarse-grained resource categorization (e.g., "read", "write") or backward compatibility with existing OAuth deployments.
  • When NOT to use scope: When fine-grained, conditional authorization is required. In this case, Rego policy provides all necessary authorization logic.
  • Relationship: If both scope and policy are present, the policy takes precedence. Scope acts as an outer boundary, while policy defines specific conditions.
+-----------------------------------------------------------+
|  Authorization Boundary                                   |
+-----------------------------------------------------------+
|  +-----------------------------------------------------+  |
|  |  Scope (Traditional OAuth)                          |  |
|  |  +-----------------------------------------------+  |  |
|  |  |  Policy via RAR (Primary)                     |  |  |
|  |  |  authorization_details: rego_policy           |  |  |
|  |  |  "allow if amount <= 50 AND time < 6pm"       |  |  |
|  |  +-----------------------------------------------+  |  |
|  +-----------------------------------------------------+  |
+-----------------------------------------------------------+
Figure 1

2.3. Complete Authorization Mechanism

The complete authorization mechanism comprises six integrated components:

  1. Agent Authentication ([I-D.ietf-oauth-spiffe-client-auth]): Proves "who the agent is" through cryptographic workload identity.
  2. Cross-Domain Identity ([I-D.ietf-oauth-identity-assertion-authz-grant]): Proves "who the user is" across trust domains via JWT assertion.
  3. User Interaction & Consent ([I-D.parecki-oauth-jwt-grant-interaction-response]): Obtains explicit user consent through structured interaction flow.
  4. Rego Policy ([I-D.liu-oauth-rego-policy]): Defines "what operations are allowed" with fine-grained conditions.
  5. Authorization Evidence ([I-D.liu-oauth-authorization-evidence]): Provides cryptographic proof of "what the user agreed to".
  6. Chain Delegation ([I-D.liu-oauth-chain-delegation]): Enables secure "agent-to-agent transfer" of authorization.

Together, these components provide end-to-end authorization for AI agents:

+------------------------------------------------------------+
|  Integration Framework (This Draft)                        |
|  "How to combine all components"                           |
+------------------------------------------------------------+
|  +------------+ +------------+ +------------+ +----------+  |
|  |  Agent     | |  Identity  | |  Consent   | | Delegat. |  |
|  |  Authn     | |  (ID-JAG)  | |  (JAG-IR)  | | (Chain)  |  |
|  | (SPIFFE)   | +------------+ +------------+ +----------+  |
|  +------------+                                             |
|  +------------------------------------------------------+  |
|  |     Policy Engine via RAR (rego_policy)              |  |
|  |         "Under what conditions allow"                |  |
|  +------------------------------------------------------+  |
|  +------------------------------------------------------+  |
|  |     Authorization Evidence (consent + audit trail)   |  |
|  |         "What did the user agree to"                 |  |
|  +------------------------------------------------------+  |
+------------------------------------------------------------+
|        OAuth 2.0 Core + RAR (RFC 9396)                     |
+------------------------------------------------------------+
Figure 2

3. Architecture

3.1. Participants

+------------------+     +------------------+     +------------------+
|    Home IdP      |     |   AI Agent       |     |   External AS    |
|                  |     |                  |     |                  |
| - User authn     |     | - SPIFFE identity|     | - Policy engine  |
| - ID Token issue |     | - JWT Grant clnt |     | - Token issuance |
+------------------+     +------------------+     +------------------+
        |                        |                        |
        |   ID Token             |                        |
        |----------------------->|                        |
        |                        |                        |
        |                        | JWT Grant + authz_det  |
        |                        |----------------------->|
        |                        |                        |
        |                        | interaction_required   |
        |                        |<-----------------------|
        |                        |                        |
        |  interaction_uri       |                        |
        |<-----------------------|                        |
        |  (user consent)        |                        |
        |----------------------->|                        |
        |                        | Poll token endpoint    |
        |                        |----------------------->|
        |                        |                        |
        |                        |   Access Token         |
        |                        |<-----------------------|
        |                        |                        |
        |                        |                  +-------------------+
        |                        |                  | Resource Server   |
        |                        |                  |                   |
        |                        |   API Request    | - Token validation|
        |                        |----------------->| - Policy engine   |
        |                        |                  +-------------------+
Figure 3
Home Identity Provider (Home IdP):
Authenticates the user and issues ID Tokens. This is the user's trusted identity service.
AI Agent:
An autonomous software agent acting on behalf of the user. Has its own workload identity (SPIFFE/WIT-SVID).
External Authorization Server (AS):
Issues access tokens for resources in its domain. Validates JWT assertions, evaluates authorization_details, and manages user interaction.
Resource Server (RS):
Hosts protected resources. Validates access tokens and enforces policies using a Rego-compatible policy engine.

3.2. Token Structure

The framework uses JWT access tokens ([RFC7519], [RFC9068]) following OAuth 2.0 standards. Key claim semantics:

  • sub (Subject): MUST contain the user's identifier at the Resource Application (third-party app), NOT the Agent's internal user identifier. This enables the Resource Server to immediately identify the resource owner without additional identity mapping lookups. The AS maps the Home IdP subject to the resource-domain identifier through account linking, federation metadata, or additional identity claims (e.g., email) present in the JWT assertion.

  • act (Actor): Identifies the entity exercising delegated authority. Contains:

    • sub: The Agent's WIT URI, identifying which agent is acting on behalf of the user;
    • agent_user_id (OPTIONAL): The user's identifier at the Agent system, enabling audit trail correlation at the Agent side. Note: This is a non-registered extension field within the act claim structure.
  • authorization_details: Carries multiple authorization data types via Rich Authorization Requests ([RFC9396]):

    • rego_policy type: The Rego policy defining what operations the agent is permitted to perform. Defined in [I-D.liu-oauth-rego-policy].
    • authorization_evidence type: The signed record of the user's confirmation action during authorization, including what was displayed to the user, how the user confirmed, a cryptographic signature from the AS, and the audit_trail sub-object for semantic traceability. Defined in [I-D.liu-oauth-authorization-evidence].
  • delegation_chain: Records the chain of delegation hops when authorization is transferred between agents, with cryptographic signatures for each hop. Only present in delegated scenarios. Defined in [I-D.liu-oauth-chain-delegation].

{
  "iss": "https://as.external.example",
  "sub": "user_12345",
  "aud": "https://api.external.example",
  "exp": 1731369540,
  "iat": 1731320700,
  "jti": "urn:uuid:token-abc-123",

  "act": {
    "sub": "wit://agent.example/sha256.abc123...",
    "agent_user_id": "agent_user_001"
  },

  "authorization_details": [
    {
      "type": "rego_policy",
      "policy": {
        "type": "rego",
        "uri": "https://as.external.example/policies/policy-abc123",
        "entry_point": "allow"
      },
      "context": {
        "user": { "id": "user_12345" },
        "action": "add_to_cart"
      }
    },
    {
      "type": "authorization_evidence",
      "evidence": {
        "id": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
        "user_confirmation": {
          "displayed_content": "Add items under $50 to cart",
          "user_action": "confirmed_via_button_click",
          "timestamp": 1731320595
        },
        "as_signature": "eyJhbGciOiJFUzI1NiJ9..MEUCIQDx...",
        "audit_trail": {
          "evidence_ref": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
          "semantic_expansion_level": "medium",
          "proposal_ref": "urn:uuid:proposal-xyz"
        }
      }
    }
  ],

  "delegation_chain": [
    {
      "delegator_id": "wit://agent-a.example/sha256.aaa111...",
      "delegatee_id": "wit://agent-b.example/sha256.bbb222...",
      "as_id": "https://as.external.example",
      "delegation_timestamp": 1731320800,
      "root_evidence_ref": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
      "delegated_policy": {
        "type": "rego",
        "uri": "https://as.external.example/policies/policy-delegated-456",
        "entry_point": "allow"
      },
      "operation_summary": "Delegate cart operations",
      "delegator_signature": "eyJhbGciOiJFUzI1NiJ9..MEYCIQD...",
      "as_signature": "eyJhbGciOiJSUzI1NiJ9..MEUCIQDx..."
    }
  ]
}
Figure 4

4. Authorization Workflow

4.1. Overview

+-------+    +-------+    +--------+    +---------+    +-------+    +------+
| User  |    | Home  |    |  AI    |    |External |    |  RS   |    |Policy|
|       |    |  IdP  |    | Agent  |    |   AS    |    |       |    |      |
+-------+    +-------+    +--------+    +---------+    +-------+    +------+
    |            |             |            |            |           |
(1) | Authn      |             |            |            |           |
    |----------->|             |            |            |           |
    |            |             |            |            |           |
(2) |  ID Token (aud=External AS)           |            |           |
    |<------------------------>|            |            |           |
    |            |             |            |            |           |
(3) |            |   Agent builds token req:|            |           |
    |            |   - JWT assertion        |            |           |
    |            |   - authorization_details|            |           |
    |            |     (rego_policy type)   |            |           |
    |            |             |            |            |           |
(4) |            |   Token Request          |            |           |
    |            |   + SPIFFE client auth   |            |           |
    |            |             |----------->|            |           |
    |            |             |            |            |           |
(5) |            |             |  Validate: |            |           |
    |            |             |  - SPIFFE  |            |           |
    |            |             |  - JWT     |            |           |
    |            |             |  - policy  |            |           |
    |            |             |            |            |           |
(6) |            |             |  interaction_required   |           |
    |            |             |  + interaction_uri      |           |
    |            |             |<-----------|            |           |
    |            |             |            |            |           |
(7) | User interaction via browser          |            |           |
    |<--------------------------------------|            |           |
    |            |             |            |            |           |
(8) | User confirms            |            |            |           |
    |-------------------------------------->|            |           |
    |            |             |            |            |           |
(9) |            |             |  Poll token endpoint    |           |
    |            |             |----------->|            |           |
    |            |             |            |            |           |
(10)|            |             |  Issue token with:      |           |
    |            |             |  - act                  |           |
    |            |             |  - authorization_details|           |
    |            |             |  - evidence             |           |
    |            |             |  - audit_trail          |           |
    |            |             |<-----------|            |           |
    |            |             |            |            |           |
(11)|            |             | API Request|            |           |
    |            |             |------------------------>|           |
    |            |             |            |            |           |
(12)|            |             |            |  Validate  |           |
    |            |             |            |  token     |           |
    |            |             |            |            |           |
(13)|            |             |            |  Policy    |           |
    |            |             |            |  eval      |---------->|
    |            |             |            |            |           |
(14)|            |             |            |  Decision  |           |
    |            |             |            |            |<----------|
    |            |             |            |            |           |
(15)|            |             | Response   |            |           |
    |            |             |<------------------------|           |
Figure 5

4.2. Step-by-Step Description

  1. User Authentication at Agent: User authenticates with the Agent's Identity Provider (Home IdP). The Agent requests an ID Token suitable for cross-domain assertion, containing:

  2. ID Token as JWT Assertion: The Agent uses the ID Token as the JWT assertion in the token request per [I-D.ietf-oauth-identity-assertion-authz-grant]. The AS validates the Home IdP's signature and extracts the user's identity claims.

  3. Token Request Construction: Agent builds a token request including:

    • grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer;
    • assertion: The user's ID Token (JWT);
    • authorization_details: Containing rego_policy type with policy and context.
  4. Token Request Submission: Agent sends the token request to External AS with SPIFFE client authentication (WIT-SVID in headers).

  5. AS Validation: AS validates:

    • SPIFFE client credentials;
    • JWT assertion signature, audience (aud), and expiration (exp) from Home IdP;
    • Policy syntax and safety in authorization_details.
  6. Interaction Required: AS determines user interaction is needed and returns an interaction_required error response per [I-D.parecki-oauth-jwt-grant-interaction-response] containing an interaction_uri for user consent.

  7. User Interaction: The agent launches the interaction_uri in the user's browser. The AS presents the consent UI showing the interpreted operation.

  8. User Confirmation: User reviews and approves (or denies) the operation.

  9. Polling: Agent polls the token endpoint (re-sending its original request with a fresh SPIFFE client attestation) until the AS completes user interaction. If the user denies consent, the AS returns an access_denied error to subsequent polling requests.

  10. Token Issuance: AS issues access token containing:

    • act: Agent's SPIFFE ID;
    • authorization_details: Enriched response per RFC 9396 Section 7.1, including both rego_policy and authorization_evidence types;
    • delegation_chain: (only in delegation scenarios).
  11. API Request: Agent presents token to Resource Server.

  12. Token Validation: RS validates token signature and claims.

  13. Policy Evaluation: RS sends policy and request context to the policy engine.

  14. Authorization Decision: Policy engine returns allow/deny decision.

  15. Response: RS executes (or denies) the operation and returns response.

5. Agent-to-Agent Delegation

When Agent A needs to delegate operations to Agent B, the framework extends the basic workflow:

+---------+       +---------+       +--------+       +---------+
| Agent A |       |   AS    |       | Agent B|       |   RS    |
+---------+       +---------+       +--------+       +---------+
     |                 |                 |                |
     | (has token)     |                 |                |
     |                 |                 |                |
     | Token Exchange  |                 |                |
     | - subject_token |                 |                |
     | - delegatee_id  |                 |                |
     | - authorization |                 |                |
     |   _details      |                 |                |
     | - delegator_sig |                 |                |
     |   (over deleg.  |                 |                |
     |    record)      |                 |                |
     |---------------->|                 |                |
     |                 |                 |                |
     |                 | Validate:       |                |
     |                 | - Token A valid |                |
     |                 | - Policy subset |                |
     |                 | - Agent B auth  |                |
     |                 | - delegator_sig |                |
     |                 |                 |                |
     |                 | AS countersigns |                |
     |                 | (as_signature)  |                |
     |                 |                 |                |
     |                 | Issue Token B   |                |
     |                 | with delegation_chain            |
     |                 | (del_sig+as_sig)|                |
     |                 |---------------->|                |
     |                 |                 |                |
     |                 |                 | API Request    |
     |                 |                 |--------------->|
     |                 |                 |                |
     |                 |                 |     Validate   |
     |                 |                 |     chain      |
     |                 |                 |  (dual sig)    |
     |                 |                 |                |
     |                 |                 | Response       |
     |                 |                 |<---------------|
Figure 6

The resulting token for Agent B includes a delegation_chain recording the delegation hop, as defined in [I-D.liu-oauth-chain-delegation]. Each delegation chain entry carries a dual signature: the delegator's signature (delegator_signature) over the delegation record and the AS's countersignature (as_signature), ensuring non-repudiation and preventing unilateral scope escalation.

The AS MUST also decide how to handle the original authorization_evidence entry from Agent A's token. Three strategies are defined in [I-D.liu-oauth-authorization-evidence]: Propagate (copy the original authorization_evidence entry into Agent B's token), Reference (replace the embedded evidence with an audit_trail sub-object containing only the evidence_ref), or Omit (do not include evidence). The Propagate strategy is RECOMMENDED when the delegated policy is a subset of the original token's policy. When using delegation chains, the root_evidence_ref in the delegation chain entry SHOULD reference the same evidence record, creating an unbroken audit trail from the original user consent through all delegation hops.

7. Progressive Deployment

This framework supports progressive deployment through a two-dimensional matrix, allowing organizations to adopt capabilities gradually based on their security requirements and operational maturity.

7.1. Identity Deployment Levels

Implementations MAY deploy agent identity at three progressive levels:

7.1.1. Level 0: Self-Issued Identity

The agent generates its own key pair and self-issues identity assertions. Suitable for development, testing, and low-trust scenarios such as personal or small-team agents.

7.1.2. Level 1: WIMSE Workload Identity

The agent obtains workload identity tokens through WIMSE infrastructure [I-D.ietf-wimse-workload-creds]. Provides cross-domain verifiability without requiring full enterprise IdP deployment. This level can be enhanced with optional trusted execution environment verification using WIT attestation [I-D.ietf-wimse-arch].

7.1.3. Level 2: Enterprise Identity

The agent's identity is managed by an enterprise IdP with full X.509 or SAML/OIDC trust chains. Required for high-assurance enterprise deployments.

7.2. Token Deployment Levels

Authorization tokens can be deployed at three levels:

7.2.1. Level A: Pre-configured Tokens

Static tokens configured at deployment time. No runtime AS interaction required. Suitable for internal services and well-known agents.

7.2.2. Level B: Admin-Assigned Tokens

Tokens assigned by administrators through a management interface. Policy binding without end-user consent. Suitable for enterprise automation scenarios.

7.2.3. Level C: Runtime Authorization Tokens

The full framework flow with user consent, policy evaluation, and evidence recording. Required for high-sensitivity operations and cross-domain access. This level utilizes the JWT Grant Interaction Response mechanism for user consent.

7.3. Deployment Matrix

The combination of identity and token levels creates a deployment matrix:

Table 2: Deployment Matrix
Identity \ Token A (Pre-configured) B (Admin-assigned) C (Runtime Authz)
0 (Self-Issued) Personal agents, IoT Small team automation Dynamic authorization
1 (WIMSE) Trusted lightweight agents Enterprise operations Cross-domain access
2 (Enterprise) High-trust static auth Compliance scenarios Full framework enterprise

Organizations typically progress through the matrix as their requirements evolve, starting from lower levels (e.g., 0A) and upgrading to higher levels (e.g., 2C) based on security needs.

8. Reverse-Guided Authorization

Traditional OAuth error responses indicate authorization failure without guidance on how to obtain valid authorization. In AI agent scenarios, where agents may autonomously navigate authorization requirements, resource servers can provide structured guidance through error responses.

When an agent's request lacks sufficient authorization, the resource server returns a 403 Forbidden response with a rego_profile object that specifies:

The AI agent parses this guidance and constructs a new authorization request that satisfies the specified requirements. This enables agents to "learn" authorization requirements dynamically rather than requiring pre-programmed knowledge of each resource server's policies.

Detailed specification of the Rego Profile format and agent adaptive behavior is defined in [I-D.liu-oauth-rego-policy].

9. Security Considerations

9.1. Trust Boundaries

The framework establishes clear trust boundaries:

  • Home IdP → Agent: ID Token with agent in audience;
  • Agent → External AS: SPIFFE authentication + JWT assertion (Identity Assertion Grant, ID-JAG);
  • External AS → RS: Signed access token with policy reference (JWS [RFC7515]);
  • Delegation: AS-signed delegation chain entries.

9.2. Threat Mitigations

Table 3: Threat Mitigations
Threat Mitigation
Token substitution JWT assertion audience binding (assertion.aud == AS identifier)
Privilege escalation Scope subset validation in delegation
Unauthorized actions Rego policy enforcement at RS
Consent forgery AS-signed evidence records
Delegation chain tampering AS signature on each chain entry

9.3. LLM Threat Model

This framework assumes the agent implementation (including authorization logic) is trusted, while the Large Language Model (LLM) used to derive operations is NOT trusted. The policy-based authorization ensures:

  • LLM cannot directly control authorization decisions;
  • All operations are bounded by user-approved policies;
  • Audit trails enable post-hoc verification.

9.4. Token Size

A full access token in this framework may carry multiple claims beyond the standard JWT fields: act, authorization_details (with embedded Rego policy and authorization evidence), and delegation_chain (for multi-hop scenarios). The combined size of these claims can exceed typical HTTP header limits when the token is passed in an Authorization header.

Implementations SHOULD consider:

  • Using token introspection ([RFC7662]) to retrieve detailed evidence and policy information rather than embedding all data in the token;
  • Using policy references (URIs) instead of inline Rego policy in authorization_details;
  • Applying the Reference strategy for evidence in token exchange scenarios, as defined in [I-D.liu-oauth-authorization-evidence].

9.5. Evidence Freshness

In this framework, evidence records capture user consent at a specific point in time. When tokens are exchanged or refreshed across delegation hops, the original consent timestamp may become significantly older than the current request time. Deployments SHOULD define an evidence freshness policy that specifies the maximum acceptable age of an evidence record and the actions to take when evidence is stale (e.g., reject the request, require re-consent). See [I-D.liu-oauth-authorization-evidence] for detailed guidance.

9.6. Policy Injection and Server-Side Request Forgery

When agents submit Rego policy via authorization_details, the AS must validate the policy before evaluation. Malicious or compromised agents could attempt to inject policies that exploit the policy engine (e.g., resource exhaustion, data exfiltration via external calls). The AS SHOULD enforce policy size limits, restrict available Rego built-in functions (particularly those that perform network I/O), and validate policy syntax before evaluation. See [I-D.liu-oauth-rego-policy] for the complete threat model and mitigation strategies.

9.7. Cross-Domain Trust

This framework operates across multiple trust domains (Home IdP, Agent domain, External AS, Resource Server). Trust establishment between these domains relies on:

  • The External AS trusting the Home IdP's JWT assertions (ID-JAG), which requires either a pre-established trust relationship or federation;
  • The Resource Server trusting the External AS's signing keys for both token validation and evidence signature verification;
  • Cross-domain delegation requiring trust in each intermediate AS's signing key for delegation chain verification.

Deployments SHOULD establish explicit trust frameworks or federation agreements that define key distribution, revocation, and liability across participating domains.

9.8. Delegation Depth and Privilege Escalation

Multi-hop delegation chains introduce the risk of unbounded delegation depth and privilege escalation at intermediate hops. The framework mitigates these risks through:

  • AS-enforced maximum delegation depth limits;
  • Scope subset validation ensuring each delegation hop can only narrow (never broaden) the authorized scope;
  • Cryptographic chain integrity via per-hop AS signatures in the delegation_chain claim.

See [I-D.liu-oauth-chain-delegation] for the complete delegation security model and validation checklist.

10. Privacy Considerations

The privacy considerations in this section are informed by the Internet protocol privacy analysis framework described in [RFC6973]. This section addresses privacy considerations specific to the integrated framework; implementers MUST also consult the privacy considerations in each component specification.

10.1. Cross-Domain Identity Correlation

This framework inherently links user identities across multiple trust domains: the Home IdP (where the user authenticates), the Agent domain (where the user interacts with the AI agent), and the External AS/RS domain (where resources are accessed). The act.agent_user_id field and the evidence record within the authorization_evidence authorization details type both carry identifiers that could be used to correlate a user's activities across these domains.

Implementations SHOULD minimize cross-domain correlation by:

  • Using domain-specific subject identifiers in the access token's sub claim rather than globally unique identifiers;
  • Treating agent_user_id as optional and including it only when required for audit correlation;
  • Avoiding inclusion of stable, globally correlatable identifiers in the evidence record's displayed_content field.

10.2. Agent Observability

AI agents acting on behalf of users can observe resource contents, policy evaluation outcomes, and error responses (including reverse-guided authorization hints). A compromised or malicious agent could accumulate sensitive information about the user's access patterns, resource contents, and organizational policy structure.

Mitigations include:

  • Applying the principle of least privilege to agent capabilities via Rego policy constraints;
  • Using the semantic_expansion_level in the audit_trail sub-object to flag operations where significant interpretation was applied, enabling post-hoc review of agent behavior;
  • Limiting the information exposed in reverse-guided authorization error responses to what is necessary for constructing a valid request.

10.3. Displayed Content Sensitivity

The displayed_content field in the evidence record (within the authorization_evidence authorization details type) records the human-readable description shown to the user during consent. This field may contain sensitive information about the user's intent, financial parameters, health-related operations, or personal data. Since the evidence record is included in the access token and may be logged by resource servers, implementations MUST minimize personal data in this field and SHOULD use operation identifiers rather than natural-language descriptions that may contain PII.

See [I-D.liu-oauth-authorization-evidence] for detailed guidance on displayed content minimization, evidence retention, and the tension between audit retention and the right to erasure under GDPR and CCPA.

10.4. Delegation Chain Privacy

Delegation chains record the identity of each intermediate agent in the delegation_chain claim. In multi-hop scenarios, this creates a record of all agents involved in a transaction, which may reveal organizational structure or agent relationships that participants consider sensitive. Implementations SHOULD evaluate whether the full delegation chain needs to be visible to the final resource server, or whether a summarized view is sufficient.

See [I-D.liu-oauth-chain-delegation] for delegation chain privacy considerations.

11. Relationship to Other Specifications

This section clarifies the relationship between this framework and other OAuth 2.0 specifications. Understanding these relationships is essential for implementers to determine which specifications are required for their specific use cases.

11.1. Relationship to Identity Assertion Grant (ID-JAG)

This framework builds on the Identity Assertion Authorization Grant ([I-D.ietf-oauth-identity-assertion-authz-grant]) as the base grant type for cross-domain identity assertion. ID-JAG enables AI agents to present a JWT assertion (e.g., an ID Token from the user's Home IdP) to an external authorization server as proof of user identity.

This framework extends ID-JAG with:

  • The JWT Grant Interaction Response ([I-D.parecki-oauth-jwt-grant-interaction-response]) for obtaining explicit user consent when the AS requires user interaction;
  • RAR-based policy authorization via the rego_policy authorization data type in authorization_details;
  • Evidence recording of user consent decisions.

Implementations of this framework MUST implement ID-JAG as the base grant type.

11.2. Relationship to JWT Grant Interaction Response

The JWT Grant Interaction Response ([I-D.parecki-oauth-jwt-grant-interaction-response]) defines an extension to the JWT Authorization Grant that enables an authorization server to indicate that user interaction is required. Instead of immediately returning an access token or error, the AS returns an interaction_uri where the user can provide consent, along with a polling interval.

This framework uses JWT Grant Interaction Response for:

  • Obtaining explicit user consent for AI agent operations without requiring a traditional OAuth redirect flow;
  • Enabling the agent to launch a browser for user interaction and then poll for completion;
  • Supporting both polling-based and redirect-based notification of interaction completion.

Implementations MUST support JWT Grant Interaction Response for user consent in AI agent authorization scenarios.

11.3. Relationship to Token Exchange (RFC 8693)

This framework uses Token Exchange ([RFC8693]) as the base delegation mechanism and extends it with the delegation_chain claim for complete auditability. While RFC 8693 provides point-to-point token exchange, this framework enables end-to-end delegation chain tracking.

Key extensions:

  • delegation_chain claim records all delegation hops with cryptographic signatures;
  • Policy subset validation ensures privilege escalation prevention across delegation hops;
  • Evidence records provide cryptographic proof of the original user consent, propagated across delegation hops via root_evidence_ref;

Implementations SHOULD support RFC 8693 for token exchange operations and MAY implement the delegation chain extension for multi-hop scenarios.

11.4. Relationship to Transaction Tokens

Transaction Tokens ([I-D.ietf-oauth-transaction-tokens]) focus on short-lived service-to-service authorization in microservices architectures. This framework focuses on longer-lived user-to-agent delegation with explicit human consent.

Comparison:

Table 4: Transaction Tokens vs This Framework
Aspect Transaction Tokens This Framework
Primary use case Service-to-service User-to-agent
Human consent Not required Required
Token lifetime Minutes Minutes to hours
Authorization model Capability-based Policy-based

The two specifications can be combined: this framework for initial user authorization, Transaction Tokens for subsequent service-to-service calls within the authorized scope.

11.5. Relationship to CIBA

This framework profiles the OpenID Connect Client-Initiated Backchannel Authentication (CIBA) [CIBA] specification for out-of-band user consent. While CIBA focuses on user authentication, this framework uses it for authorization and consent collection.

CIBA is used in this framework for:

  • Scenarios where the agent cannot redirect the user to a browser (e.g., voice assistants, IoT devices);
  • High-security scenarios requiring out-of-band consent verification;
  • Mobile scenarios where the user completes consent on a separate device.

The framework extends CIBA by adding policy presentation to the consent interface and evidence recording of the consent decision.

11.6. Relationship to Rich Authorization Requests (RAR)

This framework uses Rich Authorization Requests ([RFC9396]) as the mechanism for carrying Rego policy in authorization requests via the authorization_details parameter. The rego_policy authorization data type defined in [I-D.liu-oauth-rego-policy] enables fine-grained, policy-based authorization within the RAR framework.

RAR integration provides:

  • A standardized container (authorization_details) for carrying Rego policy and evaluation context;
  • Enriched token responses (RFC 9396 Section 7.1) that include the evaluated policy in the access token;
  • Compatibility with other RAR types, enabling combined authorization scenarios.

Implementations MUST support RAR (RFC 9396) with the rego_policy authorization data type.

11.7. Relationship to SPIFFE Client Authentication

This framework uses OAuth SPIFFE Client Authentication ([I-D.ietf-oauth-spiffe-client-auth]) for agent authentication. SPIFFE provides workload identity through WIT-SVID (Workload Identity Token with SPIFFE Verifiable Identity Document).

The relationship is:

  • SPIFFE Client Auth proves "who the agent is" through cryptographic workload identity;
  • This framework proves "what the agent is allowed to do" through user consent and policy authorization;
  • Together, they provide complete agent identity and authorization.

Implementations using Identity Level 1 or Level 2 (Section 7.1) MUST support SPIFFE Client Authentication for agent identification. Deployments using Identity Level 0 (self-issued identity) MAY use alternative client authentication mechanisms.

11.8. Implementation Requirements

The following table summarizes the implementation requirements for different components of this framework:

Table 5: Implementation Requirements
Specification Requirement Level Component
OAuth 2.0 (RFC 6749) MUST All
PAR ([RFC9126]) MAY Agent, AS
RAR (RFC 9396) MUST Agent, AS, RS
ID-JAG MUST Agent, AS
JWT Grant Interaction Response MUST Agent, AS
SPIFFE Client Auth SHOULD (see note) Agent, AS
Rego Policy MUST Agent, AS, RS
Authorization Evidence SHOULD AS, RS
Chain Delegation MAY AS (if supporting delegation)
Token Exchange (RFC 8693) SHOULD AS
CIBA MAY AS (if supporting out-of-band consent)

Note: SPIFFE Client Authentication is required for Identity Levels 1 and 2 (Section 7.1). Identity Level 0 deployments (self-issued identity) MAY use alternative client authentication mechanisms such as client_secret_post or private_key_jwt.

12. IANA Considerations

This document has no IANA actions. All claims and parameters are defined in the referenced component specifications.

13. References

13.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC6749]
Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, , <https://www.rfc-editor.org/info/rfc6749>.
[RFC8693]
Jones, M., Nadalin, A., Campbell, B., Ed., Bradley, J., and C. Mortimore, "OAuth 2.0 Token Exchange", RFC 8693, DOI 10.17487/RFC8693, , <https://www.rfc-editor.org/info/rfc8693>.
[RFC9396]
Lodderstedt, T., Richer, J., and B. Campbell, "OAuth 2.0 Rich Authorization Requests", RFC 9396, DOI 10.17487/RFC9396, , <https://www.rfc-editor.org/info/rfc9396>.
[RFC7515]
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, , <https://www.rfc-editor.org/info/rfc7515>.
[RFC7519]
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, , <https://www.rfc-editor.org/info/rfc7519>.
[RFC9068]
Bertocci, V., "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens", RFC 9068, DOI 10.17487/RFC9068, , <https://www.rfc-editor.org/info/rfc9068>.
[RFC6973]
Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, DOI 10.17487/RFC6973, , <https://www.rfc-editor.org/info/rfc6973>.
[RFC7662]
Richer, J., Ed., "OAuth 2.0 Token Introspection", RFC 7662, DOI 10.17487/RFC7662, , <https://www.rfc-editor.org/info/rfc7662>.
[I-D.ietf-oauth-identity-assertion-authz-grant]
Ying, K. and B. Campbell, "OAuth 2.0 Identity Assertion Authorization Grant", Work in Progress, Internet-Draft, draft-ietf-oauth-identity-assertion-authz-grant, , <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-identity-assertion-authz-grant>.
[I-D.parecki-oauth-jwt-grant-interaction-response]
Parecki, A., Campbell, B., and D. Liu, "JWT Authorization Grant with Interaction Response", Work in Progress, Internet-Draft, draft-parecki-oauth-jwt-grant-interaction-response-00, , <https://datatracker.ietf.org/doc/html/draft-parecki-oauth-jwt-grant-interaction-response-00>.
[I-D.ietf-oauth-spiffe-client-auth]
Schwenkschuster, A., "OAuth SPIFFE Client Authentication", Work in Progress, Internet-Draft, draft-ietf-oauth-spiffe-client-auth, , <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-spiffe-client-auth>.
[I-D.liu-oauth-rego-policy]
Liu, D., Zhu, H., Krishnan, S., Parecki, A., and H. Xue, "Rego Policy Language for OAuth 2.0 Authorization", Work in Progress, Internet-Draft, draft-liu-oauth-rego-policy-00, , <https://datatracker.ietf.org/doc/html/draft-liu-oauth-rego-policy-00>.
[I-D.liu-oauth-authorization-evidence]
Liu, D., Zhu, H., Krishnan, S., and A. Parecki, "Authorization Evidence and Audit Trail for OAuth 2.0 Access Tokens", Work in Progress, Internet-Draft, draft-liu-oauth-authorization-evidence-01, , <https://datatracker.ietf.org/doc/html/draft-liu-oauth-authorization-evidence-01>.
[I-D.liu-oauth-chain-delegation]
Liu, D., Zhu, H., Krishnan, S., and A. Parecki, "Delegation Chain for OAuth 2.0", Work in Progress, Internet-Draft, draft-liu-oauth-chain-delegation-00, , <https://datatracker.ietf.org/doc/html/draft-liu-oauth-chain-delegation-00>.

13.2. Informative References

[RFC9126]
Lodderstedt, T., Campbell, B., Sakimura, N., Tonge, D., and F. Skokan, "OAuth 2.0 Pushed Authorization Requests", RFC 9126, DOI 10.17487/RFC9126, , <https://www.rfc-editor.org/info/rfc9126>.
[I-D.ietf-oauth-transaction-tokens]
Tulshibagwale, A., Fletcher, G., and P. Kasselman, "Transaction Tokens", Work in Progress, Internet-Draft, draft-ietf-oauth-transaction-tokens, , <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-transaction-tokens>.
[CIBA]
OpenID Foundation, "OpenID Connect CIBA Core", , <https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html>.
[OPA]
CNCF, "Open Policy Agent", , <https://www.openpolicyagent.org/>.
[I-D.ietf-wimse-arch]
Salowey, J., "Workload Identity in Multi System Environments (WIMSE) Architecture", Work in Progress, Internet-Draft, draft-ietf-wimse-arch, , <https://datatracker.ietf.org/doc/html/draft-ietf-wimse-arch>.
[I-D.ietf-wimse-workload-creds]
Salowey, J., "WIMSE Workload Identity Token", Work in Progress, Internet-Draft, draft-ietf-wimse-workload-creds, , <https://datatracker.ietf.org/doc/html/draft-ietf-wimse-workload-creds>.

Appendix A. Complete Example

A.1. Token Request

POST /token HTTP/1.1
Host: as.shop.example
Content-Type: application/x-www-form-urlencoded
OAuth-Client-Attestation: eyJ0eXAiOiJ3aXQrand0IiwiYWxnIjoiRVMyNTYifQ...
OAuth-Client-Attestation-PoP: eyJ0eXAiOiJvYXV0aC1jbGllbnQtYXR0ZXN0...

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&assertion=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2lkc...
&authorization_details=%5B%7B%22type%22%3A%22rego_policy%22%2C%22policy%22%3A%7B%22type%22%3A%22rego%22%2C
  %22content%22%3A%22package+agent...%22%2C%22entry_point%22%3A%22allow%22%7D%2C
  %22context%22%3A%7B%22user%22%3A%7B%22id%22%3A%22user_12345%22%7D%2C%22action%22%3A%22add_to_cart%22%7D%7D%5D
Figure 7

A.2. Interaction Required Response

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error": "interaction_required",
  "interaction_uri": "https://as.shop.example/interact/abc123",
  "interval": 5,
  "expires_in": 600
}
Figure 8

A.3. Access Token

{
  "iss": "https://as.shop.example",
  "sub": "user_12345",
  "aud": "https://api.shop.example",
  "exp": 1731369540,
  "iat": 1731320700,
  "jti": "urn:uuid:token-shop-123",

  "act": {
    "sub": "wit://myassistant.example/sha256.xyz789...",
    "agent_user_id": "agent_user_001"
  },

  "authorization_details": [
    {
      "type": "rego_policy",
      "policy": {
        "type": "rego",
        "uri": "https://as.shop.example/policies/policy-cart-50",
        "entry_point": "allow"
      },
      "context": {
        "user": { "id": "user_12345" },
        "action": "add_to_cart"
      }
    },
    {
      "type": "authorization_evidence",
      "evidence": {
        "id": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
        "user_confirmation": {
          "displayed_content": "Add items under $50 to cart",
          "user_action": "confirmed_via_button_click",
          "timestamp": 1731320595
        },
        "as_signature": "eyJhbGciOiJFUzI1NiJ9..MEUCIQDx...",
        "audit_trail": {
          "evidence_ref": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
          "semantic_expansion_level": "medium",
          "proposal_ref": "urn:uuid:proposal-xyz"
        }
      }
    }
  ]
}
Figure 9
POST /token HTTP/1.1
Host: as.shop.example
Content-Type: application/x-www-form-urlencoded
OAuth-Client-Attestation: eyJ0eXAiOiJ3aXQrand0IiwiYWxnIjoiRVMyNTYifQ...
OAuth-Client-Attestation-PoP: eyJ0eXAiOiJvYXV0aC1jbGllbnQtYXR0ZXN0...

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&assertion=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2lkc...
&authorization_details=%5B%7B%22type%22%3A%22rego_policy%22%2C%22policy%22%3A%7B%22type%22%3A%22rego%22%2C
  %22content%22%3A%22package+agent...%22%2C%22entry_point%22%3A%22allow%22%7D%2C
  %22context%22%3A%7B%22user%22%3A%7B%22id%22%3A%22user_12345%22%7D%2C%22action%22%3A%22add_to_cart%22%7D%7D%5D
Figure 10

The agent re-sends the original request with a fresh SPIFFE client attestation at the interval specified in the interaction response. Upon successful user consent, the AS returns the access token shown above.

A.5. API Request to Resource Server

POST /cart/add HTTP/1.1
Host: api.shop.example
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL...
Content-Type: application/json

{
  "item_id": "SKU-789",
  "quantity": 1,
  "price": 42.99
}
Figure 11

The Resource Server validates the access token, extracts the rego_policy from authorization_details, and evaluates it against the request context (action, item price, user identity) using a Rego-compatible policy engine.

Acknowledgments

The authors would like to thank Brian Campbell for his valuable feedback and insightful discussions on OAuth extension design. His contributions helped shape key aspects of this framework.

Authors' Addresses

Dapeng Liu
Alibaba Group
Hongru Zhu
Alibaba Group
Suresh Krishnan
Cisco
Aaron Parecki
Okta
Hui Xue
Alibaba Group