OAuth Working Group                                                H. HM
Internet-Draft                                          24 December 2024
Intended status: Standards Track
Expires: 27 June 2025


                OAuth 2.0 Extension for AI Model Access
                    draft-hemanth-oauth-ai-scopes-00

Abstract

   This document defines an extension to OAuth 2.0 for delegating scoped
   access to AI model APIs.  It introduces a standardized scope syntax,
   resource indicators for AI providers, and token constraints suitable
   for AI workloads including spend limits and model restrictions.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 27 June 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

HM                        Expires 27 June 2025                  [Page 1]

Internet-Draft              OAuth AI Scopes                December 2024

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Notational Conventions
   2.  Scope Syntax
     2.1.  AI Scope Format
     2.2.  Provider Identifiers
     2.3.  Capability Identifiers
   3.  Token Metadata
     3.1.  Token Introspection Response Extensions
     3.2.  Limit Fields
   4.  Authorization Request
     4.1.  Additional Parameters
   5.  Resource Server Requirements
     5.1.  Proxy Architecture
     5.2.  Error Responses
   6.  Security Considerations
     6.1.  Token Binding
     6.2.  Prompt and Response Handling
     6.3.  Master Key Protection
   7.  IANA Considerations
     7.1.  OAuth Scope Registration
     7.2.  AI Provider Registry
   8.  References
     8.1.  Normative References
   Appendix A.  Example Flow
   Acknowledgements
   Author's Address

1.  Introduction

   The proliferation of AI model APIs (OpenAI, Anthropic, Google,
   Mistral, etc.) has created a need for secure delegation of API
   access.  Current approaches involve sharing API keys directly with
   applications, which:

   *  Exposes master credentials to third parties

   *  Provides no usage limits or audit trail

   *  Cannot be scoped to specific models or capabilities

   *  Cannot be revoked without rotating the master key

   This specification extends OAuth 2.0 to address these concerns by
   defining:

   1.  A standard scope syntax for AI model access

   2.  Resource indicators for AI providers

   3.  Token metadata for usage limits and spending caps

   4.  Security considerations specific to AI workloads

1.1.  Terminology

   AI Provider
      A service offering AI model APIs (e.g., OpenAI, Anthropic)

   Model
      A specific AI model (e.g., gpt-4, claude-3, gemini-pro)

   Capability
      A function offered by a model (chat, embeddings, images, audio)

   Master Key
      The user's API key for a provider

   Delegated Token
      An OAuth access token with AI-specific scopes

1.2.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Scope Syntax

2.1.  AI Scope Format

   AI-specific scopes follow this syntax:

   ai:::

   Examples:

   *  ai:openai:gpt-4:chat - Chat completions with GPT-4

   *  ai:anthropic:claude-3-opus:* - All capabilities for Claude 3 Opus

   *  ai:openai:*:embeddings - Embeddings with any OpenAI model

   *  ai:*:*:chat - Chat with any provider/model

2.2.  Provider Identifiers

   +=============+============+
   | Provider    | Identifier |
   +=============+============+
   | OpenAI      | openai     |
   +-------------+------------+
   | Anthropic   | anthropic  |
   +-------------+------------+
   | Google AI   | google     |
   +-------------+------------+
   | Mistral     | mistral    |
   +-------------+------------+
   | Groq        | groq       |
   +-------------+------------+
   | Together AI | together   |
   +-------------+------------+
   | Cohere      | cohere     |
   +-------------+------------+

                Table 1

2.3.  Capability Identifiers

   +============+===============================+
   | Capability | Description                   |
   +============+===============================+
   | chat       | Chat/text completions         |
   +------------+-------------------------------+
   | embeddings | Vector embeddings             |
   +------------+-------------------------------+
   | images     | Image generation              |
   +------------+-------------------------------+
   | audio      | Audio transcription/synthesis |
   +------------+-------------------------------+
   | vision     | Multimodal/vision             |
   +------------+-------------------------------+
   | code       | Code generation               |
   +------------+-------------------------------+

                        Table 2

3.  Token Metadata

3.1.  Token Introspection Response Extensions

   The token introspection response ([RFC7662]) is extended with:

   {
     "active": true,
     "scope": "ai:openai:gpt-4:chat",
     "ai_limits": {
       "monthly_spend_usd": 100.00,
       "daily_spend_usd": 10.00,
       "requests_per_minute": 60,
       "requests_per_day": 1000,
       "max_tokens_per_request": 4096
     },
     "ai_usage": {
       "spend_this_month_usd": 23.45,
       "spend_today_usd": 2.10,
       "requests_this_minute": 3,
       "requests_today": 156
     }
   }

3.2.  Limit Fields

   +========================+=========+===================+
   | Field                  | Type    | Description       |
   +========================+=========+===================+
   | monthly_spend_usd      | number  | Maximum spend per |
   |                        |         | calendar month    |
   +------------------------+---------+-------------------+
   | daily_spend_usd        | number  | Maximum spend per |
   |                        |         | day               |
   +------------------------+---------+-------------------+
   | requests_per_minute    | integer | Rate limit (RPM)  |
   +------------------------+---------+-------------------+
   | requests_per_day       | integer | Daily request     |
   |                        |         | limit             |
   +------------------------+---------+-------------------+
   | max_tokens_per_request | integer | Per-request token |
   |                        |         | limit             |
   +------------------------+---------+-------------------+

                             Table 3

4.  Authorization Request

4.1.  Additional Parameters

   +===========+========+==============================================+
   | Parameter | Type   | Description                                  |
   +===========+========+==============================================+
   | ai_limits | JSON   | Requested limits (as defined in Section 3.2) |
   +-----------+--------+----------------------------------------------+
   | ai_reason | string | Human-readable reason for access             |
   +-----------+--------+----------------------------------------------+

                                 Table 4

   Example authorization request:

   GET /authorize?
     response_type=code&
     client_id=app123&
     scope=ai:openai:gpt-4:chat&
     ai_limits={"monthly_spend_usd":50}&
     ai_reason=Code+assistant+for+IDE

5.  Resource Server Requirements

5.1.  Proxy Architecture

   The resource server (authorization server or dedicated proxy) MUST:

   1.  Validate the OAuth access token

   2.  Verify the requested operation matches token scopes

   3.  Check usage against token limits

   4.  Substitute the master API key

   5.  Proxy the request to the AI provider

   6.  Log usage for auditing

   7.  Update usage counters

5.2.  Error Responses

   When limits are exceeded:

   {
     "error": "ai_limit_exceeded",
     "error_description": "Daily spend limit of $10.00 exceeded",
     "ai_usage": {
       "spend_today_usd": 10.23,
       "daily_spend_usd": 10.00
     }
   }

6.  Security Considerations

6.1.  Token Binding

   For high-security deployments, tokens SHOULD be sender-constrained
   using:

   *  DPoP ([RFC9449])

   *  mTLS ([RFC8705])

6.2.  Prompt and Response Handling

   Resource servers:

   *  MUST NOT log prompt or response content by default

   *  MUST encrypt any logged content at rest

   *  SHOULD provide configurable retention policies

   *  SHOULD support zero-logging mode

6.3.  Master Key Protection

   *  Master keys MUST be encrypted at rest

   *  Master keys MUST NOT be exposed in logs or error messages

   *  Key rotation SHOULD be supported without token invalidation

7.  IANA Considerations

7.1.  OAuth Scope Registration

   This specification registers the "ai" scope prefix in the OAuth
   Parameters registry.

7.2.  AI Provider Registry

   This specification requests the establishment of a registry for AI
   provider identifiers.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6749]  Hardt, D., "The OAuth 2.0 Authorization Framework",
              RFC 6749, October 2012.

   [RFC7662]  Richer, J., "OAuth 2.0 Token Introspection", RFC 7662,
              October 2015.

   [RFC8705]  Campbell, B., Bradley, J., Sakimura, N., and T.
              Lodderstedt, "OAuth 2.0 Mutual-TLS Client Authentication
              and Certificate-Bound Access Tokens", RFC 8705,
              February 2020.

   [RFC9449]  Fett, D., Campbell, B., Bradley, J., Lodderstedt, T.,
              Jones, M., and D. Waite, "OAuth 2.0 Demonstrating Proof
              of Possession (DPoP)", RFC 9449, September 2023.

Appendix A.  Example Flow

   +--------+                               +---------------+
   |        |--(1) Authorization Request--->|               |
   |        |     scope=ai:openai:gpt-4:chat|               |
   |        |     ai_limits={...}           | Authorization |
   |        |                               |    Server     |
   |        |<-(2) Authorization Code-------|               |
   |        |                               +---------------+
   |        |
   | Client |                               +---------------+
   |        |--(3) Token Request----------->|               |
   |        |                               |     Token     |
   |        |<-(4) Access Token-------------|   Endpoint    |
   |        |     + ai_limits metadata      |               |
   |        |                               +---------------+
   |        |
   |        |                               +---------------+
   |        |--(5) API Request------------->|               |
   |        |     Authorization: Bearer ... |   Resource    |
   |        |     POST /v1/chat/completions |    Server     |
   |        |                               |    (Proxy)    |
   |        |<-(6) API Response-------------|               |
   |        |                               +---------------+
   +--------+

Acknowledgements

   The author would like to thank the OAuth Working Group for their
   foundational work on authorization frameworks.

Author's Address

   Hemanth HM
   Email: hemanth.hm@gmail.com
   URI:   https://h3manth.com
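
The scope check and limit check that Section 5.1 requires of the resource server (steps 2 and 3), returning an error body shaped like the one in Section 5.2, as an added example that is not part of the draft. The four-field reading of a scope (ai, provider, model, capability), whole-field "*" matching, the pairing of limit fields with usage counters, and the at-or-above comparison are assumptions; the draft does not specify them.

```python
# Added example (not from the draft). Assumptions: a scope has exactly
# four colon-separated fields, "*" matches only as a whole field, and a
# usage counter at or above its limit blocks the next request.

# Limit field -> usage counter, paired by name from the Section 3.1 JSON.
COUNTERS = {
    "monthly_spend_usd": "spend_this_month_usd",
    "daily_spend_usd": "spend_today_usd",
    "requests_per_minute": "requests_this_minute",
    "requests_per_day": "requests_today",
}

SAMPLE = {  # the introspection response shown in Section 3.1
    "active": True, "scope": "ai:openai:gpt-4:chat",
    "ai_limits": {"monthly_spend_usd": 100.00, "daily_spend_usd": 10.00,
                  "requests_per_minute": 60, "requests_per_day": 1000,
                  "max_tokens_per_request": 4096},
    "ai_usage": {"spend_this_month_usd": 23.45, "spend_today_usd": 2.10,
                 "requests_this_minute": 3, "requests_today": 156},
}

def scope_allows(granted, provider, model, capability):
    """True if a space-separated scope in `granted` covers the operation."""
    wanted = (provider, model, capability)
    if any(not w or w == "*" or ":" in w for w in wanted):
        return False  # the operation itself must be concrete
    for scope in granted.split():
        parts = scope.split(":")
        if len(parts) != 4 or parts[0] != "ai" or "" in parts:
            continue  # malformed or non-AI scopes grant nothing
        if all(p in ("*", w) for p, w in zip(parts[1:], wanted)):
            return True
    return False

def check_limits(token, requested_tokens):
    """Return None if within limits, else a Section 5.2 style error body."""
    limits, usage = token.get("ai_limits", {}), token.get("ai_usage", {})
    cap = limits.get("max_tokens_per_request")
    if cap is not None and requested_tokens > cap:
        return {"error": "ai_limit_exceeded",
                "error_description": f"max_tokens_per_request {cap} exceeded"}
    for name, counter in COUNTERS.items():
        used = usage.get(counter)
        # Fail closed: a limit without a usage counter cannot be verified.
        if name in limits and (used is None or used >= limits[name]):
            return {"error": "ai_limit_exceeded",
                    "error_description": f"{name} limit reached",
                    "ai_usage": {counter: used, name: limits[name]}}
    return None
```

A partial wildcard such as gpt-* grants nothing here, and a limit whose usage counter is missing from the introspection response is treated as reached.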