| Internet-Draft | AI Agent Authorization | July 2026 |
| Liu, et al. | Expires 7 January 2027 | [Page] |
This document describes how to integrate multiple OAuth 2.0 extensions to enable secure authorization for AI agents acting on behalf of users. It combines cross-domain identity, policy-based authorization, user consent evidence, and multi-hop delegation into a cohesive framework for autonomous agent authorization.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
AI agents increasingly need to access protected resources on behalf of users across different trust domains. Traditional OAuth 2.0 [RFC6749] provides basic delegation mechanisms, but AI agent scenarios require additional capabilities:¶
This document describes how to combine several OAuth 2.0 extensions into an integrated framework for AI agent authorization. It does not define new protocol mechanisms, but rather profiles existing specifications for this use case.¶
Two key design principles guide this framework:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals.¶
This framework integrates the following specifications. The first two (Agent Authentication and Identity Assertion Grant) are external OAuth Working Group specifications that this framework profiles. The remaining four are companion specifications developed alongside this framework:¶
| Component | Specification | Purpose |
|---|---|---|
| Agent Authentication | [I-D.ietf-oauth-spiffe-client-auth] | Agent workload identity via SPIFFE/WIT-SVID |
| Identity Assertion Grant | [I-D.ietf-oauth-identity-assertion-authz-grant] | JWT-based cross-domain identity assertion |
| User Interaction & Consent | [I-D.parecki-oauth-jwt-grant-interaction-response] | User consent via JWT grant interaction flow |
| Policy Authorization | [I-D.liu-oauth-rego-policy] | Fine-grained Rego policy support |
| Consent Evidence | [I-D.liu-oauth-authorization-evidence] | User confirmation records, audit trail, and consent-to-evidence pipeline |
| Multi-hop Delegation | [I-D.liu-oauth-chain-delegation] | Agent-to-agent delegation chains |
+------------------+ +------------------+ +------------------+
| Home IdP | | AI Agent | | External AS |
| | | | | |
| - User authn | | - SPIFFE identity| | - Policy engine |
| - ID Token issue | | - JWT Grant clnt | | - Token issuance |
+------------------+ +------------------+ +------------------+
| | |
| ID Token | |
|----------------------->| |
| | |
| | JWT Grant + authz_det |
| |----------------------->|
| | |
| | interaction_required |
| |<-----------------------|
| | |
| interaction_uri | |
|<-----------------------| |
| (user consent) | |
|----------------------->| |
| | Poll token endpoint |
| |----------------------->|
| | |
| | Access Token |
| |<-----------------------|
| | |
| | +-------------------+
| | | Resource Server |
| | | |
| | API Request | - Token validation|
| |----------------->| - Policy engine |
| | +-------------------+
The framework uses JWT access tokens ([RFC7519], [RFC9068]) following OAuth 2.0 standards. Key claim semantics:¶
sub (Subject): MUST contain the user's
identifier at the Resource Application (third-party app), NOT the
Agent's internal user identifier. This enables the Resource Server
to immediately identify the resource owner without additional
identity mapping lookups. The AS maps the Home IdP subject to
the resource-domain identifier through account linking,
federation metadata, or additional identity claims (e.g.,
email) present in the JWT assertion.¶
act (Actor): Identifies the entity
exercising delegated authority. Contains:¶
authorization_details: Carries
multiple authorization data types via Rich Authorization Requests
([RFC9396]):¶
rego_policy type: The Rego policy defining what
operations the agent is permitted to perform. Defined in
[I-D.liu-oauth-rego-policy].¶
authorization_evidence type: The signed record of
the user's confirmation action during authorization, including
what was displayed to the user, how the user confirmed, a
cryptographic signature from the AS, and the
audit_trail sub-object for semantic traceability.
Defined in
[I-D.liu-oauth-authorization-evidence].¶
delegation_chain: Records the
chain of delegation hops when authorization is transferred
between agents, with cryptographic signatures for each hop.
Only present in delegated scenarios. Defined in
[I-D.liu-oauth-chain-delegation].¶
{
"iss": "https://as.external.example",
"sub": "user_12345",
"aud": "https://api.external.example",
"exp": 1731369540,
"iat": 1731320700,
"jti": "urn:uuid:token-abc-123",
"act": {
"sub": "wit://agent.example/sha256.abc123...",
"agent_user_id": "agent_user_001"
},
"authorization_details": [
{
"type": "rego_policy",
"policy": {
"type": "rego",
"uri": "https://as.external.example/policies/policy-abc123",
"entry_point": "allow"
},
"context": {
"user": { "id": "user_12345" },
"action": "add_to_cart"
}
},
{
"type": "authorization_evidence",
"evidence": {
"id": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
"user_confirmation": {
"displayed_content": "Add items under $50 to cart",
"user_action": "confirmed_via_button_click",
"timestamp": 1731320595
},
"as_signature": "eyJhbGciOiJFUzI1NiJ9..MEUCIQDx...",
"audit_trail": {
"evidence_ref": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
"semantic_expansion_level": "medium",
"proposal_ref": "urn:uuid:proposal-xyz"
}
}
}
],
"delegation_chain": [
{
"delegator_id": "wit://agent-a.example/sha256.aaa111...",
"delegatee_id": "wit://agent-b.example/sha256.bbb222...",
"as_id": "https://as.external.example",
"delegation_timestamp": 1731320800,
"root_evidence_ref": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
"delegated_policy": {
"type": "rego",
"uri": "https://as.external.example/policies/policy-delegated-456",
"entry_point": "allow"
},
"operation_summary": "Delegate cart operations",
"delegator_signature": "eyJhbGciOiJFUzI1NiJ9..MEYCIQD...",
"as_signature": "eyJhbGciOiJSUzI1NiJ9..MEUCIQDx..."
}
]
}
+-------+ +-------+ +--------+ +---------+ +-------+ +------+
| User | | Home | | AI | |External | | RS | |Policy|
| | | IdP | | Agent | | AS | | | | |
+-------+ +-------+ +--------+ +---------+ +-------+ +------+
| | | | | |
(1) | Authn | | | | |
|----------->| | | | |
| | | | | |
(2) | ID Token (aud=External AS) | | |
|<------------------------>| | | |
| | | | | |
(3) | | Agent builds token req:| | |
| | - JWT assertion | | |
| | - authorization_details| | |
| | (rego_policy type) | | |
| | | | | |
(4) | | Token Request | | |
| | + SPIFFE client auth | | |
| | |----------->| | |
| | | | | |
(5) | | | Validate: | | |
| | | - SPIFFE | | |
| | | - JWT | | |
| | | - policy | | |
| | | | | |
(6) | | | interaction_required | |
| | | + interaction_uri | |
| | |<-----------| | |
| | | | | |
(7) | User interaction via browser | | |
|<--------------------------------------| | |
| | | | | |
(8) | User confirms | | | |
|-------------------------------------->| | |
| | | | | |
(9) | | | Poll token endpoint | |
| | |----------->| | |
| | | | | |
(10)| | | Issue token with: | |
| | | - act | |
| | | - authorization_details| |
| | | - evidence | |
| | | - audit_trail | |
| | |<-----------| | |
| | | | | |
(11)| | | API Request| | |
| | |------------------------>| |
| | | | | |
(12)| | | | Validate | |
| | | | token | |
| | | | | |
(13)| | | | Policy | |
| | | | eval |---------->|
| | | | | |
(14)| | | | Decision | |
| | | | |<----------|
| | | | | |
(15)| | | Response | | |
| | |<------------------------| |
User Authentication at Agent: User authenticates with the Agent's Identity Provider (Home IdP). The Agent requests an ID Token suitable for cross-domain assertion, containing:¶
sub: The user's identifier at the Agent system
(e.g., agent_user_001);¶
aud: The External AS's identifier, binding this
assertion to the target authorization server per
[I-D.ietf-oauth-identity-assertion-authz-grant].¶
ID Token as JWT Assertion: The Agent uses the ID Token as the JWT assertion in the token request per [I-D.ietf-oauth-identity-assertion-authz-grant]. The AS validates the Home IdP's signature and extracts the user's identity claims.¶
Token Request Construction: Agent builds a token request including:¶
Token Request Submission: Agent sends the token request to External AS with SPIFFE client authentication (WIT-SVID in headers).¶
AS Validation: AS validates:¶
Interaction Required: AS determines user interaction is needed
and returns an interaction_required error response per
[I-D.parecki-oauth-jwt-grant-interaction-response]
containing an interaction_uri for user consent.¶
User Interaction: The agent launches the interaction_uri
in the user's browser. The AS presents the consent UI showing
the interpreted operation.¶
User Confirmation: User reviews and approves (or denies) the operation.¶
Polling: Agent polls the token endpoint (re-sending its
original request with a fresh SPIFFE client attestation)
until the AS completes user interaction. If the user
denies consent, the AS returns an access_denied
error to subsequent polling requests.¶
Token Issuance: AS issues access token containing:¶
API Request: Agent presents token to Resource Server.¶
Token Validation: RS validates token signature and claims.¶
Policy Evaluation: RS sends policy and request context to the policy engine.¶
Authorization Decision: Policy engine returns allow/deny decision.¶
Response: RS executes (or denies) the operation and returns response.¶
When Agent A needs to delegate operations to Agent B, the framework extends the basic workflow:¶
+---------+ +---------+ +--------+ +---------+
| Agent A | | AS | | Agent B| | RS |
+---------+ +---------+ +--------+ +---------+
| | | |
| (has token) | | |
| | | |
| Token Exchange | | |
| - subject_token | | |
| - delegatee_id | | |
| - authorization | | |
| _details | | |
| - delegator_sig | | |
| (over deleg. | | |
| record) | | |
|---------------->| | |
| | | |
| | Validate: | |
| | - Token A valid | |
| | - Policy subset | |
| | - Agent B auth | |
| | - delegator_sig | |
| | | |
| | AS countersigns | |
| | (as_signature) | |
| | | |
| | Issue Token B | |
| | with delegation_chain |
| | (del_sig+as_sig)| |
| |---------------->| |
| | | |
| | | API Request |
| | |--------------->|
| | | |
| | | Validate |
| | | chain |
| | | (dual sig) |
| | | |
| | | Response |
| | |<---------------|
The resulting token for Agent B includes a delegation_chain
recording the delegation hop, as defined in
[I-D.liu-oauth-chain-delegation]. Each delegation
chain entry carries a dual signature: the delegator's signature
(delegator_signature) over the delegation record and
the AS's countersignature (as_signature), ensuring
non-repudiation and preventing unilateral scope escalation.¶
The AS MUST also decide how to handle the original
authorization_evidence entry from Agent A's token.
Three strategies are defined in
[I-D.liu-oauth-authorization-evidence]:
Propagate (copy the original
authorization_evidence entry into Agent B's token),
Reference (replace the embedded evidence with
an audit_trail sub-object containing only the
evidence_ref), or Omit (do
not include evidence). The Propagate strategy is RECOMMENDED
when the delegated policy is a subset of the original
token's policy. When using delegation chains, the
root_evidence_ref in the delegation chain entry SHOULD
reference the same evidence record, creating an unbroken audit
trail from the original user consent through all delegation hops.¶
The framework supports multiple consent mechanisms:¶
Traditional OAuth redirect flow where the agent redirects the user to the AS's consent page. This is the most common consent mechanism and is suitable for web-based agents that can launch a browser for user interaction.¶
Client-Initiated Backchannel Authentication (CIBA) [CIBA] for out-of-band consent, useful when the agent cannot redirect the user. Typical scenarios include voice assistants, IoT devices, and mobile applications where the user completes consent on a separate device.¶
When the user has a valid, non-expired session at the AS and the
agent's identity is already trusted, the AS MAY skip
re-authentication and only prompt for consent to the specific
operation. This is a deployment-level optimization that does
not change the protocol flow; the AS still returns an
interaction_required response, but the consent
interface presented to the user omits the authentication step.
This mode reduces user friction for repeat operations while
maintaining explicit consent for each authorized action.¶
This framework supports progressive deployment through a two-dimensional matrix, allowing organizations to adopt capabilities gradually based on their security requirements and operational maturity.¶
Implementations MAY deploy agent identity at three progressive levels:¶
The agent generates its own key pair and self-issues identity assertions. Suitable for development, testing, and low-trust scenarios such as personal or small-team agents.¶
The agent obtains workload identity tokens through WIMSE infrastructure [I-D.ietf-wimse-workload-creds]. Provides cross-domain verifiability without requiring full enterprise IdP deployment. This level can be enhanced with optional trusted execution environment verification using WIT attestation [I-D.ietf-wimse-arch].¶
The agent's identity is managed by an enterprise IdP with full X.509 or SAML/OIDC trust chains. Required for high-assurance enterprise deployments.¶
Authorization tokens can be deployed at three levels:¶
Static tokens configured at deployment time. No runtime AS interaction required. Suitable for internal services and well-known agents.¶
Tokens assigned by administrators through a management interface. Policy binding without end-user consent. Suitable for enterprise automation scenarios.¶
The full framework flow with user consent, policy evaluation, and evidence recording. Required for high-sensitivity operations and cross-domain access. This level utilizes the JWT Grant Interaction Response mechanism for user consent.¶
The combination of identity and token levels creates a deployment matrix:¶
| Identity \ Token | A (Pre-configured) | B (Admin-assigned) | C (Runtime Authz) |
|---|---|---|---|
| 0 (Self-Issued) | Personal agents, IoT | Small team automation | Dynamic authorization |
| 1 (WIMSE) | Trusted lightweight agents | Enterprise operations | Cross-domain access |
| 2 (Enterprise) | High-trust static auth | Compliance scenarios | Full framework enterprise |
Organizations typically progress through the matrix as their requirements evolve, starting from lower levels (e.g., 0A) and upgrading to higher levels (e.g., 2C) based on security needs.¶
Traditional OAuth error responses indicate authorization failure without guidance on how to obtain valid authorization. In AI agent scenarios, where agents may autonomously navigate authorization requirements, resource servers can provide structured guidance through error responses.¶
When an agent's request lacks sufficient authorization, the resource
server returns a 403 Forbidden response with a rego_profile
object that specifies:¶
The AI agent parses this guidance and constructs a new authorization request that satisfies the specified requirements. This enables agents to "learn" authorization requirements dynamically rather than requiring pre-programmed knowledge of each resource server's policies.¶
Detailed specification of the Rego Profile format and agent adaptive behavior is defined in [I-D.liu-oauth-rego-policy].¶
The framework establishes clear trust boundaries:¶
| Threat | Mitigation |
|---|---|
| Token substitution | JWT assertion audience binding (assertion.aud == AS identifier) |
| Privilege escalation | Scope subset validation in delegation |
| Unauthorized actions | Rego policy enforcement at RS |
| Consent forgery | AS-signed evidence records |
| Delegation chain tampering | AS signature on each chain entry |
This framework assumes the agent implementation (including authorization logic) is trusted, while the Large Language Model (LLM) used to derive operations is NOT trusted. The policy-based authorization ensures:¶
A full access token in this framework may carry multiple claims beyond the
standard JWT fields: act, authorization_details
(with embedded Rego policy and authorization evidence), and
delegation_chain (for multi-hop scenarios). The
combined size of these claims can exceed typical HTTP header
limits when the token is passed in an Authorization header.¶
Implementations SHOULD consider:¶
authorization_details;¶
In this framework, evidence records capture user consent at a specific point in time. When tokens are exchanged or refreshed across delegation hops, the original consent timestamp may become significantly older than the current request time. Deployments SHOULD define an evidence freshness policy that specifies the maximum acceptable age of an evidence record and the actions to take when evidence is stale (e.g., reject the request, require re-consent). See [I-D.liu-oauth-authorization-evidence] for detailed guidance.¶
When agents submit Rego policy via authorization_details,
the AS must validate the policy before evaluation. Malicious
or compromised agents could attempt to inject policies that
exploit the policy engine (e.g., resource exhaustion, data
exfiltration via external calls). The AS SHOULD enforce
policy size limits, restrict available Rego built-in functions
(particularly those that perform network I/O), and validate
policy syntax before evaluation. See
[I-D.liu-oauth-rego-policy] for the complete
threat model and mitigation strategies.¶
This framework operates across multiple trust domains (Home IdP, Agent domain, External AS, Resource Server). Trust establishment between these domains relies on:¶
Deployments SHOULD establish explicit trust frameworks or federation agreements that define key distribution, revocation, and liability across participating domains.¶
Multi-hop delegation chains introduce the risk of unbounded delegation depth and privilege escalation at intermediate hops. The framework mitigates these risks through:¶
delegation_chain claim.¶
See [I-D.liu-oauth-chain-delegation] for the complete delegation security model and validation checklist.¶
The privacy considerations in this section are informed by the Internet protocol privacy analysis framework described in [RFC6973]. This section addresses privacy considerations specific to the integrated framework; implementers MUST also consult the privacy considerations in each component specification.¶
This framework inherently links user identities across
multiple trust domains: the Home IdP (where the user
authenticates), the Agent domain (where the user interacts
with the AI agent), and the External AS/RS domain (where
resources are accessed). The act.agent_user_id field
and the evidence record within the
authorization_evidence authorization details type
both carry identifiers that
could be used to correlate a user's activities across these
domains.¶
Implementations SHOULD minimize cross-domain correlation by:¶
sub claim rather than globally unique
identifiers;¶
agent_user_id as optional and including
it only when required for audit correlation;¶
displayed_content field.¶
AI agents acting on behalf of users can observe resource contents, policy evaluation outcomes, and error responses (including reverse-guided authorization hints). A compromised or malicious agent could accumulate sensitive information about the user's access patterns, resource contents, and organizational policy structure.¶
Mitigations include:¶
semantic_expansion_level in the
audit_trail sub-object to flag operations where
significant interpretation was applied, enabling
post-hoc review of agent behavior;¶
The displayed_content field in the evidence record
(within the authorization_evidence authorization
details type) records the human-readable description shown to
the user during consent. This field may contain sensitive
information about the user's intent, financial parameters,
health-related operations, or personal data. Since the
evidence record is included in the access token and may be
logged by resource servers, implementations MUST minimize
personal data in this field and SHOULD use operation
identifiers rather than natural-language descriptions that
may contain PII.¶
See [I-D.liu-oauth-authorization-evidence] for detailed guidance on displayed content minimization, evidence retention, and the tension between audit retention and the right to erasure under GDPR and CCPA.¶
Delegation chains record the identity of each intermediate
agent in the delegation_chain claim. In multi-hop
scenarios, this creates a record of all agents involved in a
transaction, which may reveal organizational structure or
agent relationships that participants consider sensitive.
Implementations SHOULD evaluate whether the full delegation
chain needs to be visible to the final resource server, or
whether a summarized view is sufficient.¶
See [I-D.liu-oauth-chain-delegation] for delegation chain privacy considerations.¶
This section clarifies the relationship between this framework and other OAuth 2.0 specifications. Understanding these relationships is essential for implementers to determine which specifications are required for their specific use cases.¶
This framework builds on the Identity Assertion Authorization Grant ([I-D.ietf-oauth-identity-assertion-authz-grant]) as the base grant type for cross-domain identity assertion. ID-JAG enables AI agents to present a JWT assertion (e.g., an ID Token from the user's Home IdP) to an external authorization server as proof of user identity.¶
This framework extends ID-JAG with:¶
rego_policy authorization
data type in authorization_details;¶
Implementations of this framework MUST implement ID-JAG as the base grant type.¶
The JWT Grant Interaction Response
([I-D.parecki-oauth-jwt-grant-interaction-response])
defines an extension to the JWT Authorization Grant that enables an
authorization server to indicate that user interaction is required.
Instead of immediately returning an access token or error, the AS
returns an interaction_uri where the user can provide consent,
along with a polling interval.¶
This framework uses JWT Grant Interaction Response for:¶
Implementations MUST support JWT Grant Interaction Response for user consent in AI agent authorization scenarios.¶
This framework uses Token Exchange ([RFC8693]) as the base
delegation mechanism and extends it with the delegation_chain claim
for complete auditability. While RFC 8693 provides point-to-point token
exchange, this framework enables end-to-end delegation chain tracking.¶
Key extensions:¶
delegation_chain claim records all delegation hops with
cryptographic signatures;¶
root_evidence_ref;¶
Implementations SHOULD support RFC 8693 for token exchange operations and MAY implement the delegation chain extension for multi-hop scenarios.¶
Transaction Tokens ([I-D.ietf-oauth-transaction-tokens]) focus on short-lived service-to-service authorization in microservices architectures. This framework focuses on longer-lived user-to-agent delegation with explicit human consent.¶
Comparison:¶
| Aspect | Transaction Tokens | This Framework |
|---|---|---|
| Primary use case | Service-to-service | User-to-agent |
| Human consent | Not required | Required |
| Token lifetime | Minutes | Minutes to hours |
| Authorization model | Capability-based | Policy-based |
The two specifications can be combined: this framework for initial user authorization, Transaction Tokens for subsequent service-to-service calls within the authorized scope.¶
This framework profiles the OpenID Connect Client-Initiated Backchannel Authentication (CIBA) [CIBA] specification for out-of-band user consent. While CIBA focuses on user authentication, this framework uses it for authorization and consent collection.¶
CIBA is used in this framework for:¶
The framework extends CIBA by adding policy presentation to the consent interface and evidence recording of the consent decision.¶
This framework uses Rich Authorization Requests
([RFC9396]) as the mechanism for carrying Rego policy
in authorization requests via the authorization_details parameter.
The rego_policy authorization data type defined in
[I-D.liu-oauth-rego-policy] enables fine-grained,
policy-based authorization within the RAR framework.¶
RAR integration provides:¶
authorization_details) for carrying
Rego policy and evaluation context;¶
Implementations MUST support RAR (RFC 9396) with the rego_policy
authorization data type.¶
This framework uses OAuth SPIFFE Client Authentication ([I-D.ietf-oauth-spiffe-client-auth]) for agent authentication. SPIFFE provides workload identity through WIT-SVID (Workload Identity Token with SPIFFE Verifiable Identity Document).¶
The relationship is:¶
Implementations using Identity Level 1 or Level 2 (Section 7.1) MUST support SPIFFE Client Authentication for agent identification. Deployments using Identity Level 0 (self-issued identity) MAY use alternative client authentication mechanisms.¶
The following table summarizes the implementation requirements for different components of this framework:¶
| Specification | Requirement Level | Component |
|---|---|---|
| OAuth 2.0 (RFC 6749) | MUST | All |
| PAR ([RFC9126]) | MAY | Agent, AS |
| RAR (RFC 9396) | MUST | Agent, AS, RS |
| ID-JAG | MUST | Agent, AS |
| JWT Grant Interaction Response | MUST | Agent, AS |
| SPIFFE Client Auth | SHOULD (see note) | Agent, AS |
| Rego Policy | MUST | Agent, AS, RS |
| Authorization Evidence | SHOULD | AS, RS |
| Chain Delegation | MAY | AS (if supporting delegation) |
| Token Exchange (RFC 8693) | SHOULD | AS |
| CIBA | MAY | AS (if supporting out-of-band consent) |
Note: SPIFFE Client Authentication is required for Identity
Levels 1 and 2 (Section 7.1). Identity
Level 0 deployments (self-issued identity) MAY use alternative
client authentication mechanisms such as client_secret_post
or private_key_jwt.¶
This document has no IANA actions. All claims and parameters are defined in the referenced component specifications.¶
POST /token HTTP/1.1 Host: as.shop.example Content-Type: application/x-www-form-urlencoded OAuth-Client-Attestation: eyJ0eXAiOiJ3aXQrand0IiwiYWxnIjoiRVMyNTYifQ... OAuth-Client-Attestation-PoP: eyJ0eXAiOiJvYXV0aC1jbGllbnQtYXR0ZXN0... grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer &assertion=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2lkc... &authorization_details=%5B%7B%22type%22%3A%22rego_policy%22%2C%22policy%22%3A%7B%22type%22%3A%22rego%22%2C %22content%22%3A%22package+agent...%22%2C%22entry_point%22%3A%22allow%22%7D%2C %22context%22%3A%7B%22user%22%3A%7B%22id%22%3A%22user_12345%22%7D%2C%22action%22%3A%22add_to_cart%22%7D%7D%5D
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"error": "interaction_required",
"interaction_uri": "https://as.shop.example/interact/abc123",
"interval": 5,
"expires_in": 600
}
{
"iss": "https://as.shop.example",
"sub": "user_12345",
"aud": "https://api.shop.example",
"exp": 1731369540,
"iat": 1731320700,
"jti": "urn:uuid:token-shop-123",
"act": {
"sub": "wit://myassistant.example/sha256.xyz789...",
"agent_user_id": "agent_user_001"
},
"authorization_details": [
{
"type": "rego_policy",
"policy": {
"type": "rego",
"uri": "https://as.shop.example/policies/policy-cart-50",
"entry_point": "allow"
},
"context": {
"user": { "id": "user_12345" },
"action": "add_to_cart"
}
},
{
"type": "authorization_evidence",
"evidence": {
"id": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
"user_confirmation": {
"displayed_content": "Add items under $50 to cart",
"user_action": "confirmed_via_button_click",
"timestamp": 1731320595
},
"as_signature": "eyJhbGciOiJFUzI1NiJ9..MEUCIQDx...",
"audit_trail": {
"evidence_ref": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
"semantic_expansion_level": "medium",
"proposal_ref": "urn:uuid:proposal-xyz"
}
}
}
]
}
POST /token HTTP/1.1 Host: as.shop.example Content-Type: application/x-www-form-urlencoded OAuth-Client-Attestation: eyJ0eXAiOiJ3aXQrand0IiwiYWxnIjoiRVMyNTYifQ... OAuth-Client-Attestation-PoP: eyJ0eXAiOiJvYXV0aC1jbGllbnQtYXR0ZXN0... grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer &assertion=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2lkc... &authorization_details=%5B%7B%22type%22%3A%22rego_policy%22%2C%22policy%22%3A%7B%22type%22%3A%22rego%22%2C %22content%22%3A%22package+agent...%22%2C%22entry_point%22%3A%22allow%22%7D%2C %22context%22%3A%7B%22user%22%3A%7B%22id%22%3A%22user_12345%22%7D%2C%22action%22%3A%22add_to_cart%22%7D%7D%5D
The agent re-sends the original request with a fresh SPIFFE
client attestation at the interval specified in the
interaction response. Upon successful user consent, the AS
returns the access token shown above.¶
POST /cart/add HTTP/1.1
Host: api.shop.example
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL...
Content-Type: application/json
{
"item_id": "SKU-789",
"quantity": 1,
"price": 42.99
}
The Resource Server validates the access token, extracts the
rego_policy from authorization_details, and
evaluates it against the request context (action, item price,
user identity) using a Rego-compatible policy engine.¶
The authors would like to thank Brian Campbell for his valuable feedback and insightful discussions on OAuth extension design. His contributions helped shape key aspects of this framework.¶