<?xml version="1.0" encoding="utf-8"?>
<?xml-model href="rfc7991bis.rnc"?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>

<rfc
  xmlns:xi="http://www.w3.org/2001/XInclude"
  category="info"
  docName="draft-liu-ai-agent-authorization-integration-00"
  ipr="trust200902"
  submissionType="IETF"
  xml:lang="en"
  version="3">

  <front>
    <title abbrev="AI Agent Authorization">AI Agent Authorization Integration Framework</title>
    <seriesInfo name="Internet-Draft" value="draft-liu-ai-agent-authorization-integration-00"/>

    <author fullname="Dapeng Liu" initials="D." surname="Liu">
      <organization>Alibaba Group</organization>
      <address>
        <email>max.ldp@alibaba-inc.com</email>
      </address>
    </author>

    <author fullname="Hongru Zhu" initials="H." surname="Zhu">
      <organization>Alibaba Group</organization>
      <address>
        <email>hongru.zhr@alibaba-inc.com</email>
      </address>
    </author>

    <author fullname="Suresh Krishnan" initials="S." surname="Krishnan">
      <organization>Cisco</organization>
      <address>
        <email>suresh.krishnan@gmail.com</email>
      </address>
    </author>

    <author fullname="Aaron Parecki" initials="A." surname="Parecki">
      <organization>Okta</organization>
      <address>
        <email>aaron@parecki.com</email>
      </address>
    </author>

    <author fullname="Hui Xue" initials="H." surname="Xue">
      <organization>Alibaba Group</organization>
      <address>
        <email>hui.xueh@alibaba-inc.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="6"/>
    <area>Security</area>
    <workgroup>Web Authorization Protocol</workgroup>

    <keyword>AI Agent</keyword>
    <keyword>Authorization</keyword>
    <keyword>OAuth</keyword>
    <keyword>Integration</keyword>

    <abstract>
      <t>
        This document describes how to integrate multiple OAuth 2.0 extensions 
        to enable secure authorization for AI agents acting on behalf of users. 
        It combines cross-domain identity, policy-based authorization, user 
        consent evidence, and multi-hop delegation into a cohesive framework 
        for autonomous agent authorization.
      </t>
    </abstract>
  </front>

  <middle>
    <section anchor="introduction" title="Introduction">
      <t>
        AI agents increasingly need to access protected resources on behalf of
        users across different trust domains. Traditional OAuth 2.0
        <xref target="RFC6749"/> provides 
        basic delegation mechanisms, but AI agent scenarios require additional 
        capabilities:
      </t>

      <ul>
        <li>Cross-domain user identity verification;</li>
        <li>Fine-grained, policy-based authorization;</li>
        <li>Verifiable user consent evidence;</li>
        <li>Secure multi-agent delegation chains.</li>
      </ul>

      <t>
        This document describes how to combine several OAuth 2.0 extensions into 
        an integrated framework for AI agent authorization. It does not define 
        new protocol mechanisms, but rather profiles existing specifications for 
        this use case.
      </t>

      <t>
        Two key design principles guide this framework:
      </t>

      <ul>
        <li>
          <strong>Progressive Deployment</strong>: Organizations can adopt the framework's
          capabilities gradually through a two-dimensional deployment matrix, 
          starting with simple configurations and upgrading to full runtime 
          authorization as requirements evolve (see <xref target="progressive-deployment"/>).
        </li>
        <li>
          <strong>Reverse-Guided Authorization</strong>: Resource servers can 
          guide agents toward appropriate authorization by returning structured 
          error responses that specify required policies and constraints, enabling 
          AI agents to adaptively construct valid authorization requests (see 
          <xref target="reverse-guided"/>).
        </li>
      </ul>

      <section title="Requirements Language">
        <t>
          The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", 
          "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this 
          document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> 
          <xref target="RFC8174"/> when, and only when, they appear in all capitals.
        </t>
      </section>

      <section title="Component Specifications">
        <t>
          This framework integrates the following specifications. The first
          two (Agent Authentication and Identity Assertion Grant) are
          external OAuth Working Group specifications that this framework
          profiles. The remaining four are companion specifications
          developed alongside this framework:
        </t>

        <table anchor="tbl-components">
          <name>Framework Components</name>
          <thead>
            <tr>
              <th>Component</th>
              <th>Specification</th>
              <th>Purpose</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>Agent Authentication</td>
              <td><xref target="I-D.ietf-oauth-spiffe-client-auth"/></td>
              <td>Agent workload identity via SPIFFE/WIT-SVID</td>
            </tr>
            <tr>
              <td>Identity Assertion Grant</td>
              <td><xref target="I-D.ietf-oauth-identity-assertion-authz-grant"/></td>
              <td>JWT-based cross-domain identity assertion</td>
            </tr>
            <tr>
              <td>User Interaction &amp; Consent</td>
              <td><xref target="I-D.parecki-oauth-jwt-grant-interaction-response"/></td>
              <td>User consent via JWT grant interaction flow</td>
            </tr>
            <tr>
              <td>Policy Authorization</td>
              <td><xref target="I-D.liu-oauth-rego-policy"/></td>
              <td>Fine-grained Rego policy support</td>
            </tr>
            <tr>
              <td>Consent Evidence</td>
              <td><xref target="I-D.liu-oauth-authorization-evidence"/></td>
              <td>User confirmation records, audit trail, and
                consent-to-evidence pipeline</td>
            </tr>
            <tr>
              <td>Multi-hop Delegation</td>
              <td><xref target="I-D.liu-oauth-chain-delegation"/></td>
              <td>Agent-to-agent delegation chains</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>

    <section anchor="authorization-model" title="Authorization Model: Policy vs Scope">
      <t>
        This framework uses a policy-based authorization model that replaces traditional OAuth 2.0 
        scopes with fine-grained Rego policies. This section clarifies the relationship 
        between scopes and policies in this framework.
      </t>

      <section title="Policy as Primary Authorization Mechanism">
        <t>
          In this framework, the primary authorization mechanism is policy carried via 
          Rich Authorization Requests (RAR, <xref target="RFC9396"/>), not OAuth 2.0 scopes. 
          The <tt>rego_policy</tt> authorization data type defined in 
          <xref target="I-D.liu-oauth-rego-policy"/> carries the authorization logic 
          within the <tt>authorization_details</tt> parameter:
        </t>

        <ul>
          <li>
            <strong>Authorization Request:</strong> Clients submit 
            <tt>authorization_details</tt> containing a <tt>rego_policy</tt> type 
            with Rego policy that defines permitted operations 
            (e.g., "allow add_to_cart if amount &lt;= 50").
          </li>
          <li>
            <strong>Access Token:</strong> AS returns an enriched 
            <tt>authorization_details</tt> response per RFC 9396 Section 7.1, 
            including the evaluated policy reference.
          </li>
          <li>
            <strong>Resource Server:</strong> RS evaluates the policy at runtime using 
            a Rego-compatible policy engine (e.g., Open Policy Agent
            <xref target="OPA"/>) with request context.
          </li>
        </ul>

        <t>
          This approach enables dynamic, context-aware authorization that goes beyond 
          static scope lists.
        </t>
      </section>

      <section title="Scope as Optional Supplement">
        <t>
          Traditional OAuth 2.0 <tt>scope</tt> parameter is OPTIONAL in this framework and serves 
          different purposes:
        </t>

        <ul>
          <li>
            <strong>When to use scope:</strong> For coarse-grained resource categorization 
            (e.g., "read", "write") or backward compatibility with existing OAuth deployments.
          </li>
          <li>
            <strong>When NOT to use scope:</strong> When fine-grained, conditional 
            authorization is required. In this case, Rego policy provides all necessary 
            authorization logic.
          </li>
          <li>
            <strong>Relationship:</strong> If both scope and policy are present, the 
            policy takes precedence. Scope acts as an outer boundary, while policy 
            defines specific conditions.
          </li>
        </ul>

        <figure>
          <artwork name="Scope vs Policy" type=""><![CDATA[
+-----------------------------------------------------------+
|  Authorization Boundary                                   |
+-----------------------------------------------------------+
|  +-----------------------------------------------------+  |
|  |  Scope (Traditional OAuth)                          |  |
|  |  +-----------------------------------------------+  |  |
|  |  |  Policy via RAR (Primary)                     |  |  |
|  |  |  authorization_details: rego_policy           |  |  |
|  |  |  "allow if amount <= 50 AND time < 6pm"       |  |  |
|  |  +-----------------------------------------------+  |  |
|  +-----------------------------------------------------+  |
+-----------------------------------------------------------+
          ]]></artwork>
        </figure>
      </section>

      <section title="Complete Authorization Mechanism">
        <t>
          The complete authorization mechanism comprises six integrated components:
        </t>

        <ol>
          <li>
            <strong>Agent Authentication</strong>
            (<xref target="I-D.ietf-oauth-spiffe-client-auth"/>):
            Proves "who the agent is" through cryptographic workload identity.
          </li>
          <li>
            <strong>Cross-Domain Identity</strong>
            (<xref target="I-D.ietf-oauth-identity-assertion-authz-grant"/>):
            Proves "who the user is" across trust domains via JWT assertion.
          </li>
          <li>
            <strong>User Interaction &amp; Consent</strong>
            (<xref target="I-D.parecki-oauth-jwt-grant-interaction-response"/>):
            Obtains explicit user consent through structured interaction flow.
          </li>
          <li>
            <strong>Rego Policy</strong>
            (<xref target="I-D.liu-oauth-rego-policy"/>):
            Defines "what operations are allowed" with fine-grained conditions.
          </li>
          <li>
            <strong>Authorization Evidence</strong>
            (<xref target="I-D.liu-oauth-authorization-evidence"/>):
            Provides cryptographic proof of "what the user agreed to".
          </li>
          <li>
            <strong>Chain Delegation</strong>
            (<xref target="I-D.liu-oauth-chain-delegation"/>):
            Enables secure "agent-to-agent transfer" of authorization.
          </li>
        </ol>

        <t>
          Together, these components provide end-to-end authorization for AI agents:
        </t>

        <figure>
          <artwork name="Authorization Stack" type="ascii-art"><![CDATA[
+------------------------------------------------------------+
|  Integration Framework (This Draft)                        |
|  "How to combine all components"                           |
+------------------------------------------------------------+
|  +------------+ +------------+ +------------+ +----------+  |
|  |  Agent     | |  Identity  | |  Consent   | | Delegat. |  |
|  |  Authn     | |  (ID-JAG)  | |  (JAG-IR)  | | (Chain)  |  |
|  | (SPIFFE)   | +------------+ +------------+ +----------+  |
|  +------------+                                             |
|  +------------------------------------------------------+  |
|  |     Policy Engine via RAR (rego_policy)              |  |
|  |         "Under what conditions allow"                |  |
|  +------------------------------------------------------+  |
|  +------------------------------------------------------+  |
|  |     Authorization Evidence (consent + audit trail)   |  |
|  |         "What did the user agree to"                 |  |
|  +------------------------------------------------------+  |
+------------------------------------------------------------+
|        OAuth 2.0 Core + RAR (RFC 9396)                     |
+------------------------------------------------------------+
          ]]></artwork>
        </figure>
      </section>
    </section>


    <section anchor="architecture" title="Architecture">
      <section title="Participants">
        <figure>
          <artwork name="Architecture Participants" type="ascii-art"><![CDATA[
+------------------+     +------------------+     +------------------+
|    Home IdP      |     |   AI Agent       |     |   External AS    |
|                  |     |                  |     |                  |
| - User authn     |     | - SPIFFE identity|     | - Policy engine  |
| - ID Token issue |     | - JWT Grant clnt |     | - Token issuance |
+------------------+     +------------------+     +------------------+
        |                        |                        |
        |   ID Token             |                        |
        |----------------------->|                        |
        |                        |                        |
        |                        | JWT Grant + authz_det  |
        |                        |----------------------->|
        |                        |                        |
        |                        | interaction_required   |
        |                        |<-----------------------|
        |                        |                        |
        |  interaction_uri       |                        |
        |<-----------------------|                        |
        |  (user consent)        |                        |
        |----------------------->|                        |
        |                        | Poll token endpoint    |
        |                        |----------------------->|
        |                        |                        |
        |                        |   Access Token         |
        |                        |<-----------------------|
        |                        |                        |
        |                        |                  +-------------------+
        |                        |                  | Resource Server   |
        |                        |                  |                   |
        |                        |   API Request    | - Token validation|
        |                        |----------------->| - Policy engine   |
        |                        |                  +-------------------+
          ]]></artwork>
        </figure>

        <dl>
          <dt>Home Identity Provider (Home IdP):</dt>
          <dd>
            Authenticates the user and issues ID Tokens. This is the user's 
            trusted identity service.
          </dd>

          <dt>AI Agent:</dt>
          <dd>
            An autonomous software agent acting on behalf of the user. Has its 
            own workload identity (SPIFFE/WIT-SVID).
          </dd>

          <dt>External Authorization Server (AS):</dt>
          <dd>
            Issues access tokens for resources in its domain. Validates JWT 
            assertions, evaluates authorization_details, and manages user interaction.
          </dd>

          <dt>Resource Server (RS):</dt>
          <dd>
            Hosts protected resources. Validates access tokens and enforces 
            policies using a Rego-compatible policy engine.
          </dd>
        </dl>
      </section>

      <section title="Token Structure">
        <t>
          The framework uses JWT access tokens
          (<xref target="RFC7519"/>, <xref target="RFC9068"/>) following
          OAuth 2.0 standards. 
          Key claim semantics:
        </t>

        <ul>
          <li>
            <t>
            <strong><tt>sub</tt> (Subject)</strong>: MUST contain the user's
            identifier at the Resource Application (third-party app), NOT the
            Agent's internal user identifier. This enables the Resource Server
            to immediately identify the resource owner without additional
            identity mapping lookups. The AS maps the Home IdP subject to
            the resource-domain identifier through account linking,
            federation metadata, or additional identity claims (e.g.,
            <tt>email</tt>) present in the JWT assertion.
            </t>
          </li>
          <li>
            <t>
              <strong><tt>act</tt> (Actor)</strong>: Identifies the entity 
              exercising delegated authority. Contains:
            </t>
            <ul>
              <li>
                <tt>sub</tt>: The Agent's WIT URI, identifying which agent is 
                acting on behalf of the user;
              </li>
              <li>
                <tt>agent_user_id</tt> (OPTIONAL): The user's identifier at the 
                Agent system, enabling audit trail correlation at the Agent side.
                Note: This is a non-registered extension field within the
                <tt>act</tt> claim structure.
              </li>
            </ul>
          </li>
          <li>
            <t>
            <strong><tt>authorization_details</tt></strong>: Carries
            multiple authorization data types via Rich Authorization Requests
            (<xref target="RFC9396"/>):
            </t>
            <ul>
              <li>
                <tt>rego_policy</tt> type: The Rego policy defining what
                operations the agent is permitted to perform.  Defined in
                <xref target="I-D.liu-oauth-rego-policy"/>.
              </li>
              <li>
                <tt>authorization_evidence</tt> type: The signed record of
                the user's confirmation action during authorization, including
                what was displayed to the user, how the user confirmed, a
                cryptographic signature from the AS, and the
                <tt>audit_trail</tt> sub-object for semantic traceability.
                Defined in
                <xref target="I-D.liu-oauth-authorization-evidence"/>.
              </li>
            </ul>
          </li>
          <li>
            <t>
            <strong><tt>delegation_chain</tt></strong>: Records the
            chain of delegation hops when authorization is transferred
            between agents, with cryptographic signatures for each hop.
            Only present in delegated scenarios.  Defined in
            <xref target="I-D.liu-oauth-chain-delegation"/>.
            </t>
          </li>
        </ul>

        <figure>
          <artwork name="Access Token Structure" type="json"><![CDATA[
{
  "iss": "https://as.external.example",
  "sub": "user_12345",
  "aud": "https://api.external.example",
  "exp": 1731369540,
  "iat": 1731320700,
  "jti": "urn:uuid:token-abc-123",

  "act": {
    "sub": "wit://agent.example/sha256.abc123...",
    "agent_user_id": "agent_user_001"
  },

  "authorization_details": [
    {
      "type": "rego_policy",
      "policy": {
        "type": "rego",
        "uri": "https://as.external.example/policies/policy-abc123",
        "entry_point": "allow"
      },
      "context": {
        "user": { "id": "user_12345" },
        "action": "add_to_cart"
      }
    },
    {
      "type": "authorization_evidence",
      "evidence": {
        "id": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
        "user_confirmation": {
          "displayed_content": "Add items under $50 to cart",
          "user_action": "confirmed_via_button_click",
          "timestamp": 1731320595
        },
        "as_signature": "eyJhbGciOiJFUzI1NiJ9..MEUCIQDx...",
        "audit_trail": {
          "evidence_ref": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
          "semantic_expansion_level": "medium",
          "proposal_ref": "urn:uuid:proposal-xyz"
        }
      }
    }
  ],

  "delegation_chain": [
    {
      "delegator_id": "wit://agent-a.example/sha256.aaa111...",
      "delegatee_id": "wit://agent-b.example/sha256.bbb222...",
      "as_id": "https://as.external.example",
      "delegation_timestamp": 1731320800,
      "root_evidence_ref": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
      "delegated_policy": {
        "type": "rego",
        "uri": "https://as.external.example/policies/policy-delegated-456",
        "entry_point": "allow"
      },
      "operation_summary": "Delegate cart operations",
      "delegator_signature": "eyJhbGciOiJFUzI1NiJ9..MEYCIQD...",
      "as_signature": "eyJhbGciOiJSUzI1NiJ9..MEUCIQDx..."
    }
  ]
}
          ]]></artwork>
        </figure>
      </section>
    </section>

    <section anchor="workflow" title="Authorization Workflow">
      <section title="Overview">
        <figure>
          <artwork name="Complete Authorization Flow" type="ascii-art"><![CDATA[
+-------+    +-------+    +--------+    +---------+    +-------+    +------+
| User  |    | Home  |    |  AI    |    |External |    |  RS   |    |Policy|
|       |    |  IdP  |    | Agent  |    |   AS    |    |       |    |      |
+-------+    +-------+    +--------+    +---------+    +-------+    +------+
    |            |             |            |            |           |
(1) | Authn      |             |            |            |           |
    |----------->|             |            |            |           |
    |            |             |            |            |           |
(2) |  ID Token (aud=External AS)           |            |           |
    |<------------------------>|            |            |           |
    |            |             |            |            |           |
(3) |            |   Agent builds token req:|            |           |
    |            |   - JWT assertion        |            |           |
    |            |   - authorization_details|            |           |
    |            |     (rego_policy type)   |            |           |
    |            |             |            |            |           |
(4) |            |   Token Request          |            |           |
    |            |   + SPIFFE client auth   |            |           |
    |            |             |----------->|            |           |
    |            |             |            |            |           |
(5) |            |             |  Validate: |            |           |
    |            |             |  - SPIFFE  |            |           |
    |            |             |  - JWT     |            |           |
    |            |             |  - policy  |            |           |
    |            |             |            |            |           |
(6) |            |             |  interaction_required   |           |
    |            |             |  + interaction_uri      |           |
    |            |             |<-----------|            |           |
    |            |             |            |            |           |
(7) | User interaction via browser          |            |           |
    |<--------------------------------------|            |           |
    |            |             |            |            |           |
(8) | User confirms            |            |            |           |
    |-------------------------------------->|            |           |
    |            |             |            |            |           |
(9) |            |             |  Poll token endpoint    |           |
    |            |             |----------->|            |           |
    |            |             |            |            |           |
(10)|            |             |  Issue token with:      |           |
    |            |             |  - act                  |           |
    |            |             |  - authorization_details|           |
    |            |             |  - evidence             |           |
    |            |             |  - audit_trail          |           |
    |            |             |<-----------|            |           |
    |            |             |            |            |           |
(11)|            |             | API Request|            |           |
    |            |             |------------------------>|           |
    |            |             |            |            |           |
(12)|            |             |            |  Validate  |           |
    |            |             |            |  token     |           |
    |            |             |            |            |           |
(13)|            |             |            |  Policy    |           |
    |            |             |            |  eval      |---------->|
    |            |             |            |            |           |
(14)|            |             |            |  Decision  |           |
    |            |             |            |            |<----------|
    |            |             |            |            |           |
(15)|            |             | Response   |            |           |
    |            |             |<------------------------|           |
          ]]></artwork>
        </figure>
      </section>

      <section title="Step-by-Step Description">
        <ol>
          <li>
            <t><strong>User Authentication at Agent:</strong> User
            authenticates with the Agent's Identity Provider (Home IdP).
            The Agent requests an ID Token suitable for cross-domain
            assertion, containing:</t>
            <ul>
              <li>
                <tt>sub</tt>: The user's identifier at the Agent system
                (e.g., <tt>agent_user_001</tt>);
              </li>
              <li>
                <tt>aud</tt>: The External AS's identifier, binding this
                assertion to the target authorization server per
                <xref target="I-D.ietf-oauth-identity-assertion-authz-grant"/>.
              </li>
            </ul>
          </li>
          <li>
            <t><strong>ID Token as JWT Assertion:</strong> The Agent uses 
            the ID Token as the JWT assertion in the token request per 
            <xref target="I-D.ietf-oauth-identity-assertion-authz-grant"/>. 
            The AS validates the Home IdP's signature and extracts 
            the user's identity claims.</t>
          </li>
          <li>
            <t>Token Request Construction: Agent builds a token request including:</t>
            <ul>
              <li><tt>grant_type</tt>: <tt>urn:ietf:params:oauth:grant-type:jwt-bearer</tt>;</li>
              <li><tt>assertion</tt>: The user's ID Token (JWT);</li>
              <li><tt>authorization_details</tt>: Containing <tt>rego_policy</tt> type with policy and context.</li>
            </ul>
          </li>
          <li>
            <t>Token Request Submission: Agent sends the token request to 
            External AS with SPIFFE client authentication (WIT-SVID in headers).</t>
          </li>
          <li>
            <t>AS Validation: AS validates:</t>
            <ul>
              <li>SPIFFE client credentials;</li>
              <li>JWT assertion signature, audience (<tt>aud</tt>),
                and expiration (<tt>exp</tt>) from Home IdP;</li>
              <li>Policy syntax and safety in <tt>authorization_details</tt>.</li>
            </ul>
          </li>
          <li>
            <t>Interaction Required: AS determines user interaction is needed 
            and returns an <tt>interaction_required</tt> error response per 
            <xref target="I-D.parecki-oauth-jwt-grant-interaction-response"/> 
            containing an <tt>interaction_uri</tt> for user consent.</t>
          </li>
          <li>
            <t>User Interaction: The agent launches the <tt>interaction_uri</tt> 
            in the user's browser. The AS presents the consent UI showing 
            the interpreted operation.</t>
          </li>
          <li>
            <t>User Confirmation: User reviews and approves (or denies) the
            operation.</t>
          </li>
          <li>
            <t>Polling: Agent polls the token endpoint (re-sending its
            original request with a fresh SPIFFE client attestation)
            until the AS completes user interaction.  If the user
            denies consent, the AS returns an <tt>access_denied</tt>
            error to subsequent polling requests.</t>
          </li>
          <li>
            <t>Token Issuance: AS issues access token containing:</t>
            <ul>
              <li><tt>act</tt>: Agent's SPIFFE ID;</li>
              <li><tt>authorization_details</tt>: Enriched response per RFC 9396 Section 7.1,
                including both <tt>rego_policy</tt> and
                <tt>authorization_evidence</tt> types;</li>
              <li><tt>delegation_chain</tt>: (only in delegation scenarios).</li>
            </ul>
          </li>
          <li>
            <t>API Request: Agent presents token to Resource Server.</t>
          </li>
          <li>
            <t>Token Validation: RS validates token signature and claims.</t>
          </li>
          <li>
            <t>Policy Evaluation: RS sends policy and request context 
            to the policy engine.</t>
          </li>
          <li>
            <t>Authorization Decision: Policy engine returns allow/deny decision.</t>
          </li>
          <li>
            <t>Response: RS executes (or denies) the operation and 
            returns response.</t>
          </li>
        </ol>
      </section>
    </section>

    <section anchor="delegation" title="Agent-to-Agent Delegation">
      <t>
        When Agent A needs to delegate operations to Agent B, the framework 
        extends the basic workflow:
      </t>

      <figure>
        <artwork name="Delegation Flow" type="ascii-art"><![CDATA[
+---------+       +---------+       +--------+       +---------+
| Agent A |       |   AS    |       | Agent B|       |   RS    |
+---------+       +---------+       +--------+       +---------+
     |                 |                 |                |
     | (has token)     |                 |                |
     |                 |                 |                |
     | Token Exchange  |                 |                |
     | - subject_token |                 |                |
     | - delegatee_id  |                 |                |
     | - authorization |                 |                |
     |   _details      |                 |                |
     | - delegator_sig |                 |                |
     |   (over deleg.  |                 |                |
     |    record)      |                 |                |
     |---------------->|                 |                |
     |                 |                 |                |
     |                 | Validate:       |                |
     |                 | - Token A valid |                |
     |                 | - Policy subset |                |
     |                 | - Agent B auth  |                |
     |                 | - delegator_sig |                |
     |                 |                 |                |
     |                 | AS countersigns |                |
     |                 | (as_signature)  |                |
     |                 |                 |                |
     |                 | Issue Token B   |                |
     |                 | with delegation_chain            |
     |                 | (del_sig+as_sig)|                |
     |                 |---------------->|                |
     |                 |                 |                |
     |                 |                 | API Request    |
     |                 |                 |--------------->|
     |                 |                 |                |
     |                 |                 |     Validate   |
     |                 |                 |     chain      |
     |                 |                 |  (dual sig)    |
     |                 |                 |                |
     |                 |                 | Response       |
     |                 |                 |<---------------|
        ]]></artwork>
      </figure>

      <t>
        The resulting token for Agent B includes a <tt>delegation_chain</tt>
        recording the delegation hop, as defined in
        <xref target="I-D.liu-oauth-chain-delegation"/>.  Each delegation
        chain entry carries a dual signature: the delegator's signature
        (<tt>delegator_signature</tt>) over the delegation record and
        the AS's countersignature (<tt>as_signature</tt>), ensuring
        non-repudiation and preventing unilateral scope escalation.
      </t>

      <t>
        The AS MUST also decide how to handle the original
        <tt>authorization_evidence</tt> entry from Agent A's token.
        Three strategies are defined in
        <xref target="I-D.liu-oauth-authorization-evidence"/>:
        <strong>Propagate</strong> (copy the original
        <tt>authorization_evidence</tt> entry into Agent B's token),
        <strong>Reference</strong> (replace the embedded evidence with
        an <tt>audit_trail</tt> sub-object containing only the
        <tt>evidence_ref</tt>), or <strong>Omit</strong> (do
        not include evidence).  The Propagate strategy is RECOMMENDED
        when the delegated policy is a subset of the original
        token's policy.  When using delegation chains, the
        <tt>root_evidence_ref</tt> in the delegation chain entry SHOULD
        reference the same evidence record, creating an unbroken audit
        trail from the original user consent through all delegation hops.
      </t>
    </section>

    <section anchor="consent-modes" title="User Consent Modes">
      <t>
        The framework supports multiple consent mechanisms:
      </t>

      <section title="Redirect-Based Consent">
        <t>
          Traditional OAuth redirect flow where the agent redirects the user
          to the AS's consent page.  This is the most common consent
          mechanism and is suitable for web-based agents that can launch
          a browser for user interaction.
        </t>
      </section>

      <section title="CIBA-Based Consent">
        <t>
          Client-Initiated Backchannel Authentication (CIBA)
          <xref target="CIBA"/> for out-of-band
          consent, useful when the agent cannot redirect the user.
          Typical scenarios include voice assistants, IoT devices,
          and mobile applications where the user completes consent
          on a separate device.
        </t>
      </section>

      <section title="Consent-Only Flow">
        <t>
          When the user has a valid, non-expired session at the AS and the
          agent's identity is already trusted, the AS MAY skip
          re-authentication and only prompt for consent to the specific
          operation.  This is a deployment-level optimization that does
          not change the protocol flow; the AS still returns an
          <tt>interaction_required</tt> response, but the consent
          interface presented to the user omits the authentication step.
          This mode reduces user friction for repeat operations while
          maintaining explicit consent for each authorized action.
        </t>
      </section>
    </section>

    <section anchor="progressive-deployment" title="Progressive Deployment">
      <t>
        This framework supports progressive deployment through a 
        two-dimensional matrix, allowing organizations to adopt capabilities 
        gradually based on their security requirements and operational maturity.
      </t>

      <section anchor="identity-levels" title="Identity Deployment Levels">
        <t>
          Implementations MAY deploy agent identity at three progressive levels:
        </t>

        <section title="Level 0: Self-Issued Identity">
          <t>
            The agent generates its own key pair and self-issues identity 
            assertions. Suitable for development, testing, and low-trust scenarios 
            such as personal or small-team agents.
          </t>
        </section>

        <section title="Level 1: WIMSE Workload Identity">
          <t>
            The agent obtains workload identity tokens through WIMSE infrastructure
            <xref target="I-D.ietf-wimse-workload-creds"/>. 
            Provides cross-domain verifiability without requiring full enterprise IdP 
            deployment. This level can be enhanced with optional trusted execution 
            environment verification using WIT attestation
            <xref target="I-D.ietf-wimse-arch"/>.
          </t>
        </section>

        <section title="Level 2: Enterprise Identity">
          <t>
            The agent's identity is managed by an enterprise IdP with full 
            X.509 or SAML/OIDC trust chains. Required for high-assurance 
            enterprise deployments.
          </t>
        </section>
      </section>

      <section anchor="token-levels" title="Token Deployment Levels">
        <t>
          Authorization tokens can be deployed at three levels:
        </t>

        <section title="Level A: Pre-configured Tokens">
          <t>
            Static tokens configured at deployment time. No runtime AS interaction 
            required. Suitable for internal services and well-known agents.
          </t>
        </section>

        <section title="Level B: Admin-Assigned Tokens">
          <t>
            Tokens assigned by administrators through a management interface. 
            Policy binding without end-user consent. Suitable for enterprise 
            automation scenarios.
          </t>
        </section>

        <section title="Level C: Runtime Authorization Tokens">
          <t>
            The full framework flow with user consent, policy evaluation, and evidence 
            recording. Required for high-sensitivity operations and cross-domain 
            access. This level utilizes the JWT Grant Interaction Response 
            mechanism for user consent.
          </t>
        </section>
      </section>

      <section anchor="deployment-matrix" title="Deployment Matrix">
        <t>
          The combination of identity and token levels creates a deployment matrix:
        </t>

        <table anchor="tbl-deployment-matrix">
          <name>Deployment Matrix</name>
          <thead>
            <tr>
              <th>Identity \ Token</th>
              <th>A (Pre-configured)</th>
              <th>B (Admin-assigned)</th>
              <th>C (Runtime Authz)</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>0 (Self-Issued)</td>
              <td>Personal agents, IoT</td>
              <td>Small team automation</td>
              <td>Dynamic authorization</td>
            </tr>
            <tr>
              <td>1 (WIMSE)</td>
              <td>Trusted lightweight agents</td>
              <td>Enterprise operations</td>
              <td>Cross-domain access</td>
            </tr>
            <tr>
              <td>2 (Enterprise)</td>
              <td>High-trust static auth</td>
              <td>Compliance scenarios</td>
              <td>Full framework enterprise</td>
            </tr>
          </tbody>
        </table>

        <t>
          Organizations typically progress through the matrix as their 
          requirements evolve, starting from lower levels (e.g., 0A) and 
          upgrading to higher levels (e.g., 2C) based on security needs.
        </t>
      </section>
    </section>

    <section anchor="reverse-guided" title="Reverse-Guided Authorization">
      <t>
        Traditional OAuth error responses indicate authorization failure without 
        guidance on how to obtain valid authorization. In AI agent scenarios, 
        where agents may autonomously navigate authorization requirements, 
        resource servers can provide structured guidance through error responses.
      </t>

      <t>
        When an agent's request lacks sufficient authorization, the resource 
        server returns a 403 Forbidden response with a <tt>rego_profile</tt> 
        object that specifies:
      </t>

      <ul>
        <li>Required scopes or authorization details;</li>
        <li>Policy constraints that must be satisfied;</li>
        <li>Whether user consent is required;</li>
        <li>Reference to the authorization server capable of issuing appropriate tokens.</li>
      </ul>

      <t>
        The AI agent parses this guidance and constructs a new authorization 
        request that satisfies the specified requirements. This enables agents 
        to "learn" authorization requirements dynamically rather than requiring 
        pre-programmed knowledge of each resource server's policies.
      </t>

      <t>
        Detailed specification of the Rego Profile format and agent adaptive 
        behavior is defined in <xref target="I-D.liu-oauth-rego-policy"/>.
      </t>
    </section>

    <section anchor="security" title="Security Considerations">
      <section title="Trust Boundaries">
        <t>
          The framework establishes clear trust boundaries:
        </t>

        <ul>
          <li>
            Home IdP → Agent: ID Token with agent in audience;
          </li>
          <li>
            Agent → External AS: SPIFFE authentication + JWT assertion (Identity Assertion Grant, ID-JAG);
          </li>
          <li>
            External AS → RS: Signed access token with policy reference
            (JWS <xref target="RFC7515"/>);
          </li>
          <li>
            Delegation: AS-signed delegation chain entries.
          </li>
        </ul>
      </section>

      <section title="Threat Mitigations">
        <table anchor="tbl-threats">
          <name>Threat Mitigations</name>
          <thead>
            <tr>
              <th>Threat</th>
              <th>Mitigation</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>Token substitution</td>
              <td>JWT assertion audience binding (assertion.aud == AS identifier)</td>
            </tr>
            <tr>
              <td>Privilege escalation</td>
              <td>Scope subset validation in delegation</td>
            </tr>
            <tr>
              <td>Unauthorized actions</td>
              <td>Rego policy enforcement at RS</td>
            </tr>
            <tr>
              <td>Consent forgery</td>
              <td>AS-signed evidence records</td>
            </tr>
            <tr>
              <td>Delegation chain tampering</td>
              <td>AS signature on each chain entry</td>
            </tr>
          </tbody>
        </table>
      </section>

      <section title="LLM Threat Model">
        <t>
          This framework assumes the agent implementation (including authorization 
          logic) is trusted, while the Large Language Model (LLM) used to derive 
          operations is NOT trusted. The policy-based authorization ensures:
        </t>

        <ul>
          <li>LLM cannot directly control authorization decisions;</li>
          <li>All operations are bounded by user-approved policies;</li>
          <li>Audit trails enable post-hoc verification.</li>
        </ul>
      </section>

      <section title="Token Size">
        <t>
          A full access token in this framework may carry multiple claims beyond the
          standard JWT fields: <tt>act</tt>, <tt>authorization_details</tt>
          (with embedded Rego policy and authorization evidence), and
          <tt>delegation_chain</tt> (for multi-hop scenarios).  The
          combined size of these claims can exceed typical HTTP header
          limits when the token is passed in an Authorization header.
        </t>

        <t>
          Implementations SHOULD consider:
        </t>

        <ul>
          <li>
            Using token introspection (<xref target="RFC7662"/>) to
            retrieve detailed evidence and policy information rather than
            embedding all data in the token;
          </li>
          <li>
            Using policy references (URIs) instead of inline Rego policy
            in <tt>authorization_details</tt>;
          </li>
          <li>
            Applying the Reference strategy for evidence in token
            exchange scenarios, as defined in
            <xref target="I-D.liu-oauth-authorization-evidence"/>.
          </li>
        </ul>
      </section>

      <section title="Evidence Freshness">
        <t>
          In this framework, evidence records capture user consent at
          a specific point in time.  When tokens are exchanged or
          refreshed across delegation hops, the original consent
          timestamp may become significantly older than the current
          request time.  Deployments SHOULD define an evidence freshness
          policy that specifies the maximum acceptable age of an
          evidence record and the actions to take when evidence is stale
          (e.g., reject the request, require re-consent).  See
          <xref target="I-D.liu-oauth-authorization-evidence"/> for
          detailed guidance.
        </t>
      </section>

      <section title="Policy Injection and Server-Side Request Forgery">
        <t>
          When agents submit Rego policy via <tt>authorization_details</tt>,
          the AS must validate the policy before evaluation.  Malicious
          or compromised agents could attempt to inject policies that
          exploit the policy engine (e.g., resource exhaustion, data
          exfiltration via external calls).  The AS SHOULD enforce
          policy size limits, restrict available Rego built-in functions
          (particularly those that perform network I/O), and validate
          policy syntax before evaluation.  See
          <xref target="I-D.liu-oauth-rego-policy"/> for the complete
          threat model and mitigation strategies.
        </t>
      </section>

      <section title="Cross-Domain Trust">
        <t>
          This framework operates across multiple trust domains
          (Home IdP, Agent domain, External AS, Resource Server).
          Trust establishment between these domains relies on:
        </t>

        <ul>
          <li>
            The External AS trusting the Home IdP's JWT assertions
            (ID-JAG), which requires either a pre-established trust
            relationship or federation;
          </li>
          <li>
            The Resource Server trusting the External AS's signing keys
            for both token validation and evidence signature
            verification;
          </li>
          <li>
            Cross-domain delegation requiring trust in each
            intermediate AS's signing key for delegation chain
            verification.
          </li>
        </ul>

        <t>
          Deployments SHOULD establish explicit trust frameworks or
          federation agreements that define key distribution, revocation,
          and liability across participating domains.
        </t>
      </section>

      <section title="Delegation Depth and Privilege Escalation">
        <t>
          Multi-hop delegation chains introduce the risk of unbounded
          delegation depth and privilege escalation at intermediate
          hops.  The framework mitigates these risks through:
        </t>

        <ul>
          <li>
            AS-enforced maximum delegation depth limits;
          </li>
          <li>
            Scope subset validation ensuring each delegation hop can
            only narrow (never broaden) the authorized scope;
          </li>
          <li>
            Cryptographic chain integrity via per-hop AS signatures in
            the <tt>delegation_chain</tt> claim.
          </li>
        </ul>

        <t>
          See <xref target="I-D.liu-oauth-chain-delegation"/> for the
          complete delegation security model and validation checklist.
        </t>
      </section>
    </section>

    <section anchor="privacy" title="Privacy Considerations">
      <t>
        The privacy considerations in this section are informed by the
        Internet protocol privacy analysis framework described in
        <xref target="RFC6973"/>.  This section addresses privacy
        considerations specific to the integrated framework;
        implementers MUST also consult the privacy considerations in
        each component specification.
      </t>

      <section title="Cross-Domain Identity Correlation">
        <t>
          This framework inherently links user identities across
          multiple trust domains: the Home IdP (where the user
          authenticates), the Agent domain (where the user interacts
          with the AI agent), and the External AS/RS domain (where
          resources are accessed).  The <tt>act.agent_user_id</tt> field
          and the evidence record within the
          <tt>authorization_evidence</tt> authorization details type
          both carry identifiers that
          could be used to correlate a user's activities across these
          domains.
        </t>

        <t>
          Implementations SHOULD minimize cross-domain correlation by:
        </t>

        <ul>
          <li>
            Using domain-specific subject identifiers in the access
            token's <tt>sub</tt> claim rather than globally unique
            identifiers;
          </li>
          <li>
            Treating <tt>agent_user_id</tt> as optional and including
            it only when required for audit correlation;
          </li>
          <li>
            Avoiding inclusion of stable, globally correlatable
            identifiers in the evidence record's
            <tt>displayed_content</tt> field.
          </li>
        </ul>
      </section>

      <section title="Agent Observability">
        <t>
          AI agents acting on behalf of users can observe resource
          contents, policy evaluation outcomes, and error responses
          (including reverse-guided authorization hints).  A compromised
          or malicious agent could accumulate sensitive information about
          the user's access patterns, resource contents, and
          organizational policy structure.
        </t>

        <t>
          Mitigations include:
        </t>

        <ul>
          <li>
            Applying the principle of least privilege to agent
            capabilities via Rego policy constraints;
          </li>
          <li>
            Using the <tt>semantic_expansion_level</tt> in the
            <tt>audit_trail</tt> sub-object to flag operations where
            significant interpretation was applied, enabling
            post-hoc review of agent behavior;
          </li>
          <li>
            Limiting the information exposed in reverse-guided
            authorization error responses to what is necessary for
            constructing a valid request.
          </li>
        </ul>
      </section>

      <section title="Displayed Content Sensitivity">
        <t>
          The <tt>displayed_content</tt> field in the evidence record
          (within the <tt>authorization_evidence</tt> authorization
          details type) records the human-readable description shown to
          the user during consent.  This field may contain sensitive
          information about the user's intent, financial parameters,
          health-related operations, or personal data.  Since the
          evidence record is included in the access token and may be
          logged by resource servers, implementations MUST minimize
          personal data in this field and SHOULD use operation
          identifiers rather than natural-language descriptions that
          may contain PII.
        </t>

        <t>
          See <xref target="I-D.liu-oauth-authorization-evidence"/> for
          detailed guidance on displayed content minimization, evidence
          retention, and the tension between audit retention and the
          right to erasure under GDPR and CCPA.
        </t>
      </section>

      <section title="Delegation Chain Privacy">
        <t>
          Delegation chains record the identity of each intermediate
          agent in the <tt>delegation_chain</tt> claim.  In multi-hop
          scenarios, this creates a record of all agents involved in a
          transaction, which may reveal organizational structure or
          agent relationships that participants consider sensitive.
          Implementations SHOULD evaluate whether the full delegation
          chain needs to be visible to the final resource server, or
          whether a summarized view is sufficient.
        </t>

        <t>
          See <xref target="I-D.liu-oauth-chain-delegation"/> for
          delegation chain privacy considerations.
        </t>
      </section>
    </section>

    <section anchor="relationships" title="Relationship to Other Specifications">
      <t>
        This section clarifies the relationship between this framework and other
        OAuth 2.0 specifications. Understanding these relationships is essential
        for implementers to determine which specifications are required for their 
        specific use cases.
      </t>

      <section anchor="rel-id-jag" title="Relationship to Identity Assertion Grant (ID-JAG)">
        <t>
          This framework builds on the Identity Assertion Authorization Grant 
          (<xref target="I-D.ietf-oauth-identity-assertion-authz-grant"/>) as the 
          base grant type for cross-domain identity assertion. ID-JAG enables AI 
          agents to present a JWT assertion (e.g., an ID Token from the user's Home 
          IdP) to an external authorization server as proof of user identity.
        </t>

        <t>
          This framework extends ID-JAG with:
        </t>

        <ul>
          <li>
            The JWT Grant Interaction Response 
            (<xref target="I-D.parecki-oauth-jwt-grant-interaction-response"/>) for 
            obtaining explicit user consent when the AS requires user interaction;
          </li>
          <li>
            RAR-based policy authorization via the <tt>rego_policy</tt> authorization 
            data type in <tt>authorization_details</tt>;
          </li>
          <li>
            Evidence recording of user consent decisions.
          </li>
        </ul>

        <t>
          Implementations of this framework MUST implement ID-JAG as the base 
          grant type.
        </t>
      </section>

      <section anchor="rel-jwt-grant-interaction" title="Relationship to JWT Grant Interaction Response">
        <t>
          The JWT Grant Interaction Response 
          (<xref target="I-D.parecki-oauth-jwt-grant-interaction-response"/>) 
          defines an extension to the JWT Authorization Grant that enables an 
          authorization server to indicate that user interaction is required. 
          Instead of immediately returning an access token or error, the AS 
          returns an <tt>interaction_uri</tt> where the user can provide consent, 
          along with a polling interval.
        </t>

        <t>
          This framework uses JWT Grant Interaction Response for:
        </t>

        <ul>
          <li>
            Obtaining explicit user consent for AI agent operations without 
            requiring a traditional OAuth redirect flow;
          </li>
          <li>
            Enabling the agent to launch a browser for user interaction and then 
            poll for completion;
          </li>
          <li>
            Supporting both polling-based and redirect-based notification of 
            interaction completion.
          </li>
        </ul>

        <t>
          Implementations MUST support JWT Grant Interaction Response for 
          user consent in AI agent authorization scenarios.
        </t>
      </section>

      <section anchor="rel-token-exchange" title="Relationship to Token Exchange (RFC 8693)">
        <t>
          This framework uses Token Exchange (<xref target="RFC8693"/>) as the base 
          delegation mechanism and extends it with the <tt>delegation_chain</tt> claim 
          for complete auditability. While RFC 8693 provides point-to-point token 
          exchange, this framework enables end-to-end delegation chain tracking.
        </t>

        <t>
          Key extensions:
        </t>

        <ul>
          <li>
            <tt>delegation_chain</tt> claim records all delegation hops with 
            cryptographic signatures;
          </li>
          <li>
            Policy subset validation ensures privilege escalation prevention 
            across delegation hops;
          </li>
          <li>
            Evidence records provide cryptographic proof of the original
            user consent, propagated across delegation hops via
            <tt>root_evidence_ref</tt>;
          </li>
        </ul>

        <t>
          Implementations SHOULD support RFC 8693 for token exchange operations 
          and MAY implement the delegation chain extension for multi-hop scenarios.
        </t>
      </section>

      <section anchor="rel-transaction-tokens" title="Relationship to Transaction Tokens">
        <t>
          Transaction Tokens (<xref target="I-D.ietf-oauth-transaction-tokens"/>) focus on
          short-lived service-to-service authorization in microservices architectures. 
          This framework focuses on longer-lived user-to-agent delegation with explicit 
          human consent.
        </t>

        <t>
          Comparison:
        </t>

        <table anchor="tbl-txn-compare">
          <name>Transaction Tokens vs This Framework</name>
          <thead>
            <tr>
              <th>Aspect</th>
              <th>Transaction Tokens</th>
              <th>This Framework</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>Primary use case</td>
              <td>Service-to-service</td>
              <td>User-to-agent</td>
            </tr>
            <tr>
              <td>Human consent</td>
              <td>Not required</td>
              <td>Required</td>
            </tr>
            <tr>
              <td>Token lifetime</td>
              <td>Minutes</td>
              <td>Minutes to hours</td>
            </tr>
            <tr>
              <td>Authorization model</td>
              <td>Capability-based</td>
              <td>Policy-based</td>
            </tr>
          </tbody>
        </table>

        <t>
          The two specifications can be combined: this framework for initial user authorization, 
          Transaction Tokens for subsequent service-to-service calls within the 
          authorized scope.
        </t>
      </section>

      <section anchor="rel-ciba" title="Relationship to CIBA">
        <t>
          This framework profiles the OpenID Connect Client-Initiated Backchannel 
          Authentication (CIBA) <xref target="CIBA"/> specification for
          out-of-band user consent. While
          CIBA focuses on user authentication, this framework uses it for authorization 
          and consent collection.
        </t>

        <t>
          CIBA is used in this framework for:
        </t>

        <ul>
          <li>
            Scenarios where the agent cannot redirect the user to a browser 
            (e.g., voice assistants, IoT devices);
          </li>
          <li>
            High-security scenarios requiring out-of-band consent verification;
          </li>
          <li>
            Mobile scenarios where the user completes consent on a separate device.
          </li>
        </ul>

        <t>
          The framework extends CIBA by adding policy presentation to the consent 
          interface and evidence recording of the consent decision.
        </t>
      </section>

      <section anchor="rel-rar" title="Relationship to Rich Authorization Requests (RAR)">
        <t>
          This framework uses Rich Authorization Requests 
          (<xref target="RFC9396"/>) as the mechanism for carrying Rego policy 
          in authorization requests via the <tt>authorization_details</tt> parameter. 
          The <tt>rego_policy</tt> authorization data type defined in 
          <xref target="I-D.liu-oauth-rego-policy"/> enables fine-grained, 
          policy-based authorization within the RAR framework.
        </t>

        <t>
          RAR integration provides:
        </t>

        <ul>
          <li>
            A standardized container (<tt>authorization_details</tt>) for carrying 
            Rego policy and evaluation context;
          </li>
          <li>
            Enriched token responses (RFC 9396 Section 7.1) that include the 
            evaluated policy in the access token;
          </li>
          <li>
            Compatibility with other RAR types, enabling combined authorization 
            scenarios.
          </li>
        </ul>

        <t>
          Implementations MUST support RAR (RFC 9396) with the <tt>rego_policy</tt> 
          authorization data type.
        </t>
      </section>

      <section anchor="rel-spiffe" title="Relationship to SPIFFE Client Authentication">
        <t>
          This framework uses OAuth SPIFFE Client Authentication 
          (<xref target="I-D.ietf-oauth-spiffe-client-auth"/>) for agent 
          authentication. SPIFFE provides workload identity through WIT-SVID 
          (Workload Identity Token with SPIFFE Verifiable Identity Document).
        </t>

        <t>
          The relationship is:
        </t>

        <ul>
          <li>
            SPIFFE Client Auth proves "who the agent is" through cryptographic 
            workload identity;
          </li>
          <li>
            This framework proves "what the agent is allowed to do" through 
            user consent and policy authorization;
          </li>
          <li>
            Together, they provide complete agent identity and authorization.
          </li>
        </ul>

        <t>
          Implementations using Identity Level 1 or Level 2
          (<xref target="identity-levels"/>) MUST support SPIFFE Client
          Authentication for agent identification.  Deployments using
          Identity Level 0 (self-issued identity) MAY use alternative
          client authentication mechanisms.
        </t>
      </section>

      <section anchor="implementation-requirements" title="Implementation Requirements">
        <t>
          The following table summarizes the implementation requirements for 
          different components of this framework:
        </t>

        <table anchor="tbl-impl-req">
          <name>Implementation Requirements</name>
          <thead>
            <tr>
              <th>Specification</th>
              <th>Requirement Level</th>
              <th>Component</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>OAuth 2.0 (RFC 6749)</td>
              <td>MUST</td>
              <td>All</td>
            </tr>
            <tr>
              <td>PAR (<xref target="RFC9126"/>)</td>
              <td>MAY</td>
              <td>Agent, AS</td>
            </tr>
            <tr>
              <td>RAR (RFC 9396)</td>
              <td>MUST</td>
              <td>Agent, AS, RS</td>
            </tr>
            <tr>
              <td>ID-JAG</td>
              <td>MUST</td>
              <td>Agent, AS</td>
            </tr>
            <tr>
              <td>JWT Grant Interaction Response</td>
              <td>MUST</td>
              <td>Agent, AS</td>
            </tr>
            <tr>
              <td>SPIFFE Client Auth</td>
              <td>SHOULD (see note)</td>
              <td>Agent, AS</td>
            </tr>
            <tr>
              <td>Rego Policy</td>
              <td>MUST</td>
              <td>Agent, AS, RS</td>
            </tr>
            <tr>
              <td>Authorization Evidence</td>
              <td>SHOULD</td>
              <td>AS, RS</td>
            </tr>
            <tr>
              <td>Chain Delegation</td>
              <td>MAY</td>
              <td>AS (if supporting delegation)</td>
            </tr>
            <tr>
              <td>Token Exchange (RFC 8693)</td>
              <td>SHOULD</td>
              <td>AS</td>
            </tr>
            <tr>
              <td>CIBA</td>
              <td>MAY</td>
              <td>AS (if supporting out-of-band consent)</td>
            </tr>
          </tbody>
        </table>

        <t>
          Note: SPIFFE Client Authentication is required for Identity
          Levels 1 and 2 (<xref target="identity-levels"/>).  Identity
          Level 0 deployments (self-issued identity) MAY use alternative
          client authentication mechanisms such as <tt>client_secret_post</tt>
          or <tt>private_key_jwt</tt>.
        </t>
      </section>
    </section>

    <section anchor="iana" title="IANA Considerations">
      <t>
        This document has no IANA actions. All claims and parameters are defined 
        in the referenced component specifications.
      </t>
    </section>
  </middle>

  <back>
    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6749.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8693.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9396.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7515.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7519.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9068.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6973.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7662.xml"/>

        <reference anchor="I-D.ietf-oauth-identity-assertion-authz-grant">
          <front>
            <title>OAuth 2.0 Identity Assertion Authorization Grant</title>
            <author initials="K." surname="Ying"/>
            <author initials="B." surname="Campbell"/>
            <date year="2026" month="January"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-identity-assertion-authz-grant"/>
        </reference>

        <reference anchor="I-D.parecki-oauth-jwt-grant-interaction-response">
          <front>
            <title>JWT Authorization Grant with Interaction Response</title>
            <author initials="A." surname="Parecki"/>
            <author initials="B." surname="Campbell"/>
            <author initials="D." surname="Liu"/>
            <date year="2026" month="June"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-parecki-oauth-jwt-grant-interaction-response-00"/>
        </reference>

        <reference anchor="I-D.ietf-oauth-spiffe-client-auth">
          <front>
            <title>OAuth SPIFFE Client Authentication</title>
            <author initials="A." surname="Schwenkschuster"/>
            <date year="2026" month="March"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-spiffe-client-auth"/>
        </reference>

        <reference anchor="I-D.liu-oauth-rego-policy">
          <front>
            <title>Rego Policy Language for OAuth 2.0 Authorization</title>
            <author initials="D." surname="Liu"/>
            <author initials="H." surname="Zhu"/>
            <author initials="S." surname="Krishnan"/>
            <author initials="A." surname="Parecki"/>
            <author initials="H." surname="Xue"/>
            <date year="2026" month="June"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-liu-oauth-rego-policy-00"/>
        </reference>

        <reference anchor="I-D.liu-oauth-authorization-evidence">
          <front>
            <title>Authorization Evidence and Audit Trail for OAuth 2.0 Access Tokens</title>
            <author initials="D." surname="Liu"/>
            <author initials="H." surname="Zhu"/>
            <author initials="S." surname="Krishnan"/>
            <author initials="A." surname="Parecki"/>
            <date year="2026" month="June"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-liu-oauth-authorization-evidence-01"/>
        </reference>

        <reference anchor="I-D.liu-oauth-chain-delegation">
          <front>
            <title>Delegation Chain for OAuth 2.0</title>
            <author initials="D." surname="Liu"/>
            <author initials="H." surname="Zhu"/>
            <author initials="S." surname="Krishnan"/>
            <author initials="A." surname="Parecki"/>
            <date year="2026" month="June"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-liu-oauth-chain-delegation-00"/>
        </reference>
      </references>

      <references>
        <name>Informative References</name>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9126.xml"/>

        <reference anchor="I-D.ietf-oauth-transaction-tokens">
          <front>
            <title>Transaction Tokens</title>
            <author initials="A." surname="Tulshibagwale"/>
            <author initials="G." surname="Fletcher"/>
            <author initials="P." surname="Kasselman"/>
            <date year="2024"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-transaction-tokens"/>
        </reference>

        <reference anchor="CIBA" target="https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html">
          <front>
            <title>OpenID Connect CIBA Core</title>
            <author>
              <organization>OpenID Foundation</organization>
            </author>
            <date year="2021"/>
          </front>
        </reference>

        <reference anchor="OPA" target="https://www.openpolicyagent.org/">
          <front>
            <title>Open Policy Agent</title>
            <author>
              <organization>CNCF</organization>
            </author>
            <date year="2024"/>
          </front>
        </reference>

        <reference anchor="I-D.ietf-wimse-arch">
          <front>
            <title>Workload Identity in Multi System Environments (WIMSE) Architecture</title>
            <author initials="J." surname="Salowey"/>
            <date year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-arch"/>
        </reference>

        <reference anchor="I-D.ietf-wimse-workload-creds">
          <front>
            <title>WIMSE Workload Identity Token</title>
            <author initials="J." surname="Salowey"/>
            <date year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-workload-creds"/>
        </reference>
      </references>
    </references>

    <section title="Complete Example">
      <section title="Token Request">
        <figure>
          <artwork name="JWT Grant Token Request" type="http"><![CDATA[
POST /token HTTP/1.1
Host: as.shop.example
Content-Type: application/x-www-form-urlencoded
OAuth-Client-Attestation: eyJ0eXAiOiJ3aXQrand0IiwiYWxnIjoiRVMyNTYifQ...
OAuth-Client-Attestation-PoP: eyJ0eXAiOiJvYXV0aC1jbGllbnQtYXR0ZXN0...

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&assertion=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2lkc...
&authorization_details=%5B%7B%22type%22%3A%22rego_policy%22%2C%22policy%22%3A%7B%22type%22%3A%22rego%22%2C
  %22content%22%3A%22package+agent...%22%2C%22entry_point%22%3A%22allow%22%7D%2C
  %22context%22%3A%7B%22user%22%3A%7B%22id%22%3A%22user_12345%22%7D%2C%22action%22%3A%22add_to_cart%22%7D%7D%5D
          ]]></artwork>
        </figure>
      </section>

      <section title="Interaction Required Response">
        <figure>
          <artwork name="Interaction Required" type="http"><![CDATA[
HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error": "interaction_required",
  "interaction_uri": "https://as.shop.example/interact/abc123",
  "interval": 5,
  "expires_in": 600
}
          ]]></artwork>
        </figure>
      </section>

      <section title="Access Token">
        <figure>
          <artwork name="Complete Access Token" type="json"><![CDATA[
{
  "iss": "https://as.shop.example",
  "sub": "user_12345",
  "aud": "https://api.shop.example",
  "exp": 1731369540,
  "iat": 1731320700,
  "jti": "urn:uuid:token-shop-123",

  "act": {
    "sub": "wit://myassistant.example/sha256.xyz789...",
    "agent_user_id": "agent_user_001"
  },

  "authorization_details": [
    {
      "type": "rego_policy",
      "policy": {
        "type": "rego",
        "uri": "https://as.shop.example/policies/policy-cart-50",
        "entry_point": "allow"
      },
      "context": {
        "user": { "id": "user_12345" },
        "action": "add_to_cart"
      }
    },
    {
      "type": "authorization_evidence",
      "evidence": {
        "id": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
        "user_confirmation": {
          "displayed_content": "Add items under $50 to cart",
          "user_action": "confirmed_via_button_click",
          "timestamp": 1731320595
        },
        "as_signature": "eyJhbGciOiJFUzI1NiJ9..MEUCIQDx...",
        "audit_trail": {
          "evidence_ref": "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
          "semantic_expansion_level": "medium",
          "proposal_ref": "urn:uuid:proposal-xyz"
        }
      }
    }
  ]
}
          ]]></artwork>
        </figure>
      </section>

      <section title="Polling (after user consent)">
        <figure>
          <artwork name="Poll Token Endpoint" type="http"><![CDATA[
POST /token HTTP/1.1
Host: as.shop.example
Content-Type: application/x-www-form-urlencoded
OAuth-Client-Attestation: eyJ0eXAiOiJ3aXQrand0IiwiYWxnIjoiRVMyNTYifQ...
OAuth-Client-Attestation-PoP: eyJ0eXAiOiJvYXV0aC1jbGllbnQtYXR0ZXN0...

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&assertion=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2lkc...
&authorization_details=%5B%7B%22type%22%3A%22rego_policy%22%2C%22policy%22%3A%7B%22type%22%3A%22rego%22%2C
  %22content%22%3A%22package+agent...%22%2C%22entry_point%22%3A%22allow%22%7D%2C
  %22context%22%3A%7B%22user%22%3A%7B%22id%22%3A%22user_12345%22%7D%2C%22action%22%3A%22add_to_cart%22%7D%7D%5D
          ]]></artwork>
        </figure>
        <t>
          The agent re-sends the original request with a fresh SPIFFE
          client attestation at the <tt>interval</tt> specified in the
          interaction response.  Upon successful user consent, the AS
          returns the access token shown above.
        </t>
      </section>

      <section title="API Request to Resource Server">
        <figure>
          <artwork name="API Request" type="http"><![CDATA[
POST /cart/add HTTP/1.1
Host: api.shop.example
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL...
Content-Type: application/json

{
  "item_id": "SKU-789",
  "quantity": 1,
  "price": 42.99
}
          ]]></artwork>
        </figure>
        <t>
          The Resource Server validates the access token, extracts the
          <tt>rego_policy</tt> from <tt>authorization_details</tt>, and
          evaluates it against the request context (action, item price,
          user identity) using a Rego-compatible policy engine.
        </t>
      </section>
    </section>

    <section title="Acknowledgments" numbered="false">
      <t>
        The authors would like to thank Brian Campbell for his valuable
        feedback and insightful discussions on OAuth extension design.
        His contributions helped shape key aspects of this framework.
      </t>
    </section>
  </back>

</rfc>
