Hi Songyurong,

Quoting from the draft,

> Therefore, for these use cases, authorization needs to clarify which
> specific module of the client is being authorized. This draft
> proposes an authorization mechanism centered on a *target* -- role
> introduced to identify the client module requiring authorization. To
> support this, an optional extension field named *target_id* is added
> to the OAuth 2.0 protocol flow. The *target* may refer to virtual AI
> agents deployed on the client or AI models hosted on a physical AI
> agent.

I was thinking, could the same be achieved by modeling the agent module as a separate client and using the Identity Assertion Grant [1] to delegate permissions from the main client to the agent module?

In real-world scenarios, developers usually know the connection between the main app and the agent module ahead of time. So, they can configure IdP policies to make the agent module trust assertions from the main app and grant it the necessary permissions.

By the way, if you're interested in exploring identity for AI agent use cases, I'd suggest checking out the OIDF AIIM community group [2] as well.

[1] https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/
[2] https://openid.net/cg/artificial-intelligence-identity-management-community-group/

Regards
Pavindu

On Fri, Jul 11, 2025 at 1:51 PM songyurong <songyurong1= 40huawei....@dmarc.ietf.org> wrote:

> Dear OAuth Working Group Members,
>
> I am writing to propose a new topic for consideration within the working
> group and to invite your valuable input for further discussion.
>
> Here is the information about this draft:
>
> Name: draft-song-oauth-ai-agent-authorization
>
> Title: OAuth2.0 Extention for AI Agent: Authorization on Target
>
> URL: draft-song-oauth-ai-agent-authorization-00 - OAuth2.0 Extention
> for AI Agent: Authorization on Target
> <https://datatracker.ietf.org/doc/draft-song-oauth-ai-agent-authorization/>
>
> In this draft, we address to potential adapt authorization frameworks for
> the future AI agent. An extension is proposed in the OAuth 2.0 protocol
> with an optional field *target_id* for granular authorization. By
> explicitly identifying the target during authorization, the draft aims to
> support precise permission management and enhance traceability. Potential
> unauthorized or malicious behavior of AI components in the network can be
> mitigated through the proposed extension, while maintaining the
> compatibility of existing OAuth 2.0 workflows.
>
> Thank you for your time and consideration. I look forward to contributing
> to the WG. Any questions, suggestions and co-operation is welcomed.
>
> Best regards,
>
> Yurong Song
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org