Hi Pavindu,

Sorry for the delayed response. This has been a busy month. I've reviewed the draft you mentioned, and I agree with your suggestion of using identity assertion examples. In our previous draft, the use case mainly focuses on a virtual AI agent combined with the client, where the AI agent may not have its own certificate to build connection tunnels (e.g. TLS) with the AS, RS or other entities. I think your approach perfectly fills the gap in our earlier draft regarding a physical AI agent component separated from the client, which has its own certificate and the ability to build connection tunnels with others. I wonder if you'd be interested in collaborating on finalizing the draft together. Please let me know if this aligns with your schedule.

Regarding the identity of AI agents, I checked the OpenID website and found the overall project background and objectives insightful; however, I didn't find specific details about the identity format design on the site or on GitHub. I wonder if you might have any updates on when the project's whitepaper will be released? Our team is also working on this; currently we are designing the digital identity format of AI agents.

Again, my apologies for the delay, and thank you for your valuable comments. I look forward to hearing your thoughts.
Best regards,

From: Pavindu Lakshan <pavindulaks...@gmail.com>
Sent: July 12, 2025 18:05
To: songyurong <songyuro...@huawei.com>
Cc: oauth@ietf.org; liufei (E) <liufe...@huawei.com>
Subject: Re: [OAUTH-WG] Introduction for a new personal draft: OAuth2.0 Extention for AI Agent: Authorization on Target

Hi Songyurong,

Quoting from the draft:

Therefore, for these use cases, authorization needs to clarify which specific module of the client is being authorized. This draft proposes an authorization mechanism centered on a *target* -- role introduced to identify the client module requiring authorization. To support this, an optional extension field named *target_id* is added to the OAuth 2.0 protocol flow. The *target* may refer to virtual AI agents deployed on the client or AI models hosted on a physical AI agent.

I was thinking, could the same be achieved by modeling the agent module as a separate client and using the Identity Assertion Grant [1] to delegate permissions from the main client to the agent module? In real-world scenarios, developers usually know the connection between the main app and the agent module ahead of time. So, they can configure IdP policies to make the agent module trust assertions from the main app and grant it the necessary permissions.

By the way, if you're interested in exploring identity for AI agent use cases, I'd suggest checking out the OIDF AIIM community group [2] as well.

[1] https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/
[2] https://openid.net/cg/artificial-intelligence-identity-management-community-group/

Regards,
Pavindu

On Fri, Jul 11, 2025 at 1:51 PM songyurong <songyurong1=40huawei....@dmarc.ietf.org> wrote:

Dear OAuth Working Group Members,

I am writing to propose a new topic for consideration within the working group and to invite your valuable input for further discussion.
Here is the information about this draft:

Name: draft-song-oauth-ai-agent-authorization
Title: OAuth2.0 Extention for AI Agent: Authorization on Target
URL: https://datatracker.ietf.org/doc/draft-song-oauth-ai-agent-authorization/

In this draft, we address how authorization frameworks could potentially be adapted for the future AI agent. An extension is proposed in the OAuth 2.0 protocol with an optional field *target_id* for granular authorization. By explicitly identifying the target during authorization, the draft aims to support precise permission management and enhance traceability. Potential unauthorized or malicious behavior of AI components in the network can be mitigated through the proposed extension, while maintaining the compatibility of existing OAuth 2.0 workflows.

Thank you for your time and consideration. I look forward to contributing to the WG. Any questions, suggestions and co-operation are welcome.

Best regards,
Yurong Song

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
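As an added illustration of the delegation Pavindu describes above (not code from either draft or from anyone in this thread): an authorization server token endpoint that accepts an RFC 7523-style JWT bearer assertion issued by the main app on behalf of the agent-module client, and honours it only when its policy lists the main app as a trusted issuer for that agent. The claim layout, the HS256 shared secret, the AS identifier, the client names and the scope names are assumptions; the Identity Assertion Authorization Grant draft specifies its own exchange, which this simplifies.

```python
import base64, hashlib, hmac, json

AS_ID = "https://as.example"  # assumed AS identifier; assertions must be audienced to it

# Constructed per-issuer secrets; a deployment would use the main app's registered public key.
ISSUER_KEYS = {"main-app": b"constructed-demo-secret"}

# Hypothetical IdP policy: which issuers each agent-module client trusts,
# and the maximum set of scopes that may be delegated to that agent.
POLICY = {"agent-module": {"trusted_issuers": {"main-app"},
                           "max_scopes": {"read:files", "send:mail"}}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_assertion(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWS built by the main app to delegate to the agent module."""
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def issue_token(client_id: str, assertion: str, requested: set, now: float) -> dict:
    """AS handling of grant_type=jwt-bearer; client_id is the already-authenticated
    agent-module client presenting the assertion, requested is its scope set."""
    try:
        head, body, sig = assertion.split(".")
        claims = json.loads(_unb64(body))
    except ValueError:
        return {"error": "invalid_grant"}    # malformed assertion
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        return {"error": "invalid_grant"}    # unknown issuer
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig)):
        return {"error": "invalid_grant"}    # bad signature
    if claims.get("aud") != AS_ID or claims.get("exp", 0) <= now:
        return {"error": "invalid_grant"}    # wrong audience or expired
    if claims.get("client_id") != client_id:
        return {"error": "invalid_grant"}    # assertion names a different agent
    rule = POLICY.get(client_id, {})
    if claims["iss"] not in rule.get("trusted_issuers", set()):
        return {"error": "invalid_grant"}    # policy: this agent does not trust the issuer
    granted = requested & rule["max_scopes"]  # never exceed what policy delegates
    if not granted:
        return {"error": "invalid_scope"}
    return {"access_token": f"at-{client_id}-{int(now)}", "token_type": "Bearer",
            "scope": " ".join(sorted(granted)), "sub": claims.get("sub")}
```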