Hi all,

In preparation for OSW, I would like to draw your attention to a proposal that I documented in a new draft: OAuth Client Challenge Protocol
https://datatracker.ietf.org/doc/draft-kahrer-oauth-client-challenge-protocol/

While designing OAuth integrations for AI use cases, I identified a requirement where the authorization server needed to request more data from a client before it could form a final decision about a token request. With CIMD, clients may register on the fly (i.e., the authorization server may observe the client ID for the first time during an authorization or token request). A consequence of that is that the authorization server needs to be able to establish trust on the fly as well, and for that it may need more data. In addition, AI agents may have a grant that goes beyond the user's currently intended tasks, and the authorization server wants to double-check whether the client has a current mandate from the user for the requested access or whether it acts beyond some intended scope.

I pictured something like "MFA for clients". I was investigating use cases where there is no user (resource owner) and where the client is a third-party client acting on behalf of a user. I needed something similar to FiPA that challenged the client to provide data but that went beyond user authentication and focused on reassuring the grant (e.g., an existing token during token exchange or client credentials).

So, I came up with an extension to the OAuth token error response that challenges the client to provide more data to complement a grant. I ended up calling it the "OAuth Client Challenge Protocol". It is a simple and extensible protocol that fits into the existing landscape of OAuth standards (proposed or drafts) like CIMD, FiPA, RAR, PAR, and probably more. It simply defines a new error code for the token error response that allows the authorization server to define authorization requirements that the client needs to satisfy.

How does that sound? What do you think?

Best regards,
Judith Kahrer
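As an added illustration of the round trip the proposal describes (my own sketch, not code from the draft or its author): an authorization server that sees an unfamiliar client_id defers its decision, answers the token request with a challenge error listing what it still needs, and issues a token only once a resumed request satisfies those requirements, with the challenge bound to the client and consumed once. The error code `client_challenge_required`, the `challenge`/`challenge_id` parameters and the requirement names are placeholders chosen here; the draft defines its own wire format.

```python
import secrets

# Constructed sample registry: clients the AS already trusts. Any other
# client_id is "seen for the first time", as with CIMD on-the-fly registration.
KNOWN_CLIENTS = {"client-a"}
# Placeholder names for the challenge; the draft defines its own.
CHALLENGE_ERROR = "client_challenge_required"
REQUIRED_EVIDENCE = ["client_attestation", "user_mandate"]


class AuthorizationServer:
    def __init__(self):
        self.pending = {}  # challenge_id -> (client_id, outstanding requirements)

    def token(self, req: dict) -> tuple[int, dict]:
        client_id = req["client_id"]
        if "challenge_id" in req:
            # Resumed request: the challenge must exist, be bound to the same
            # client, and be consumed exactly once (no replay).
            entry = self.pending.pop(req["challenge_id"], None)
            if entry is None or entry[0] != client_id:
                return 400, {"error": "invalid_grant"}
            missing = [r for r in entry[1] if r not in req]
            if missing:
                return 400, {"error": "invalid_request",
                             "error_description": "missing " + ", ".join(missing)}
        elif client_id not in KNOWN_CLIENTS:
            # Unknown client: defer the decision and state what is still required.
            cid = secrets.token_urlsafe(16)
            self.pending[cid] = (client_id, list(REQUIRED_EVIDENCE))
            return 400, {"error": CHALLENGE_ERROR, "challenge_id": cid,
                         "challenge": list(REQUIRED_EVIDENCE)}
        return 200, {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def request_token(server, client_id: str, evidence: dict) -> tuple[int, dict]:
    """Client side: send a client_credentials request and, if challenged, resend
    it with the requested evidence attached and the challenge_id echoed back."""
    base = {"grant_type": "client_credentials", "client_id": client_id}
    status, body = server.token(base)
    if status == 400 and body.get("error") == CHALLENGE_ERROR:
        resumed = dict(base, challenge_id=body["challenge_id"])
        resumed.update({k: evidence[k] for k in body["challenge"] if k in evidence})
        status, body = server.token(resumed)
    return status, body
```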
