Hello OAuth WG,

I’d like to introduce ZeroID, an open-source implementation focused on OAuth 
2.0 / OAuth 2.1 delegation and token exchange patterns in autonomous agent and 
machine-to-machine systems.

Repository:
https://github.com/highflame-ai/zeroid

ZeroID is built directly on top of established OAuth mechanisms, with a focus 
on implementing and stress-testing real-world delegation semantics using:

- OAuth 2.0 authorization flows (RFC 6749),
- Token Exchange (RFC 8693),
- constrained and attenuated delegation of authority,
- impersonation and on-behalf-of patterns,
- multi-hop delegation chains between non-human actors.

Rather than introducing a new authorization framework, ZeroID implements a 
concrete model of how OAuth-based delegation behaves in autonomous agent 
environments where:

- authority is dynamically delegated across multiple agents,
- execution chains may extend beyond initial authorization events,
- tokens are exchanged across multiple hops and contexts,
- downstream services require verifiable provenance of delegated actions.

The goal of ZeroID is to serve as a reference implementation of OAuth-style 
delegation in these emerging workloads, and to provide a concrete system for 
evaluating where current specifications are sufficient and where semantic gaps 
may exist.

We are particularly interested in feedback from the WG on:

- Whether RFC 8693-style token exchange adequately captures multi-hop
  delegation chains in autonomous systems,
- How existing OAuth semantics should be interpreted when both delegating and
  delegated parties are non-human agents,
- Any known limitations or constraints in representing attenuated authority
  across multiple delegation steps,
- Whether there are existing WG efforts or drafts that already address these
  patterns more directly.

We believe OAuth already provides a strong foundation for this space, and 
ZeroID is intended to demonstrate a concrete, interoperable implementation of 
those mechanisms under realistic autonomous-agent workloads.

We would welcome any feedback, critiques, or pointers to related work.

Best regards,
Sharath Rajasekar (www.highflame.com <http://www.highflame.com/>)
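
Added example (not part of the original message and not ZeroID code): a minimal model of the multi-hop delegation and attenuated authority the message asks about, using the nested `act` claim of RFC 8693 section 4.1 and the space-delimited `scope` claim. Claims are plain dicts with no signing, the subset-of-scope rule is an assumed policy, and all subject and agent names are constructed.

```python
# Added illustration, not ZeroID code. Claims are plain dicts (no JWT signing).

def actor_chain(claims):
    """Actors, current first, from nested `act` claims (RFC 8693 section 4.1)."""
    chain, act = [], claims.get("act")
    while isinstance(act, dict):
        chain.append(act.get("sub"))
        act = act.get("act")
    return chain

def exchange(subject_claims, actor_sub, requested_scope):
    """Model one delegation hop for `actor_sub` acting on behalf of the subject.

    Assumed policy: the requested scope must be a subset of the scope in the
    token being exchanged, so authority can only shrink along the chain.
    """
    held = set(subject_claims.get("scope", "").split())
    wanted = set(requested_scope.split())
    if not wanted <= held:
        raise PermissionError(f"scope escalation: {sorted(wanted - held)}")
    issued = {"sub": subject_claims["sub"],
              "scope": " ".join(sorted(wanted)),
              "act": {"sub": actor_sub}}
    if isinstance(subject_claims.get("act"), dict):
        issued["act"]["act"] = subject_claims["act"]  # keep prior actors nested
    return issued

# Constructed sample claims: a user token, then two agent hops.
USER = {"sub": "user:alice", "scope": "calendar.read calendar.write mail.read"}
HOP1 = exchange(USER, "agent:planner", "calendar.read calendar.write")
HOP2 = exchange(HOP1, "agent:scheduler", "calendar.read")

def try_escalation():
    """Second agent asks for a scope that the first hop already dropped."""
    try:
        exchange(HOP1, "agent:scheduler", "calendar.read mail.read")
    except PermissionError as err:
        return str(err)
    return None

if __name__ == "__main__":
    print(actor_chain(HOP2))
    print(HOP2)
    print(try_escalation())
```

The nested `act` chain records who acted at each hop, but nothing in it records which scopes each hop held; that has to be enforced at exchange time, as the subset check does here.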

