Hi all, I've posted a draft defining Attenuating Authorization Tokens (AATs) <https://datatracker.ietf.org/doc/draft-niyikiza-oauth-attenuating-agent-tokens/>, a token format for delegation across multi-agent systems that draws on capability-based authorization. It profiles existing OAuth mechanisms where possible, and I'd value the WG's review.
The problem: in multi-agent workflows, an agent receives authority scoped to a session, principal, or workflow and carries it unchanged, across every tool call it makes and every sub-agent it delegates to. The draft defines: - a profile of RFC 9396 authorization_details for tool-level capability claims, with typed argument constraints; - offline derivation of child tokens by a token holder, with no AS round trip; - attenuation invariants enforcing that derived tokens can only narrow authority across capability, delegation depth, and lifetime; - cryptographic parent-to-child linkage, verifiable against the root trust anchor; and - proof-of-possession binding at invocation time. It builds on RFC 9396 and RFC 9201, differs from RFC 8693 Token Exchange in making the attenuation chain offline-verifiable rather than AS-mediated, and is meant to complement WIMSE's workload-identity work. There is also a reference implementation covering token derivation and chain verification; the draft's Implementation Status section has details. I'd particularly welcome review of the attenuation invariants, the constraint-subsumption model, and the offline chain-verification model, along with views on whether the WG sees this problem space as in scope. Draft: https://datatracker.ietf.org/doc/draft-niyikiza-oauth-attenuating-agent-tokens/ Thanks, Niki -- Niki Aimable Niyikiza Tenuo
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
