Dear Judith, Thanks for raising the topic. I share your concerns, in particular since AI driven clients are no longer software systems developed and tested for a certain functionality with reliable behavior, rather much more dynamic and unpredictable.
In my view, additional client authentication challenges cannot address the unpredictability of what the client is doing with the access it obtains. Therefore, continuous access evaluation solutions are important as they provide the signals that something is going wrong. In order for such signals to allow preventing further undesirable access, access grants should have shorter lifetimes requiring clients to periodically request renewed access, allowing intervention and prevention. Solution designs aiming to address these concerns should in my view leverage shorter grant lifetimes, refresh tokens and the Identity Assertion JWT Authorization Grant (cross-app-access) https://datatracker.ietf.org/doc/html/draft-ietf-oauth-identity-assertion-authz-grant, all of which require clients to engage authorization servers, which can then evaluate requested access. And +1 on the discussion, happy to learn about how the full mature CAEP driven solution can look like, which rfcs are involved etc. Regards, Yaron Classification: GENERAL From: Judith Kahrer <[email protected]> Sent: Thursday, July 2, 2026 6:42 PM To: oauth <[email protected]> Subject: [OAUTH-WG] Continuous Access Evaluation and Conditional Access Control for Clients This message is from an external sender - be cautious, particularly with links and attachments. Dear working group, I'm interested in the communities and other identity expert's view on a topic I have mulled over lately. With more and more focus on clients (mainly driven through AI discussions), isn't it time to start thinking about continuous access evaluation for clients? In such an environment, wouldn't it make sense for the authorization server to also challenge the client for additional input to increase its confidence in the client and its behavior, similar to MFA or step-up authentication for users? What are your takes, thoughts? Yours, Judith P.S.: "I don't care, I simply need to survive this day", " I'm too busy with other stuff. " or a simple "I haven't thought about it yet." are valid answers as well. This message and any attachment ("the Message") are confidential. If you have received the Message in error, please notify the sender immediately and delete the Message from your system, any use of the Message is forbidden. Correspondence via e-mail is primarily for information purposes. RBI neither makes nor accepts legally binding statements via e-mail unless explicitly agreed otherwise. Information pursuant to ยง 14 Austrian Companies Code: Raiffeisen Bank International AG; Registered Office: Am Stadtpark 9, 1030 Vienna, Austria; Company Register Number: FN 122119m at the Commercial Court of Vienna (Handelsgericht Wien).
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
