Dear Judith,
Thanks for raising the topic.

I share your concerns, in particular since AI driven clients are no longer 
software systems developed and tested for a certain functionality with reliable 
behavior, rather much more dynamic and unpredictable.

In my view, additional client authentication challenges cannot address the 
unpredictability of what the client is doing with the access it obtains.
Therefore, continuous access evaluation solutions are important as they provide 
the signals that something is going wrong.

In order for such signals to allow preventing further undesirable access, 
access grants should have shorter lifetimes requiring clients to periodically 
request renewed access, allowing intervention and prevention.

Solution designs aiming to address these concerns should in my view leverage 
shorter grant lifetimes, refresh tokens and the Identity Assertion JWT 
Authorization Grant (cross-app-access) 
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-identity-assertion-authz-grant,
 all of which require clients to engage authorization servers, which can then 
evaluate requested access.

And +1 on the discussion, happy to learn about how the full mature CAEP driven 
solution can look like, which rfcs are involved etc.

Regards,
Yaron




Classification: GENERAL
From: Judith Kahrer <[email protected]>
Sent: Thursday, July 2, 2026 6:42 PM
To: oauth <[email protected]>
Subject: [OAUTH-WG] Continuous Access Evaluation and Conditional Access Control 
for Clients

This message is from an external sender - be cautious, particularly with links 
and attachments.

Dear working group,
I'm interested in the communities and other identity expert's view on a topic I 
have mulled over lately.
With more and more focus on clients (mainly driven through AI discussions), 
isn't it time to start thinking about continuous access evaluation for clients?
In such an environment, wouldn't it make sense for the authorization server to 
also challenge the client for additional input to increase its confidence in 
the client and its behavior, similar to MFA or step-up authentication for users?
What are your takes, thoughts?

Yours, Judith

P.S.: "I don't care, I simply need to survive this day", " I'm too busy with 
other stuff. " or a simple "I haven't thought about it yet." are valid answers 
as well.
This message and any attachment ("the Message") are confidential. If you have 
received the Message in error, please notify the sender immediately and delete 
the Message from your system, any use of the Message is forbidden. 
Correspondence via e-mail is primarily for information purposes. RBI neither 
makes nor accepts legally binding statements via e-mail unless explicitly 
agreed otherwise. Information pursuant to ยง 14 Austrian Companies Code: 
Raiffeisen Bank International AG; Registered Office: Am Stadtpark 9, 1030 
Vienna, Austria; Company Register Number: FN 122119m at the Commercial Court of 
Vienna (Handelsgericht Wien).
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to