Hi,

Thanks for your Draft.

Here are some comments on the elements listed as Gaps:


  *   Section 3.1.1:
     *   You identify that OAuth is not capable of understand an intent. True 
but is it the purpose of OAuth? The Agent will rely on the LLM  to understand 
how the task need to be decomposed based on the tools and other agents 
available. At the end, this is for the Tools and Agents allowing to fulfill the 
task that the Agent will need to acquire consented delegation of Authorization. 
MCP Servers and Agent Card can contain information about the AS to contact and 
the scopes and potentially RAR authorization details 
(RFC9396<datatracker.ietf.org/doc/rfc9396/>) required to call them thanks to 
OAuth2.0 Protected Resource Metadata 
(RFC9728<https://datatracker.ietf.org/doc/rfc9728/>)
     *   You indicate that there is no No Standardized Interactive Flow.  But 
again is this even an OAuth problem? If the Agent needs more information from 
the User / Resource Owner, Agentic AI Development Frameworks like CrewAI, 
LangChain, LangGraph, Strands and other have all the capabilities to do such 
things through their converse API. Additional Information provided by the User 
/ Resource Owner will allow, thanks again to the LLM, to the selection of a new 
set of Tools and Agents to fulfill the updated Taks and new consented 
Delegation of Authorization will be acquired as explained in the previous point.
     *   Impractical Revocation. There are two points here: 1/ Tokens are 
stateless and lifetime is a perfect dimension to also control the permissions 
accumulation; 2/ You completely omits that write operations could be perform 
through the usage of Transaction Tokens (see 
https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/  and 
https://datatracker.ietf.org/doc/html/draft-oauth-transaction-tokens-for-agents 
)bound to a specific task / intent  (in this case a picnic event)
  *   Section 3.1.2 is frivolous. It does not include any mention of usage of 
AI. This is the old Smart Home Automation use case we know for years and has 
very successful deployment at the Enterprise and Open Source level: see Apple, 
Google, Home Assistant, Ring, etc.
     *   "Scope Explosion" and Usability : Again you forgot about the ability 
to use RAR authorization details (RFC9396<datatracker.ietf.org/doc/rfc9396/>) 
as a way to express Token Boundaries in Token but more importantly when in 
single Trust Domain, most of those scoping are stored in backend Policy 
Decision Point’s policy stores and only referenced in Tokens.
     *   No Standardized Policy Enforcement: Again this is a big misconception. 
OAuth is perfectly capable of handling claims that are JSON Structure that 
could host such information as “At 7 AM” or “in between 6AM and 8 AM”. But at 
the end of the the policy enforcement is done by the Resource Server after 
receiving all the information from the token, retrieving other information from 
other Policy Information Point and submitting the Authorization Request to the 
Policy Decision Point. None of those actions are in the scope of OAuth which 
always set those as explicitly ‘out of scope” in any OAuth RFC. If you are 
looking for standards, you should look at OpenID Foundation AuthZEN (see 
https://openid.net/wg/authzen/)
     *   No Standardized Bulk Revocation: I agree that there is no standardized 
Global Sign Out.
  *   Section 3.1.3 does not encompass the latest and greatest of OAuth
     *   If tokens are cryptographically bound to a client key, they cannot be 
shared and reused by AI Agent as they don’t have access to the key. See DPoP 
(RFC9449<https://datatracker.ietf.org/doc/html/rfc9449>)
     *   Therefore the AI Agent needs to possess their own Client identifier 
and that is where Draft like CIMD are useful as the document they exposes can 
establish the Agentic nature of the client (see 
https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)
     *   Also we start to see a movement for Agent Registration ahead of time. 
That is what WebBotAuth WG came to - 
https://datatracker.ietf.org/wg/webbotauth/about/
     *   Finally we a lot of Workload Identity Federation support among 
OpenAI<https://developers.openai.com/api/docs/guides/workload-identity-federation>,
 
Anthropic<https://platform.claude.com/docs/en/manage-claude/workload-identity-federation>,
 and 
Snowflake<https://docs.snowflake.com/en/user-guide/workload-identity-federation>
  *   Section 3.1.4 is a real problem but globally  even MCP decide to 
standardize around STDIO and not RPC JSON for local access. All Operating 
Systems are still locked on ACLs access control and not open for supporting a 
Web Authorization Framework like OAuth
     *   Side note on the Policy enforcement point, there solutions like 
https://github.com/trusted-remote-execution/trusted-remote-execution
  *   Section 3.2.1: You are right but there is progress in the right direction 
with ID JAG (see 
https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/)
 and Transaction Token Authorization Grant Profile for OAuth Identity and 
Authorization 
Chaining<https://datatracker.ietf.org/doc/draft-fletcher-transaction-token-chaining-profile/>.
  *   Section 3.2.2: I might not sure how you are making it different from 
3.2.1. You forget that each agent from the group can work unitarily from the 
coordinator scoped Token they are called with from which they can Token 
Exchange, ID-JAG and cross domain accordingly. What can they exchange to? that 
is a policy enforcement at the AS and outside of the scope of OAuth.
  *   Section 3.2.3: you make it sound like it should its own peculiar beast… 
And that is what causes the problem. by doing so you are calling out for custom 
solutions. This use case is not different from 3.2.1 and 3.2.2 IMO.
  *   Section 3.2.4: As noted you miss Transaction Token Authorization Grant 
Profile for OAuth Identity and Authorization 
Chaining<https://datatracker.ietf.org/doc/draft-fletcher-transaction-token-chaining-profile/>.
  *   Section 3.3.1: Security Agents are not existing out of vacuum. They are 
configured by SecOps therefore they have owners they can act on behalf of. Also 
they are rarely one agent but a chain of agents to have of custody and clear 
bounding in the actions authorized to be taken. At AWS we do since at least 
2010 through RPA and AI did not change the authorization model. In a nutshell 
this is not different again from 3.2.1 and 3.2.2

My Canadian 2 cents

Jeff
Jean-François “Jeff” Lombardo | Amazon Web Services

Architecte Principal de Solutions, Stratégie de Sécurité
Principal Solution Architect, Security Strategy
Montréal, Canada

Commentaires à propos de notre échange? Exprimez-vous 
ici<https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>.

Thoughts on our interaction? Provide feedback 
here<https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>.

From: [email protected] <[email protected]>
Sent: July 6, 2026 12:26 AM
To: oauth <[email protected]>
Subject: [EXT] [OAUTH-WG] Re: New Version Notification for 
draft-chen-oauth-agent-authz-use-cases-01.txt


CAUTION: This email originated from outside of the organization. Do not click 
links or open attachments unless you can confirm the sender and know the 
content is safe.


AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur externe. Ne 
cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous ne pouvez pas 
confirmer l’identité de l’expéditeur et si vous n’êtes pas certain que le 
contenu ne présente aucun risque.


Hi all,

We are writing to introduce a new Internet-Draft, "Agent Authorization Use 
Cases and Gap Analysis," which we believe is highly relevant to the future work 
of Oauth.

HTMLized: 
https://datatracker.ietf.org/doc/html/draft-chen-oauth-agent-authz-use-cases

https://github.com/Maisy-ML/Agent-Authorization-Use-Cases

This draft's primary goal is not to propose a solution, but rather to clearly 
define the problem space. It provides a systematic analysis of emerging 
agent-based use cases, categorizing them into distinct scenarios (from simple 
assistants to complex agent swarms).

For each use case, the draft details the specific authorization requirements 
and then performs a comprehensive gap analysis against the existing OAuth 2.0 
framework and its common extensions. It aims to answer the question: "Where do 
current standards fall short when faced with the demands of AI agents?"

Key gaps identified include challenges related to:

  *   Handling long-lived, offline, and autonomous tasks.
  *   Representing and securing complex, multi-step delegation chains.
  *   Enabling contextual and interactive user consent during a task.
  *   Providing fine-grained, task-level authorization and revocation.
  *   Managing authorization for groups or "swarms" of agents.

We hope this document can serve as a foundational piece to spark a focused 
discussion within the working group.

Feedback, comments, critiques, and suggestions are invaluable. We believe this 
is a crucial conversation for the future of authorization, and we look forward 
to discussing it with you on this mailing list.

Best,

Meiling

________________________________
[email protected]<mailto:[email protected]>

From: internet-drafts<mailto:[email protected]>
Date: 2026-07-06 00:20
To: Chunchi Peter Liu<mailto:[email protected]>; Jia 
Chen<mailto:[email protected]>; Jiankang Yao<mailto:[email protected]>; 
Meiling Chen<mailto:[email protected]>; Peter 
Liu<mailto:[email protected]>; Yuning 
Jiang<mailto:[email protected]>
Subject: New Version Notification for 
draft-chen-oauth-agent-authz-use-cases-01.txt
A new version of Internet-Draft draft-chen-oauth-agent-authz-use-cases-01.txt
has been successfully submitted by Meiling Chen and posted to the
IETF repository.

Name:     draft-chen-oauth-agent-authz-use-cases
Revision: 01
Title:    Agent Authorization use cases and gap analysis
Date:     2026-07-05
Group:    Individual Submission
Pages:    20
URL:      
https://www.ietf.org/archive/id/draft-chen-oauth-agent-authz-use-cases-01.txt
Status:   
https://datatracker.ietf.org/doc/draft-chen-oauth-agent-authz-use-cases/
HTML:     
https://www.ietf.org/archive/id/draft-chen-oauth-agent-authz-use-cases-01.html
HTMLized: 
https://datatracker.ietf.org/doc/html/draft-chen-oauth-agent-authz-use-cases
Diff:     
https://author-tools.ietf.org/iddiff?url2=draft-chen-oauth-agent-authz-use-cases-01

Abstract:

   This document provides a systematic analysis of these emerging agent-
   based use cases.  It categorizes them into distinct scenarios,
   details their specific authorization requirements, and performs a
   comprehensive gap analysis against the existing OAuth 2.0 framework
   [RFC6749] and its common extensions.  The analysis identifies
   fundamental mismatches, the goal of this document is to articulate
   these gaps clearly, providing a foundation for future work on new
   extensions within the OAuth Working Group to address the
   authorization needs of the next generation of ai agents.



The IETF Secretariat


_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to