Hi Jeff, Thank you very much for taking the time to provide such detailed and professional feedback on our draft, draft-chen-oauth-agent-authz-use-cases-01. Your comments are incredibly helpful, and we particularly appreciate you pointing out the various existing RFCs and other ongoing drafts that are relevant to our use cases. This context is crucial for us to accurately position our work and refine our analysis. Given the number of references and the depth of your analysis, we will need some time to carefully review all the documents you've mentioned and digest the information thoroughly. We plan to formulate a more detailed response and discuss our next steps for the draft in the coming days. Thank you again for your valuable contribution. Best, Meiling
[email protected] From: Lombardo, Jeff Date: 2026-07-13 18:50 To: [email protected] CC: oauth; Lombardo, Jeff Subject: RE: [OAUTH-WG] Re: New Version Notification for draft-chen-oauth-agent-authz-use-cases-01.txt Hi, Thanks for your Draft. Here are some comments on the elements listed as Gaps: Section 3.1.1: You identify that OAuth is not capable of understand an intent. True but is it the purpose of OAuth? The Agent will rely on the LLM to understand how the task need to be decomposed based on the tools and other agents available. At the end, this is for the Tools and Agents allowing to fulfill the task that the Agent will need to acquire consented delegation of Authorization. MCP Servers and Agent Card can contain information about the AS to contact and the scopes and potentially RAR authorization details (RFC9396) required to call them thanks to OAuth2.0 Protected Resource Metadata (RFC9728) You indicate that there is no No Standardized Interactive Flow. But again is this even an OAuth problem? If the Agent needs more information from the User / Resource Owner, Agentic AI Development Frameworks like CrewAI, LangChain, LangGraph, Strands and other have all the capabilities to do such things through their converse API. Additional Information provided by the User / Resource Owner will allow, thanks again to the LLM, to the selection of a new set of Tools and Agents to fulfill the updated Taks and new consented Delegation of Authorization will be acquired as explained in the previous point. Impractical Revocation. There are two points here: 1/ Tokens are stateless and lifetime is a perfect dimension to also control the permissions accumulation; 2/ You completely omits that write operations could be perform through the usage of Transaction Tokens (see https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/ and https://datatracker.ietf.org/doc/html/draft-oauth-transaction-tokens-for-agents )bound to a specific task / intent (in this case a picnic event) Section 3.1.2 is frivolous. It does not include any mention of usage of AI. This is the old Smart Home Automation use case we know for years and has very successful deployment at the Enterprise and Open Source level: see Apple, Google, Home Assistant, Ring, etc. "Scope Explosion" and Usability : Again you forgot about the ability to use RAR authorization details (RFC9396) as a way to express Token Boundaries in Token but more importantly when in single Trust Domain, most of those scoping are stored in backend Policy Decision Point’s policy stores and only referenced in Tokens. No Standardized Policy Enforcement: Again this is a big misconception. OAuth is perfectly capable of handling claims that are JSON Structure that could host such information as “At 7 AM” or “in between 6AM and 8 AM”. But at the end of the the policy enforcement is done by the Resource Server after receiving all the information from the token, retrieving other information from other Policy Information Point and submitting the Authorization Request to the Policy Decision Point. None of those actions are in the scope of OAuth which always set those as explicitly ‘out of scope” in any OAuth RFC. If you are looking for standards, you should look at OpenID Foundation AuthZEN (see https://openid.net/wg/authzen/) No Standardized Bulk Revocation: I agree that there is no standardized Global Sign Out. Section 3.1.3 does not encompass the latest and greatest of OAuth If tokens are cryptographically bound to a client key, they cannot be shared and reused by AI Agent as they don’t have access to the key. See DPoP (RFC9449) Therefore the AI Agent needs to possess their own Client identifier and that is where Draft like CIMD are useful as the document they exposes can establish the Agentic nature of the client (see https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) Also we start to see a movement for Agent Registration ahead of time. That is what WebBotAuth WG came to - https://datatracker.ietf.org/wg/webbotauth/about/ Finally we a lot of Workload Identity Federation support among OpenAI, Anthropic, and Snowflake Section 3.1.4 is a real problem but globally even MCP decide to standardize around STDIO and not RPC JSON for local access. All Operating Systems are still locked on ACLs access control and not open for supporting a Web Authorization Framework like OAuth Side note on the Policy enforcement point, there solutions like https://github.com/trusted-remote-execution/trusted-remote-execution Section 3.2.1: You are right but there is progress in the right direction with ID JAG (see https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/) and Transaction Token Authorization Grant Profile for OAuth Identity and Authorization Chaining. Section 3.2.2: I might not sure how you are making it different from 3.2.1. You forget that each agent from the group can work unitarily from the coordinator scoped Token they are called with from which they can Token Exchange, ID-JAG and cross domain accordingly. What can they exchange to? that is a policy enforcement at the AS and outside of the scope of OAuth. Section 3.2.3: you make it sound like it should its own peculiar beast… And that is what causes the problem. by doing so you are calling out for custom solutions. This use case is not different from 3.2.1 and 3.2.2 IMO. Section 3.2.4: As noted you miss Transaction Token Authorization Grant Profile for OAuth Identity and Authorization Chaining. Section 3.3.1: Security Agents are not existing out of vacuum. They are configured by SecOps therefore they have owners they can act on behalf of. Also they are rarely one agent but a chain of agents to have of custody and clear bounding in the actions authorized to be taken. At AWS we do since at least 2010 through RPA and AI did not change the authorization model. In a nutshell this is not different again from 3.2.1 and 3.2.2 My Canadian 2 cents Jeff Jean-François “Jeff” Lombardo | Amazon Web Services Architecte Principal de Solutions, Stratégie de Sécurité Principal Solution Architect, Security Strategy Montréal, Canada Commentaires à propos de notre échange? Exprimez-vous ici. Thoughts on our interaction? Provide feedback here. From: [email protected] <[email protected]> Sent: July 6, 2026 12:26 AM To: oauth <[email protected]> Subject: [EXT] [OAUTH-WG] Re: New Version Notification for draft-chen-oauth-agent-authz-use-cases-01.txt CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur externe. Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous ne pouvez pas confirmer l’identité de l’expéditeur et si vous n’êtes pas certain que le contenu ne présente aucun risque. Hi all, We are writing to introduce a new Internet-Draft, "Agent Authorization Use Cases and Gap Analysis," which we believe is highly relevant to the future work of Oauth. HTMLized: https://datatracker.ietf.org/doc/html/draft-chen-oauth-agent-authz-use-cases https://github.com/Maisy-ML/Agent-Authorization-Use-Cases This draft's primary goal is not to propose a solution, but rather to clearly define the problem space. It provides a systematic analysis of emerging agent-based use cases, categorizing them into distinct scenarios (from simple assistants to complex agent swarms). For each use case, the draft details the specific authorization requirements and then performs a comprehensive gap analysis against the existing OAuth 2.0 framework and its common extensions. It aims to answer the question: "Where do current standards fall short when faced with the demands of AI agents?" Key gaps identified include challenges related to: Handling long-lived, offline, and autonomous tasks. Representing and securing complex, multi-step delegation chains. Enabling contextual and interactive user consent during a task. Providing fine-grained, task-level authorization and revocation. Managing authorization for groups or "swarms" of agents. We hope this document can serve as a foundational piece to spark a focused discussion within the working group. Feedback, comments, critiques, and suggestions are invaluable. We believe this is a crucial conversation for the future of authorization, and we look forward to discussing it with you on this mailing list. Best, Meiling [email protected] From: internet-drafts Date: 2026-07-06 00:20 To: Chunchi Peter Liu; Jia Chen; Jiankang Yao; Meiling Chen; Peter Liu; Yuning Jiang Subject: New Version Notification for draft-chen-oauth-agent-authz-use-cases-01.txt A new version of Internet-Draft draft-chen-oauth-agent-authz-use-cases-01.txt has been successfully submitted by Meiling Chen and posted to the IETF repository. Name: draft-chen-oauth-agent-authz-use-cases Revision: 01 Title: Agent Authorization use cases and gap analysis Date: 2026-07-05 Group: Individual Submission Pages: 20 URL: https://www.ietf.org/archive/id/draft-chen-oauth-agent-authz-use-cases-01.txt Status: https://datatracker.ietf.org/doc/draft-chen-oauth-agent-authz-use-cases/ HTML: https://www.ietf.org/archive/id/draft-chen-oauth-agent-authz-use-cases-01.html HTMLized: https://datatracker.ietf.org/doc/html/draft-chen-oauth-agent-authz-use-cases Diff: https://author-tools.ietf.org/iddiff?url2=draft-chen-oauth-agent-authz-use-cases-01 Abstract: This document provides a systematic analysis of these emerging agent- based use cases. It categorizes them into distinct scenarios, details their specific authorization requirements, and performs a comprehensive gap analysis against the existing OAuth 2.0 framework [RFC6749] and its common extensions. The analysis identifies fundamental mismatches, the goal of this document is to articulate these gaps clearly, providing a foundation for future work on new extensions within the OAuth Working Group to address the authorization needs of the next generation of ai agents. The IETF Secretariat
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
