Hi OAuth WG,

We have published a new version of draft-li-oauth-delegated-authorization<https://datatracker.ietf.org/doc/html/draft-li-oauth-delegated-authorization-01> (GitHub: liuchunchi/li-oauth-delegated-authorization<https://github.com/liuchunchi/li-oauth-delegated-authorization>).

This draft defines a mechanism for clients (e.g. AI agents or user-controlled apps) to delegate a subset of their granted privileges to other parties (e.g. AI agents) in subordinate tokens, enabling fine-grained access control delegation while maintaining security and privacy.

Key updates since draft-00:

* Privacy Considerations - Added comprehensive analysis of privacy benefits including minimized authorization server visibility, no access pattern correlation, reduced data collection, and network traffic reduction. Also discusses trade-offs compared to Token Exchange (RFC 8693).
* Step-up Authorization Integration - Added Appendix B describing integration with step-up authorization challenge.

We are also planning a hackathon project<https://wiki.ietf.org/en/meeting/125/hackathon#oauth-delegated-authorization-for-ai-agents> at IETF 125 in Shenzhen that aims to implement this draft in AI agents.

Feedback and comments are welcome.

Best Regards,
Li Ruochen
