Episode 108 - GluuFederation/identerati-office-hours GitHub Wiki
Title: The Many Faces of Delegated Authorization
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: George Fletcher, Identerati at Capital One
- Co-Guest: Jen Schreiber, Sr Software Engineer, Identity at Workday
Description
Delegated Authorization has been around for a long time.
🔐 OAuth is about one entity (usually a human) delegating authority to another entity (usually software) regarding resources owned by the first entity.
🤝 User Managed Access (UMA) addressed what became known as “Alice to Bob sharing.”
But with the rise of AI agents, another key use case has come to the forefront: the “on-behalf-of” model, where one entity delegates the authority for another entity to act as a fiduciary of the first. ⚠️ Much less work has been done within the industry to address this pattern.
In a world where AI agents (🤖, 🤖, 🤖 ...) might outnumber the humans, what models will we need to enable trusted delegation?
Homework
- What Agentic Software Really Means: It’s Not Autonomy, It’s Delegation, blog
- LinkedIn Post (Feb-2024): Are Delegation and On-behalf-of two Sides of the Same Use case?
- LinkedIn Article (Apr-2025): Delegating Your Personas: As-Known-As Delegation
- LinkedIn Thread (Feb-2024): Some thoughts on how to obtain an on-behalf-of token.
- LinkedIn Article (Mar-2024): What Might an On-Behalf Of Token Look Like
- Early Slides Delegated Authorization
Takeaways
- ⚡ Net-net, we're really far away from solving federated delegation. It's not clear what protocols are needed, to obtain what tokens, to input to what policy, defined by what schema, or what claim-to-schema mapping. So the good news is that there are a lot of known unknowns. But of course there are also unknown-unknowns too.
- ⚡ UMA "Alice to Bob" sharing (i.e. Alice gives Bob access to her photos): even this is not really widely possible today. Delegating access to an agent or fiduciary would be even harder.
- ⚡ The current token exchange process defined by "OAuth Identity and Authorization Chaining Across Domains" is convenient for a limited use case, but pretty inadequate for delegation. The two domains would still need to agree on the taxonomy of the tokens, i.e. the claims and the values of the JSON payload. I still think a bundle of Transaction Tokens, each representing a distinct delegation, could collectively capture a series of delegations. But the designers of transaction tokens unanimously don't like this idea.
- ⚡ Bespoke solutions are the typical current workaround. But this leaves gaps in audit logs, inconsistent applications, and difficulty scaling.
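To make the "on-behalf-of token" and "taxonomy of claims" points concrete, here is an added Python sketch (not code from the episode, its guests, or Gluu) of one way a delegation chain can be carried in a token today: the `act` and `may_act` claims from RFC 8693 (OAuth 2.0 Token Exchange), where `sub` stays the original principal and each further hop nests the previous actor under `act`. The signing key, issuer URL, subject and agent names, and the `DELEGATION_POLICY` table are all constructed for the example; the tokens are HS256 JWTs built with the standard library so it runs offline.

```python
"""Delegation chain as RFC 8693 'act' / 'may_act' claims (HS256 JWTs, stdlib only).

Everything concrete here is constructed for the example: the signing key, the issuer,
the subject and agent names, and the DELEGATION_POLICY table.
"""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"example-as-signing-key"          # hypothetical AS key, not a real secret
ISSUER = "https://as.example"                    # hypothetical authorization server
# Hypothetical AS-side policy: which actors may act for which subject when the
# subject token itself carries no 'may_act' restriction.
DELEGATION_POLICY = {"alice": {"agent-1", "agent-2"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Compact JWS with HS256; enough to show the claim structure."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SIGNING_KEY) -> dict:
    """Pin the algorithm and check the MAC before trusting any claim."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def actor_permitted(subject: dict, actor_sub: str) -> bool:
    """RFC 8693 s4.4: a 'may_act' claim on the subject token names who may act for it.
    If the token is silent, fall back to the AS's own (hypothetical) policy table."""
    may_act = subject.get("may_act")
    if may_act is not None:
        return may_act.get("sub") == actor_sub
    return actor_sub in DELEGATION_POLICY.get(subject["sub"], set())


def exchange_for_delegation(subject_token: str, actor_token: str, requested_scope: str) -> str:
    """AS side of a token exchange with both subject_token and actor_token present.

    'sub' stays the original principal; the actor is recorded in 'act', and any
    existing 'act' is nested underneath so earlier hops are not lost.
    """
    subject = verify_jwt(subject_token)
    actor = verify_jwt(actor_token)
    if subject["iss"] != ISSUER or actor["iss"] != ISSUER:
        raise ValueError("foreign issuer: cross-domain claim mapping not agreed here")
    if not actor_permitted(subject, actor["sub"]):
        raise PermissionError(f"{actor['sub']} may not act for {subject['sub']}")
    granted, wanted = set(subject["scope"].split()), set(requested_scope.split())
    if not wanted <= granted:   # a delegate never gets more than the delegator had
        raise PermissionError(f"scope escalation: {sorted(wanted - granted)}")
    act = {"sub": actor["sub"]}
    if "act" in subject:
        act["act"] = subject["act"]
    return sign_jwt({"iss": ISSUER, "sub": subject["sub"],
                     "scope": " ".join(sorted(wanted)), "act": act})


def delegation_chain(claims: dict) -> list:
    """Resource-server side: flatten nested 'act' into [current actor, ..., first actor]."""
    chain, node = [], claims.get("act")
    while node is not None:
        chain.append(node["sub"])
        node = node.get("act")
    return chain


def authorize(token: str, required_scope: str, trusted_actors: set) -> bool:
    """Every hop in the chain must be a trusted actor, and the scope must be present."""
    claims = verify_jwt(token)
    if required_scope not in claims["scope"].split():
        return False
    return all(a in trusted_actors for a in delegation_chain(claims))


if __name__ == "__main__":
    alice = sign_jwt({"iss": ISSUER, "sub": "alice", "scope": "photos.read photos.write"})
    agent1 = sign_jwt({"iss": ISSUER, "sub": "agent-1", "scope": ""})
    agent2 = sign_jwt({"iss": ISSUER, "sub": "agent-2", "scope": ""})
    hop1 = exchange_for_delegation(alice, agent1, "photos.read")
    hop2 = exchange_for_delegation(hop1, agent2, "photos.read")
    print(delegation_chain(verify_jwt(hop2)))                      # ['agent-2', 'agent-1']
    print(authorize(hop2, "photos.read", {"agent-1", "agent-2"}))  # True
```

Two things the sketch makes visible that the takeaway above only states: the resource server can only enforce the chain because both sides agreed on the claim names (`act`, `may_act`, `scope`), which is exactly the cross-domain agreement that does not exist yet; and a single token that nests every hop grows with the chain, which is the trade-off behind the "bundle of Transaction Tokens" alternative.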