Episode 108 - GluuFederation/identerati-office-hours GitHub Wiki

Title: The Many Faces of Delegated Authorization

• Host: Mike Schwartz, Founder/CEO Gluu
• Guest: George Fletcher, Identerati at Capital One
• Co-Guest: Jen Schreiber, Sr Software Engineer, Identity at Workday

Channels

• Linkedin Event
• Youtube Video

Description

Delegated Authorization has been around for a long time.

🔑 OAuth is about one entity (usually a human) delegating authority to another entity (usually software) regarding resources owned by the first entity.

🤝 User Managed Access (UMA) addressed what became known as “Alice to Bob sharing.”

But with the rise of AI agents, another key use case has come to the forefront: the “on-behalf-of” model, where one entity delegates the authority for another entity to act as a fiduciary of the first. ⚠️ Much less work has been done within the industry to address this pattern.

In an world where the AI agents (🤖, 🤖 , 🤖 ...) might outnumber the humans, what models will we need to enable trusted delegation?

Homework

• What Agentic Software Really Means: It’s Not Autonomy, It’s Delegation, blog

• Linkedin Post (Feb-2024): 𝗔𝗿𝗲 𝗗𝗲𝗹𝗲𝗴𝗮𝘁𝗶𝗼𝗻 𝗮𝗻𝗱 𝗢𝗻-𝗯𝗲𝗵𝗮𝗹𝗳-𝗼𝗳 𝘁𝘄𝗼 𝘀𝗶𝗱𝗲𝘀 𝗼𝗳 𝘁𝗵𝗲 𝘀𝗮𝗺𝗲 𝘂𝘀𝗲 𝗰𝗮𝘀𝗲?

• Linkedin Article (Apr-2025): Delegating Your Personas: As-Known-As Delegation

• Linkedin Thread (Feb-2024): Some thoughts on how to obtain an on-behalf-of token.

• Linkedin Article (Mar-2024): What Might an On-Behalf Of Token Look Like

• Early Slides Delegated Authorization

Takeaways

• ⚡ Net-net, we're really far away from solving federated delegation. It's not clear what protocols are needed, to obtain what tokens, to input to what policy, defined by what schema, or what claim-to-schema mapping. So the good news, it's there are a lot of known unknowns. But of course there are also unkown-unknowns too.

• ⚡ UMA "Alice to Bob" sharing (i.e. Alice gives Bob access to her photos)--even this is not really widely possible today. Delegating access to an agent or fiduciary would be even harder.

• ⚡ The current token exchange process defined by "OAuth Identity and Authorization Chaining Across Domains" is convenient for a limited use case, but pretty inadequate for delegation. The two domains would still need to agree on the taxonomy of the tokens, i.e. the claims and the values of the JSON payload. I still think a bundle of Transaction Tokens, each representing a distinct delegation, could collectively capture a series of delegations. But the designers of transaction tokens unanimously don't like this idea.

• ⚡ Bespoke solutions are the typical current workaround. But this leaves gaps in audit logs, inconsistent applications, and difficulty scaling.

oauth chaining Diagram

authzen Diagram

Livestream Audio Archive

here