Episode 108 - GluuFederation/identerati-office-hours GitHub Wiki

Title: The Many Faces of Delegated Authorization

Description

Delegated Authorization has been around for a long time.

🔑 OAuth is about one entity (usually a human) delegating authority to another entity (usually software) regarding resources owned by the first entity.

🤝 User Managed Access (UMA) addressed what became known as "Alice to Bob sharing."

But with the rise of AI agents, another key use case has come to the forefront: the "on-behalf-of" model, where one entity delegates the authority for another entity to act as a fiduciary of the first. ⚠️ Much less work has been done within the industry to address this pattern.

In a world where the AI agents (🤖, 🤖, 🤖 ...) might outnumber the humans, what models will we need to enable trusted delegation?

Takeaways

  • ⚡ Net-net, we're really far away from solving federated delegation. It's not clear what protocols are needed, to obtain what tokens, to input to what policy, defined by what schema, or what claim-to-schema mapping. So the good news is that there are a lot of known unknowns. But of course there are also unknown-unknowns too.

  • ⚡ UMA "Alice to Bob" sharing (i.e. Alice gives Bob access to her photos)--even this is not really widely possible today. Delegating access to an agent or fiduciary would be even harder.

  • ⚡ The current token exchange process defined by "OAuth Identity and Authorization Chaining Across Domains" is convenient for a limited use case, but pretty inadequate for delegation. The two domains would still need to agree on the taxonomy of the tokens, i.e. the claims and the values of the JSON payload. I still think a bundle of Transaction Tokens, each representing a distinct delegation, could collectively capture a series of delegations. But the designers of transaction tokens unanimously don't like this idea.

  • ⚡ Bespoke solutions are the typical current workaround. But this leaves gaps in audit logs, inconsistent applications, and difficulty scaling.
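The "bundle of tokens, each representing a distinct delegation" idea from the third takeaway, as an added sketch that is not the episode's code and not the Transaction Token draft's actual format: each hop is a separately signed token whose delegator must be the previous hop's delegate and whose scope may not exceed what that hop received, and the shared REQUIRED claim list stands in for the cross-domain claim taxonomy the two domains would have to agree on. The claim names, the HMAC shared key and the Alice/Bob/agent chain are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared key (assumption: HMAC stands in for the per-domain signing keys
# a real cross-domain deployment would use).
SECRET = b"constructed-demo-key"
# Hypothetical claim taxonomy both domains must agree on; not the Transaction
# Token draft's real claim names.
REQUIRED = ("delegator", "delegate", "scope", "depth")

def sign(claims):
    """Encode claims as base64url JSON and append an HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).rstrip(b"=")
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def parse(token):
    """Check the tag in constant time, then decode the claims."""
    body, tag = token.split(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def verify_chain(tokens, root_owner):
    """Walk the bundle hop by hop: each hop must use the agreed schema, link to the
    previous delegate, and carry a scope no wider than the one it received.
    Returns (final delegate, effective scope) or raises ValueError."""
    prev_delegate, allowed = root_owner, None
    for i, token in enumerate(tokens):
        c = parse(token)
        missing = [k for k in REQUIRED if k not in c]
        if missing:
            raise ValueError(f"hop {i}: schema mismatch, missing {missing}")
        if c["depth"] != i or c["delegator"] != prev_delegate:
            raise ValueError(f"hop {i}: broken delegation link")
        scope = set(c["scope"])
        if allowed is not None and not scope <= allowed:
            raise ValueError(f"hop {i}: scope escalation {sorted(scope - allowed)}")
        prev_delegate, allowed = c["delegate"], scope
    return prev_delegate, sorted(allowed or [])

# Constructed chain: Alice shares with Bob (UMA style), then Bob delegates to his AI agent.
BUNDLE = [
    sign({"delegator": "alice", "delegate": "bob", "scope": ["photos:read", "photos:share"], "depth": 0}),
    sign({"delegator": "bob", "delegate": "agent-42", "scope": ["photos:read"], "depth": 1}),
]
```

A token minted under a different claim vocabulary (say `sub`/`act` instead of `delegator`/`delegate`) fails the schema check even though its signature is valid, which is the taxonomy-agreement gap the takeaway points at.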

[Diagram: OAuth identity and authorization chaining]

[Diagram: AuthZEN]
