Episode 210 - GluuFederation/identerati-office-hours GitHub Wiki
Title: Attenuating Agentic Delegation Tokens
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Aimable (Niki), Security Engineering @Snap
Description
Modern AI agent ecosystems often rely on multiple autonomous agents working together to complete tasks, with each agent invoking tools or services on behalf of a user or organization. However, the authorization tokens used for these interactions are generally tied to the identity of the user or service account rather than the specific task being performed. While OAuth scopes can limit access to certain APIs, they do not define which tools an agent may use, what actions it may perform, or which parameters are appropriate for a given task.
As a result, an authorization token granted for a simple activity—such as checking flight availability—may also permit higher-risk actions like booking tickets or charging a corporate payment method. This creates a security gap that can be exploited through prompt injection attacks, model errors, or compromised agents, allowing them to exercise privileges beyond what is necessary for their assigned task. This is a modern example of the classic "confused deputy" problem applied to AI-driven delegation.
The challenge is further complicated by limitations in current identity and authorization frameworks. Architectures such as WIMSE support workload identity and identity propagation across services, while OAuth 2.0 provides mechanisms for issuing and managing access tokens. However, neither gives a token holder a way to derive a more restrictive token on its own and hand it to a downstream agent; OAuth token exchange, for example, needs a round trip to the authorization server for every delegation. Consequently, organizations are often forced to either grant every agent in the workflow broad access permissions or require each delegation step to go back to the authorization server.
For AI-driven workflows that execute numerous tool calls in rapid succession, operate across multiple trust domains, or function in environments with limited connectivity, repeatedly contacting the authorization server is often impractical. This highlights the growing need for delegation-aware authorization models that support fine-grained, task-specific permissions while maintaining security and operational efficiency.
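To make concrete what "deriving a more restrictive token offline" looks like, the following is an added example, not code from the episode, from Gluu, or from any framework mentioned above. It uses the chained-HMAC pattern popularized by macaroons: the authorization server signs the base claims with a root key, any holder can append a caveat by replacing the signature with HMAC(old signature, caveat) without contacting the server, and the verifier recomputes the whole chain from the root key, so a caveat can be added but never stripped. The root key, claim names, caveat grammar and tool names are constructed for illustration.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Token:
    payload: dict       # claims set by the authorization server
    caveats: List[str]  # restrictions appended by delegators, in order
    sig: str            # chained HMAC over payload and every caveat (hex)


def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def mint(root_key: bytes, payload: dict) -> Token:
    """Authorization server issues the broad token; only it knows root_key."""
    body = json.dumps(payload, sort_keys=True)
    return Token(payload, [], _mac(root_key, body).hex())


def attenuate(tok: Token, caveat: str) -> Token:
    """Any holder narrows the token offline. The old signature is discarded,
    so the recipient can add further caveats but cannot remove this one."""
    new_sig = _mac(bytes.fromhex(tok.sig), caveat).hex()
    return Token(tok.payload, tok.caveats + [caveat], new_sig)


def _caveat_holds(caveat: str, request: dict) -> bool:
    """Assumed caveat grammar: 'key=value', 'key<=number', 'key in a|b|c'."""
    if " in " in caveat:
        k, allowed = caveat.split(" in ", 1)
        return str(request.get(k)) in allowed.split("|")
    if "<=" in caveat:
        k, limit = caveat.split("<=", 1)
        return k in request and float(request[k]) <= float(limit)
    k, v = caveat.split("=", 1)
    return str(request.get(k)) == v


def verify(root_key: bytes, tok: Token, request: dict, now=None) -> Tuple[bool, str]:
    """Tool gateway check: recompute the chain, then evaluate every caveat
    against the concrete tool call (tool name, action, parameters)."""
    now = time.time() if now is None else now
    sig = _mac(root_key, json.dumps(tok.payload, sort_keys=True))
    for c in tok.caveats:
        sig = _mac(sig, c)
    if not hmac.compare_digest(sig.hex(), tok.sig):
        return False, "bad signature"          # stripped or edited caveat
    if tok.payload.get("exp", 0) < now:
        return False, "expired"
    for c in tok.caveats:
        if not _caveat_holds(c, request):
            return False, f"caveat failed: {c}"
    return True, "ok"


def demo() -> Dict[str, bool]:
    root_key = b"authorization-server-secret (constructed)"
    # AS hands the orchestrating agent Alice's broad travel token.
    root = mint(root_key, {"sub": "alice", "scope": "travel", "exp": 4102444800})
    # Orchestrator delegates to the flight-search sub-agent with no AS round trip:
    # read-only tools and a spending ceiling of zero.
    search_only = attenuate(root, "tool in flights.search|flights.status")
    search_only = attenuate(search_only, "max_amount<=0")
    # A compromised sub-agent tries to drop the tool restriction.
    stripped = Token(search_only.payload, search_only.caveats[:-2], search_only.sig)

    search = {"tool": "flights.search", "max_amount": 0}
    book = {"tool": "flights.book", "max_amount": 900}
    return {
        "root_can_book": verify(root_key, root, book)[0],
        "sub_can_search": verify(root_key, search_only, search)[0],
        "sub_cannot_book": not verify(root_key, search_only, book)[0],
        "stripped_rejected": not verify(root_key, stripped, book)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The verifier needs the root key, so this variant suits a gateway in the same trust domain as the authorization server; crossing trust domains needs a public-key variant of the same idea (as in Biscuit tokens) or a third-party caveat discharged by the remote domain. Either way the delegation step itself stays offline.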