| Internet-Draft | OAuth 2.0 Extension: On-Behalf-Of User A | May 2025 |
| Senarath | Expires 3 November 2025 | [Page] |
This specification defines an extension to the OAuth 2.0 Authorization Framework [RFC6749] to enable AI agents to obtain delegated access tokens to act on behalf of users. It introduces a new authorization request parameter, requested_agent, and defines a grant type, urn:ietf:params:oauth:grant-type:agent-authorization_code, specifically designed to facilitate explicit user consent for an agent's actions and enable the agent to exchange an authorization code for a delegated access token using its own authentication credentials (an agent token). The extension ensures secure delegation, explicit user consent captured at the authorization server, and enhanced auditability through specific token claims that document the delegation path from the user to the agent acting via a client application.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 3 November 2025.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
AI agents are increasingly integrated into systems to perform tasks on behalf of users. These agents often require access to protected resources, necessitating a robust and secure authorization mechanism that accurately reflects the user's intent and the agent's role in the access request. Standard OAuth 2.0 flows, such as the Authorization Code Grant [RFC6749] and the Client Credentials Grant [RFC6749], do not fully address the nuances of agent delegation where explicit user consent for a specific agent's action is required and the agent itself acts as a distinct identity in the token exchange process. While the OAuth 2.0 Token Exchange specification [RFC8693] provides a mechanism for exchanging tokens, it typically focuses on inter-service communication or impersonation flows initiated server-side and doesn't inherently provide a mechanism for obtaining explicit user consent for an agent via the front channel initiated from the authorization endpoint.¶
This specification extends OAuth 2.0 to specifically support scenarios where a user delegates authority to an AI agent. It leverages the existing Authorization Code Grant flow by introducing mechanisms at the authorization endpoint to identify the specific agent for which delegation is sought and by defining a new grant type for the token endpoint that allows the agent to authenticate itself while presenting the user-approved authorization code. The resulting delegated access token explicitly records the identity of the user, the agent, and the client application involved, facilitating clear audit trails.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This specification uses the following terms:¶
An autonomous software entity that acts on behalf of a user. An agent has a distinct identity and authentication credentials separate from the client application that might host or invoke it.¶
A security token (e.g., a JWT [RFC7519]) used by an agent to authenticate itself to the authorization server or resource servers. The sub claim of an agent token identifies the agent.¶
An access token issued by the authorization server to an agent, granting it permission to access protected resources on behalf of a specific user. This token explicitly documents the delegation path.¶
The resource owner who grants consent for an agent to access their protected resources.¶
An application that initiates the authorization flow and facilitates the interaction between the user, agent, and authorization server. This is the "client" as defined in OAuth 2.0 [RFC6749].¶
The server that issues access tokens to the client and agent after successfully authenticating a resource owner and obtaining authorization.¶
The server hosting the protected resources, capable of accepting and validating delegated access tokens. Resource server can be a model context protocol (MCP) server, another agent or genaric protected resource.¶
A temporary, single-use code issued by the authorization server to the client's redirect URI after the user has authenticated and granted consent for a specific agent to act on their behalf. This code is then provided to the agent.¶
The agent holds a valid agent token, obtained via a separate process, which is not covered in this document. The agent token is used to authenticate the agent and authorize it to perform actions on its own behalf.¶
This extension defines a flow where a client application facilitates user consent for an agent, and the agent then uses this consent along with its own authentication to obtain a delegated access token.¶
The client application initiates the flow by directing the user's user-agent to the Authorization Server's authorization endpoint, including a requested_agent parameter identifying the agent.¶
The Authorization Server authenticates the user and presents a consent screen detailing the client, the requested agent, and the scopes. Upon user consent, the Authorization Server issues a short-lived Authorization Code tied to the user, client, and agent, and redirects the user-agent back to the client's redirect_uri.¶
The client receives the Authorization Code (via the user-agent redirect). The client then typically passes this code to the agent.¶
The agent requests a Delegated Access Token from the Authorization Server's token endpoint using the new urn:ietf:params:oauth:grant-type:agent-authorization_code grant type. This request includes the Authorization Code, the PKCE code_verifier, and the agent token.¶
The Authorization Server validates the request, including verifying the Authorization Code, the PKCE code_verifier, and the Agent Token. It ensures the Agent Token corresponds to the requested_agent approved by the user.¶
Upon successful validation, the Authorization Server issues a Delegated Access Token to the agent. This token is typically a JWT containing claims identifying the user (sub), the client (azp), and the agent (act claim).¶
+------------+ +--------+ +--------+ +--------------------+ +----------------+
| User-Agent | | Client | | Agent | | Authorization | | Resource |
| | | | | | | Server | | Server |
+------------+ +--------+ +--------+ +--------------------+ +----------------+
| | | | |
| | (A) Need to act on behalf of user | |
| |<----------------| | |
| | | | |
(B) Open browser with authorization url + code challenge + requested_agent |
|<--------------------| | | |
| | | | |
| (C) Request to authorization endpoint | |
|-------------------------------------------------------------->| |
| | | | |
| (D) User authenticates and consents (show agent + scopes) | |
|<------------------------------------------------------------->| |
| | | | |
| (E) Redirect with Authorization Code | |
|<--------------------------------------------------------------| |
| | | | |
| (F) Authorization Code | | |
|-------------------->| | | |
| | (G) POST /token (code + verifier + agent token) |
| |---------------------------------------->| |
| | | | |
| | (H) Delegated Access Token (JWT) | |
| |<----------------------------------------| |
| | | |
| | (I) Access Resource with Delegated Access Token |
| |------------------------------------------------------------------->|
| | | |(J) JWKS Token validation |
| | | |<-------------------------|
| | | | |
| | (K) Protected Resource Response | |
| |<-------------------------------------------------------------------|
| | | | |
| | (L) Response with Resource Data | |
| |---------------->| | |
¶
The steps in the sequence diagram are as follows:¶
A. Agent requests to access protected resources on behalf of the user.¶
B. Client initiates Authorization Request via user-agent, including requested_agent and PKCE challenge.¶
C. User-agent is redirected to the Authorization Server's authorization endpoint.¶
D. User authenticates and grants consent for the specific agent and requested scopes at the Authorization Server.¶
E. Authorization Server issues Authorization Code and redirects user-agent back to client.¶
F. Client receives the code.¶
G. Client requests Delegated Access Token using the urn:ietf:params:oauth:grant-type:agent-authorization_code grant type, presenting the code, PKCE verifier, and its Agent Token.¶
H. Authorization Server validates the request (code, verifier, and agent token) and issues the Delegated Access Token.¶
I. Client accesses protected resources using the Delegated Access Token.¶
J. Resource Server validates the token (e.g., by verifying the signature and claims offline).¶
K. Resource Server processes the request and returns the requested resource.¶
L. Agent receives the resource data.¶
Upon receiving the Authorization Code, the client then requests a Delegated Access Token from the Authorization Server's token endpoint using the urn:ietf:params:oauth:grant-type:agent-authorization_code grant type.¶
POST /token HTTP/1.1 Host: authorization-server.com Content-Type: application/x-www-form-urlencoded grant_type=urn:ietf:params:oauth:grant-type:agent-authorization_code& client_id=<client_id>& code=<authorization_code>& code_verifier=<code_verifier>& redirect_uri=<redirect_uri>& agent_token=<agent_token>¶
REQUIRED. The agent token used to authenticate the agent. This token MUST be a valid token issued to the agent and MUST include the sub claim identifying the agent.¶
The request MUST also include the standard OAuth 2.0 parameters such as client_id, code, code_verifier, and redirect_uri.¶
If the Token Request is valid, the Authorization Server issues a Delegated Access Token to the agent. This token SHOULD be a JSON Web Token (JWT) [RFC7519] to include claims that document the delegation.¶
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token": "<delegated_access_token>",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "<granted_scope>"
}
¶
Similar to the standard Authorization Code Grant (Section 4.1.4 of [RFC6749])¶
If the request is invalid, the Authorization Server returns an error response with an HTTP 400 (Bad Request) status code.¶
HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"error": "invalid_grant"
}
¶
The Delegated Access Token SHOULD be a JWT Profile for OAuth 2.0 Access Tokens [RFC9068]. It SHOULD carry claims that explicitly document the delegation chain.¶
In addition to standard JWT claims (e.g., iss, aud, exp, iat, jti), a Delegated Access Token issued via this flow MUST contain the following claims:¶
REQUIRED. Actor - represents the party acting on behalf of the subject (Section 4.1 of [RFC8693]). In a Delegated Access Token issued via this flow, this claim MUST contain a JSON object with at least the following member: * sub: REQUIRED. The unique identifier of the Agent that is acting on behalf of the user. * Additional members MAY be included in the act claim.¶
Example Decoded JWT Payload:¶
{
"iss": "https://authorization-server.com/oauth2/token",
"aud": "resource_server",
"sub": "user-456",
"azp": "s6BhdRkqt3",
"scope": "read:email write:calendar",
"exp": 1746009896,
"iat": 1746006296,
"jti": "unique-token-id",
"act": {
"sub": "agent-finance-v1",
"aut": "APPLICATION_AGENT"
},
"aut": "APPLICATION_USER"
}
¶
Resource Servers consuming this token can inspect the sub claim to identify the user and the act.sub claim to identify the specific agent that is performing the action. This provides a clear and auditable delegation path.¶
The security of this flow relies heavily on the Authorization Server's ability to securely authenticate the agent during the Token Request using the Agent Token. The method by which agents obtain and secure their Agent Tokens is critical and outside the scope of this specification but MUST be implemented securely.¶
PKCE [RFC7636] is REQUIRED to prevent authorization code interception attacks, especially relevant if the client (and thus the agent receiving the code) is a public client or runs in an environment where the redirect URI cannot be strictly protected.¶
Authorization Codes MUST be single-use and have a short expiration time to minimize the window for compromise.¶
The Authorization Server MUST bind the Authorization Code to the specific user, client (client_id), and requested agent (requested_agent) during issuance and verify this binding during the Token Request.¶
The consent screen presented to the user SHOULD clearly identify the agent and the requested scopes to ensure the user understands exactly what authority they are delegating and to whom.¶
The claims in the Delegated Access Token (sub, act) provide essential information for auditing actions performed using the token, clearly showing who (user) authorized the action, which application (client) facilitated it, and which entity (agent) performed it.¶
Mechanisms for revoking Delegated Access Tokens are essential. Revocation could be triggered by: * The user revoking consent. * The agent's Agent Token being revoked. * The user's account being disabled. * The agent's identity being disabled. * The client application being disabled.¶
Resource Servers or Authorization Servers MUST have mechanisms to check the revocation status of tokens.¶