Hi all,

Pam Dingle and I are proposing a new Internet-Draft: OAuth 2.0 Entity Profiles (https://datatracker.ietf.org/doc/draft-mora-oauth-entity-profiles).

This draft introduces a mechanism to categorize and describe the two key entities in OAuth flows: clients initiating the flows and subjects (or resource owners) represented in tokens. The draft doesn't prescribe specific behaviors but instead provides contextual metadata that authorization servers and resource servers can use to make informed policy decisions. We envision that future OAuth extensions and profiles could reference these entity profiles and define verification and handling mechanisms for the entity profiles they target.

The primary motivation stems from the emerging AI-agent scenarios, where it's becoming increasingly critical to know:

1) when an OAuth client is an AI agent,
2) when an AI agent is acting on behalf of another agent or a human, and
3) how this context can be consistently represented and interpreted in OAuth flows.

We'd greatly appreciate the WG's feedback and suggestions.

Thanks,
Sreyanth and Pam
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
