Hello OAuth WG,

We have recently published a new Internet-Draft detailing the *Contextual Agent Authorization Mesh (CAAM)*, and we would love to get your eyes on it.

**Draft:** https://datatracker.ietf.org/doc/draft-barney-caam/

Our focus with CAAM is securing the authorization handshake for autonomous agents acting on behalf of users. A significant portion of our approach builds upon existing and proposed OAuth patterns, specifically integrating with Cross-App Access (XAA) and OpenID IPSIE.

We are trying to solve the problem of agents operating outside of their designated scope by enforcing ReBAC and Common Ancestor Constraints during the token exchange process. We want to ensure that temporary, scoped credentials (like the ID-JAG in XAA) are contextualized perfectly for the agent's specific task.

Given this group's deep expertise in token delegation and cross-application access, your feedback would be invaluable. Specifically, we'd appreciate your thoughts on how CAAM interacts with current OAuth extensions and whether the constraint models we've proposed align well with the direction of XAA.

Thank you,
Jonathan M. Barney (along with co-authors Roberto Pioli, Darron Watson)
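The following is an added illustration, not code from the CAAM draft or its authors, of the two checks the announcement says are applied during token exchange: a ReBAC relation check and a "common ancestor" constraint between the acting agent and the target resource. The delegation graph, relation tuples, scope-to-relation mapping and the precise meaning given to "common ancestor" (the agent and the resource must meet at the delegating user or below, never only at an organisation above them) are assumptions made for this example, not the draft's normative semantics; the issued claims (`sub`, `act`, `aud`, `scope`, `task`) mirror the shape of an exchanged, task-bound token only loosely.

```python
"""Toy policy decision for an agent token exchange (added example, assumed semantics)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed delegation/ownership graph: child -> parent. Agents descend from the
# user that delegated them; resources descend from their owner; users from the org.
PARENT: Dict[str, Optional[str]] = {
    "org:acme": None,
    "user:alice": "org:acme",
    "user:bob": "org:acme",
    "agent:travel-bot": "user:alice",               # agent delegated by alice
    "agent:travel-bot/step-2": "agent:travel-bot",  # sub-agent spawned by that agent
    "doc:itinerary": "user:alice",
    "doc:payroll": "user:bob",
}

# Constructed ReBAC tuples: (subject, relation, object).
RELATIONS: Set[Tuple[str, str, str]] = {
    ("user:alice", "viewer", "doc:itinerary"),
    ("user:bob", "viewer", "doc:payroll"),
    ("org:acme", "admin", "doc:payroll"),
}

# Constructed mapping of requested scope -> relations that satisfy it.
SCOPE_RELATIONS = {"read": {"viewer", "editor", "admin"}, "write": {"editor", "admin"}}


def ancestors(node: str) -> List[str]:
    """Return the node followed by its ancestors, nearest first."""
    chain: List[str] = []
    cur: Optional[str] = node
    while cur is not None:
        chain.append(cur)
        cur = PARENT.get(cur)
    return chain


def lowest_common_ancestor(a: str, b: str) -> Optional[str]:
    """Nearest node that lies on both ancestor chains, or None if unrelated."""
    b_chain = set(ancestors(b))
    for n in ancestors(a):
        if n in b_chain:
            return n
    return None


def rebac_allows(subject: str, scope: str, resource: str) -> bool:
    """ReBAC: the subject, or a group it belongs to, holds a relation granting the scope."""
    wanted = SCOPE_RELATIONS.get(scope, set())
    return any((s, r, resource) in RELATIONS for s in ancestors(subject) for r in wanted)


@dataclass(frozen=True)
class ExchangeRequest:
    subject: str   # user the agent acts for (sub of the presented subject token)
    actor: str     # the agent presenting the exchange request
    resource: str  # target resource, i.e. audience of the token to be minted
    scope: str
    task: str      # task context to bind into the issued credential


def authorize_exchange(req: ExchangeRequest) -> dict:
    """Decide the exchange; on allow, return the narrowly scoped claims to mint."""
    # 1. The actor must actually descend from the subject it claims to act for.
    if req.subject not in ancestors(req.actor):
        return {"decision": "deny", "reason": "actor not delegated by subject"}
    # 2. ReBAC: the subject must hold a relation that grants the requested scope.
    if not rebac_allows(req.subject, req.scope, req.resource):
        return {"decision": "deny", "reason": "no relation grants scope"}
    # 3. Common ancestor constraint (assumed semantics): actor and resource must
    #    meet at the subject or below it. Meeting only higher up (e.g. at the org)
    #    would let the agent ride privilege the user holds only indirectly.
    lca = lowest_common_ancestor(req.actor, req.resource)
    if lca is None or req.subject not in ancestors(lca):
        return {"decision": "deny", "reason": f"common ancestor {lca!r} is above subject"}
    return {
        "decision": "allow",
        "token": {"sub": req.subject, "act": {"sub": req.actor}, "aud": req.resource,
                  "scope": req.scope, "task": req.task, "ttl": 300},
    }


if __name__ == "__main__":
    for r in (
        ExchangeRequest("user:alice", "agent:travel-bot", "doc:itinerary", "read", "plan trip"),
        ExchangeRequest("user:alice", "agent:travel-bot", "doc:payroll", "read", "plan trip"),
    ):
        print(r.actor, "->", r.resource, authorize_exchange(r)["decision"])
```

The second request in the demo is the instructive one: ReBAC alone would pass it, because alice inherits the org-level `admin` relation on the payroll document, but the common-ancestor check denies it because the agent and that document only meet at `org:acme`, above the user who delegated the agent.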
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
