Authorization

20 Articles

Trusting Issuers in Open-World OAuth

Identity Assertion Trust Framework and Domain-Authorized Issuer Trust Method

Self-service agent sign-up exposes a first-contact trust problem: a Resource Authorization Server can verify a perfectly valid JWT and still not know whether the issuer is allowed to assert identities for the user’s domain. That is two questions, not one. Federation proves the issuer is authentic, but not that the namespace owner authorized it, and static allowlists do not scale to onboarding unknown domains at runtime. The Identity Assertion Trust Framework lets a Resource AS publish the evidence it requires. The Domain-Authorized Issuer Trust Method lets a domain owner publish which issuers may assert identities in its namespace, fail-closed, the way mail and the web already pushed authority into DNS. Both compose with ID-JAG and the JWT-bearer grant without changing the grant surface.

OAuth Authorization Federation ID-JAG Open-World OAuth Agentic Identity Trust DNS Internet-Draft

Closing the Gaps in Least-Privilege MCP Tool Calls

AuthZEN, ARAP, and the Task Neither Names

Series Least-Privilege MCP Tool Calls Part 2 of 2

Part one laid out two ways to lock down a single tool call an agent makes through the Model Context Protocol: carry a narrow token, or let the resource decide each call. This part walks the standards that close the gaps. AuthZEN gives a standard way to ask the policy question, the Access Request and Approval Profile turns a denial into a governed request for approval, and a set of proposals carries that approval over the wire. Each makes one call’s authorization more interoperable, and none gives a multi-step task a shared identity. So a string of individually correct calls can still drift from what the user approved. The missing piece is a durable, governed record of the approved task, the object I call a Mission.

OAuth Authorization MCP AuthZEN Fine-Grained Authorization Agentic Identity RAR

Two Models for Least-Privilege MCP Tool Calls

Carry Authority in a Token, or Decide at the Resource

Series Least-Privilege MCP Tool Calls Part 1 of 2

There are two natural ways to lock an agent’s Model Context Protocol (MCP) tool calls down to least privilege. The agent can carry a narrow token scoped to the action, or the server can decide each call as it happens. Carrying a token gives portable proof of what the agent may do, but pushes domain knowledge onto the authorization server and token management onto the client. Deciding at the resource keeps the meaning where it lives, but the decision is not portable. MCP makes the tool boundary first-class for both. This part compares the two models and how to choose. Part two covers the standards that close the per-call gaps and the task object neither names.

OAuth Authorization MCP AuthZEN Fine-Grained Authorization Agentic Identity RAR

Authorization Is the Other Half of Executable Intent

Evals Made Intent Executable for Verification. A Mission Makes It Executable for Authorization.

Microsoft’s ASSERT compiles written behavior requirements into executable evaluations: intent made executable for verification. That answers what the agent did, not what it was allowed to do: an eval produces a verdict, not a binding authorization decision, and for irreversible actions that is the whole difference. The mission is the preventive counterpart: a shaper proposes the request as a bounded, machine-readable object, a trusted authority validates and narrows it, an approver signs off, and enforcement checks every consequential action against it. Same lineage from natural-language intent, a higher bar, and teeth an eval does not have. One approved mission then drives both the runtime boundary and the behavioral eval, while a separate shaping-quality check asks whether the boundary matched the user’s intent in the first place.

Agentic Identity Authorization Delegated Authority AI Agents Evals Standards

Authorization Denied Is No Longer Enough

Closed-world authorization treated denial as the end of the interaction. Agents, runtime discovery, delegation, and mission expansion turn denial into the beginning of governance escalation. The draft AuthZEN access request and approval profile standardizes that handoff without standardizing the workflow engines behind it. Client-Initiated Backchannel Authentication (CIBA) is not the answer because the problem is not authentication freshness. It is whether authority should continue under newly discovered runtime conditions.

Authorization AuthZEN Agentic Identity Delegated Authority IAM OAuth Standards Mission Shaping

Sessions Are Not Missions

Why Agent Harnesses Cannot Own the Mission Layer

Modern agent harnesses make work durable across restarts, devices, background jobs, and sub-agents. That durability is a runtime property, not a governance property. A session answers where the agent can continue working. A mission answers why the agent is allowed to keep working. Conflating them is a central failure mode of long-running autonomous agent systems.

Agentic Identity Delegated Authority IAM OAuth Authorization Security Architecture Sessions MCP

AAuth Now Has a Mission Layer

The new version of AAuth (draft-hardt-aauth-protocol-01) materially changes the earlier comparison. Mission is now first-class in the protocol, with PS-mediated approval, mission-aware token choreography, and governance endpoints. The remaining gap is no longer whether Mission exists, but whether the published model is strong enough to support portable containment rather than just mission correlation and governance hooks.

AAuth Authorization Agentic Identity OAuth Mission Shaping Standards

ID-JAG Beyond the Enterprise IdP

ID-JAG, also often called Cross-App Access (XAA), is centered in the current draft on Enterprise IdP trust, but the issuer that matters is the immediate IdP the downstream authorization server already trusts for SSO and subject resolution, not necessarily the top-level workforce IdP. The same trust pattern can also extend architecturally to CIAM and platform identity layers that federate upstream workforce login while remaining authoritative for downstream product trust, tenant context, and subject resolution.

ID-JAG Authorization IAM OAuth OpenID Connect Agentic Identity CIAM XAA

Why Mission-Bound OAuth Might Be the Wrong Answer

Series Mission-Bound OAuth Part 4 of 4

Mission-Bound OAuth is a serious attempt to govern delegated agent authority using existing OAuth infrastructure. This post takes the pessimistic view: it may be the wrong answer because it asks the authorization server to become a governance engine, a lifecycle controller, and a mission ledger all at once. A cleaner alternative is to treat Mission as a separate authority service and let OAuth be one projection of that model rather than its home.

OAuth Authorization Agentic Identity Architecture IAM

Mission Architecture on AAuth

Series Mission-Bound OAuth Part 3 of 4

Mission-Bound OAuth argues for a durable Mission object that governs delegated authority across approval, lifecycle, delegation, and termination. This follow-up asks whether Dick Hardt’s AAuth draft is a better protocol substrate for the same model, and where AAuth still appears to need an explicit Mission-like authority object.

OAuth Authorization Agentic Identity AAuth

Client Context and ID-JAG for Mission-Bound OAuth

Series Mission-Bound OAuth Part 2 of 4

Rich Authorization Requests are the natural first instinct for agent missions, but audience-bound access tokens and uneven cross-domain interoperability limit how far they can carry a governed task. Mission-Bound OAuth solves that by making the Mission a durable authority object at the authorization server. This post explores the authentication-layer companion profile: OpenID Connect Client Context carries purpose and approval input when the user is present, and ID-JAG carries reduced Mission projections across same-IdP trust domains.

Agentic Identity Delegated Authority IAM OAuth OpenID Connect Authorization ID-JAG

Agents Don't Need Your Passport. They Need Your Authority.

Series You Don't Give Agents Credentials. You Grant Them Power of Attorney. Part 1 of 3

Enterprise IAM was designed for human-paced execution. Agents remove the presence, pacing, and natural scope-limiting that made those controls work. The result is a structural gap that stronger credentials, tighter scopes, and faster JIT provisioning cannot close.

Agentic Identity Delegated Authority IAM OAuth Authorization Security Architecture

From Passports to Power of Attorney

Series You Don't Give Agents Credentials. You Grant Them Power of Attorney. Part 2 of 3

Tokens, credentials, and scopes tell a system what an agent may do. They say nothing about why execution was authorized or when it should end. The Execution Mandate is the primitive that closes that gap: a signed, inspectable authority record that runtime systems can evaluate and revoke throughout the execution lifecycle.

Agentic Identity Delegated Authority IAM OAuth Authorization Security Architecture

Governing the Stay, Not Just the Entry

Series You Don't Give Agents Credentials. You Grant Them Power of Attorney. Part 3 of 3

An Execution Mandate defines what delegated authority looks like. This post builds the control plane that makes it operational: how mandates are issued and held as authoritative artifacts, how authority is evaluated continuously rather than at gates, how governance crosses organizational boundaries, and where enforcement lands in practice.

Agentic Identity Delegated Authority IAM Authorization Security Architecture