Markdown Version | Transcript | Session Recording

Session Date/Time: 01 Jun 2026 17:00

OAUTH

Summary

The OAUTH working group held a virtual interim meeting to discuss the landscape of Agentic AI and its intersection with OAuth. The primary focus of the meeting was an analysis of the rapidly growing list of individual draft submissions related to agents and delegation, and a broader discussion on how the working group should triage, manage, and coordinate this incoming work.

The session featured a presentation by George Fletcher analyzing recent individual submissions, followed by an open discussion on criteria for prioritizing drafts, coordination with other IETF working groups (such as WIMSE) and external standards development organizations (SDOs), and whether to revive a previous effort on identity terminology.

Maxwell Gerber volunteered to take notes for the session.

Key Discussion Points

1. Landscape Analysis of Agent and Delegation Drafts

George Fletcher presented IETF Individual Draft Analysis, detailing a tracking effort (assisted by Claude AI) that identified 32 individual drafts submitted to the IETF over the last six months dealing with agents or delegation.

The presentation organized these drafts into five key areas:

• Delegation Mechanics: Including actor profiles, cryptographically verifiable actor chains, token attenuation, and delegated agent authorization protocols.
• Agent Identity: Including Workload Identity in Multi-System Environments (WIMSE) work, OAuth client instance assertions, and Agent Identity Protocol (AIP) variants.
• Discovery and Transport: Including the proposed Decentralized Autonomous Node (Dawn) BoF.
• Audit and Compliance: Including audit architectures such as Cool Wind.
• Miscellaneous / Grab Bag: A variety of other protocols, including AAuth and the Client Challenge Protocol.

George Fletcher expressed concern that the sheer volume of incoming work is overwhelming for the working group to process and raised the question of how to efficiently evaluate overlaps, identify unique innovations, and decide which work items should be prioritized.

2. Gating and Triage of Individual Drafts

The participants discussed how to manage the influx of drafts without overwhelming the working group or consuming too much face-to-face meeting time.

• Establishing a Rubric: George Fletcher suggested defining a basic rubric or set of criteria that individual drafts must meet before they can be allocated presentation time at meetings.
• Chairs' Criteria for Meeting Slots: Rifaat Shekh-Yusef outlined the criteria the chairs will use to filter agenda requests for the upcoming in-person meeting in Vienna:
  1. Active and serious discussion on the OAUTH mailing list.
  2. A clear, crisp problem statement explaining why the work is needed.
  3. Demonstrated interest and commitment from community members to implement and deploy the proposed solution.
• Problem Statements vs. Solutions: Dick Hardt and Bjorn Hjelm emphasized that the working group should first agree on the problem statement before diving into specific solutions. Bjorn Hjelm noted that many current drafts are proposing solutions without a shared agreement on the underlying problem or standard terminology.
• Use of Virtual Interims: Paul Carleton asked about alternative ways to triage drafts. Rifaat Shekh-Yusef suggested that virtual interim meetings are an ideal venue for discussing and filtering individual drafts, preserving valuable face-to-face time for mature, critical working group items.

3. Pragmatic Near-Term vs. Strategic Long-Term Work

Pieter Kasselman proposed categorizing the incoming work by its target timescale:

• Near-Term (Pragmatic): Addressing immediate gaps in existing OAuth deployments to unblock current implementations.
• Long-Term (Strategic): Major architectural overhauls (such as a family of new specifications) that may take years to mature and require infrastructure replacement.

Dick Hardt shared that his proposal, the AAuth protocol, represents a "clean slate" design rather than layering on top of existing OAuth architecture. He noted that AAuth currently has three active deployments and four more in development, suggesting that while it departs from the OAuth foundation, it is seeing real-world traction.

George Fletcher noted that while simple delegation scenarios should remain simple, the working group needs to holistically look at complex delegation problems (e.g., parent-child guardianship, agent privacy) to identify where gaps exist in current OAuth mechanisms.

4. Coordination with Other Groups and External SDOs

The group discussed the challenge of overlapping work across different venues:

• Within the IETF, related work is appearing in WIMSE, the proposed Dawn BoF, and the Agent-to-Agent BoF.
• Outside the IETF, relevant work is happening in the Decentralized Identity Foundation (DIF), W3C, OASIS, and various academic research channels.

George Fletcher and Pieter Kasselman noted that it is currently impossible for any single individual to monitor all these venues. Rifaat Shekh-Yusef noted that the ongoing OAUTH rechartering effort aims to centralize OAuth-related agent and delegation work within the OAUTH WG to prevent fragmentation, though George Fletcher cautioned that the working group must ensure it has enough dedicated active contributors to handle an expanded charter.

5. Reviving the Terminology Effort

Rifaat Shekh-Yusef asked if there was interest in reviving a previous terminology effort initiated by himself and Dick Hardt.

• Pieter Kasselman expressed skepticism, noting that formal terminology exercises in standards bodies often stall and are rarely utilized in practice.
• Dick Hardt clarified that their original goal was not to invent new definitions, but to build a dynamic reference catalog of existing identity-related terms (such as "credential") to show how they are used across different specifications. The effort stalled due to the administrative overhead of maintaining it as a standard IETF document.

Decisions and Action Items

• No formal decisions were made regarding the adoption of any individual drafts presented.
• The chairs established clear criteria (mailing list discussion, crisp problem statement, and deployment interest) that authors must meet to secure presentation slots at the upcoming Vienna meeting.

Next Steps

• Draft Authors: Authors of individual drafts seeking agenda time for the Vienna meeting must initiate and drive discussions on the OAUTH mailing list to demonstrate community interest and deployment intent.
• Chairs: The chairs will monitor the mailing list and filter Vienna presentation requests based on the agreed-upon gating criteria.

Related Documents

draft-analysis-00