Chain Delegation for OAuth 2.0 Access Tokens

Internet-Draft	OAuth Chain Delegation	March 2026
Liu, et al.	Expires 18 September 2026	[Page]

Abstract

This specification defines the delegation_chain JWT claim for OAuth 2.0 access tokens, enabling secure multi-hop delegation in agent-to-agent scenarios. It provides a cryptographically verifiable chain of delegation events, ensuring end-to-end auditability and preventing privilege escalation across delegation hops.¶

1. Introduction

In multi-agent systems, a primary agent (Agent A) may need to delegate a subset of its authorized operations to a secondary agent (Agent B). While RFC 8693 Token Exchange provides mechanisms for delegation, it does not define how to maintain a verifiable chain of delegation events across multiple hops.¶

This specification introduces the delegation_chain claim, which:¶

Records each delegation hop with cryptographic signatures;¶
Preserves end-to-end auditability back to the original human principal;¶
Prevents privilege escalation beyond the original authorization scope;¶
Enables Resource Servers to validate the complete delegation lineage.¶

This specification complements the act claim defined in [RFC8693] by providing detailed delegation history, while act identifies the immediate actor.¶

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals.¶

1.1.1. Applicability

While this specification is optimized for use with Pushed Authorization Requests (PAR) [RFC9126], the mechanism defined herein is designed to be general-purpose and MAY be used with various OAuth 2.0 authorization flows, including but not limited to:¶

Authorization Code Grant (with or without PAR);¶
Client Credentials Grant;¶
Token Exchange [RFC8693];¶
Resource Owner Password Credentials Grant.¶

Different authorization flows may have different security considerations when using this specification. Implementations SHOULD carefully evaluate the security implications based on their specific deployment scenario.¶

3. The delegation_chain Claim

3.1. Claim Definition

Claim Name:: delegation_chain¶
Claim Type:: Array of Objects¶
Usage:: Access tokens (JWT format)¶
Specification:: RFC 7519 (JWT)¶

3.2. Structure

The delegation_chain is an ordered array of delegation records, from most recent to earliest. Each record represents one delegation hop.¶

{
  "delegation_chain": [
    {
      "delegator_wit": "wit://agent-a.example",
      "delegatee_wit": "wit://agent-b.example",
      "delegation_timestamp": 1734516900,
      "root_evidence_ref": "evidence-root-abc123",
      "delegated_policy": {
        "type": "rego",
        "content": "package agent\ndefault allow = false\n\nallow {\n  input.action == \"inventory_check\"\n  input.item_id == \"123\"\n}",
        "entry_point": "allow"
      },
      "operation_summary": "Delegate inventory check for item 123",
      "delegator_signature": "eyJhbGciOiJFUzI1NiIs...",
      "as_signature": "eyJhbGciOiJSUzI1NiIs..."
    }
  ]
}

Figure 1

3.3. Delegation Lifecycle

A delegation record transitions through three phases during its lifecycle:¶

Delegation Proposal Phase: The delegating agent creates a delegation proposal that includes the delegated policy, delegatee identity, and operation context. This phase corresponds to the policy creation process defined in [I-D.ietf-oauth-rego-policy].¶
Delegation Enforcement Phase: The Authorization Server validates the delegation request, verifies user identity (using id_token_hint as defined in [I-D.ietf-oauth-cross-domain-id-token-hint] for the first delegation), and signs the delegation record upon successful validation.¶
Chain Propagation Phase: The signed delegation record is embedded into an access token's delegation_chain claim, enabling multi-hop propagation across trust domains.¶

This three-phase model ensures cryptographic binding between user authorization, agent identity, and policy constraints throughout the delegation chain.¶

3.4. Field Definitions

Table 1: delegation_chain Record Fields
Field	Type	Requirement	Description
delegator_wit	string	REQUIRED	Workload Identity Token (WIT) of the delegating agent.
delegatee_sub	string	REQUIRED	Subject identifier of the receiving agent.
delegation_timestamp	NumericDate	REQUIRED	When this delegation was authorized.
delegated_policy	object	OPTIONAL	A subset of the delegator's authorized policy that is being delegated to the delegatee. This field SHOULD follow the structure defined in [I-D.ietf-oauth-rego-policy]. The delegated policy MUST be equal to or more restrictive than the delegator's policy. Policy permission expansion is NOT allowed.
operation_summary	string	OPTIONAL	Human-readable description of delegated operation.
root_evidence_ref	string	OPTIONAL	Reference to the root authorization evidence record as defined in the authorization evidence specification. This field MUST be present for the first delegation (User → Agent A) and SHOULD be propagated through the chain. The value SHOULD match the `evidence.id` from the root token.
delegator_signature	string	RECOMMENDED	Cryptographic signature from the delegating agent's private key over this delegation record. This provides dual-signature security alongside `as_signature`, preventing malicious AS from forging unauthorized delegations and ensuring non-repudiation.
root_evidence_ref	string	OPTIONAL	Reference to the root authorization evidence record as defined in the authorization evidence specification. This field MUST be present for the first delegation (User → Agent A) and SHOULD be propagated through the chain. The value SHOULD match the `evidence.id` from the root token.
delegator_signature	string	RECOMMENDED	Cryptographic signature from the delegating agent's private key over this delegation record. This provides dual-signature security alongside `as_signature`, preventing malicious AS from forging unauthorized delegations and ensuring non-repudiation.
as_signature	string	REQUIRED	AS signature over this delegation record.

Both as_signature and delegator_signature MUST be computed over the same set of fields using JSON Canonicalization Scheme (JCS) as defined in RFC 8785:¶

delegator_wit¶
delegatee_sub¶
delegation_timestamp¶
delegated_policy (if present)¶
operation_summary (if present)¶
root_evidence_ref (if present)¶

Both signature fields MUST be excluded from their respective signature computations. The signatures MUST use detached JWS format with appropriate algorithm identifiers.¶

The delegator_signature uses the delegating agent's WIT-bound private key, while as_signature uses the Authorization Server's signing key. This dual-signature approach ensures:¶

Malicious AS Prevention: A compromised AS cannot unilaterally forge delegations without the delegator's consent;¶
Non-Repudiation: The delegator cannot deny having authorized the delegation;¶
Complete Trust Chain: User → AS → Delegator → Delegatee.¶

3.5. Chain Ordering

The array MUST be ordered from most recent delegation to earliest:¶

Index 0: Most recent delegation (delegator → current token holder)¶
Index N: Earliest delegation (first agent after human authorization)¶

This ordering allows efficient validation starting from the immediate delegator.¶

4. Delegation Protocol Flow

+--------+       +---------+       +--------+       +---------+
|  User  |       | Agent A |       |   AS   |       | Agent B |
+--------+       +---------+       +--------+       +---------+
    |                 |                 |                 |
    | (1) Authorize   |                 |                 |
    |---------------->|                 |                 |
    |                 |                 |                 |
    |                 | (2) PAR         |                 |
    |                 |---------------->|                 |
    |                 |                 |                 |
    | (3) Consent     |                 |                 |
    |<----------------|---------------->|                 |
    |                 |                 |                 |
    |                 | (4) Token A     |                 |
    |                 | (no chain)      |                 |
    |                 |<----------------|                 |
    |                 |                 |                 |
    |                 | (5) Delegation Request (PAR)      |
    |                 |----------------------------------> |
    |                 |  - subject_token (Token A)        |
    |                 |  - delegatee_wit (Agent B)        |
    |                 |  - delegated_policy (optional)    |
    |                 |                 |                 |
    |                 |                 | (6) Validate    |
    |                 |                 | - Token A valid |
    |                 |                 | - Scope subset  |
    |                 |                 | - Agent B auth  |
    |                 |                 |                 |
    |                 |                 | (7) Issue Token B
    |                 |                 |---------------->|
    |                 |                 | with delegation_chain
    |                 |                 |                 |
    |                 |                 |                 | (8) API Request
    |                 |                 |                 |------------>
    |                 |                 |                 |
    |                 |                 |                 | (9) Validate chain
    |                 |                 |                 |<------------

Figure 2

4.1. Step 1-4: Initial Authorization

Agent A obtains authorization from the user through a standard OAuth flow. The resulting token does not contain a delegation_chain (it is the root authorization).¶

4.2. Step 5: Delegation Request (PAR)

Agent A initiates delegation using Pushed Authorization Request (PAR) with JWT Secured Authorization Request [RFC9126]. The delegation parameters are encoded in a JWT, providing integrity protection and supporting large payloads.¶

POST /par HTTP/1.1
Host: as.example.com
Content-Type: application/oauth-authz-req+jwt
OAuth-Client-Attestation: wit://agent-b.example
OAuth-Client-Attestation-PoP: <PoP-Signature>

eyJhbGciOiJFUzI1NiIsImtpZCI6ImFnZW50LWEta2V5In0.ewogICJpc3MiOiAid2l0Oi8vdHBtMi5udmlkaWEuc2hhMjU2LmFiYzEyMy4uLiIsCiAgImF1ZCI6ICJodHRwczovL2FzLmV4YW1wbGUuY29tIiwKICAicmVzcG9uc2VfdHlwZSI6ICJjb2RlIiwKICAiZ3JhbnRfdHlwZSI6ICJ1cm46aWV0ZjpwYXJhbXM6b2F1dGg6Z3JhbnQtdHlwZTp0b2tlbi1leGNoYW5nZSIsCiAgInN1YmplY3RfdG9rZW4iOiAiPGFnZW50LWEtdG9rZW4-IiwKICAic3ViamVjdF90b2tlbl90eXBlIjogInVybjppZXRmOnBhcmFtczpvYXV0aDp0b2tlbi10eXBlOmFjY2Vzc190b2tlbiIsCiAgInJlcXVlc3RlZF90b2tlbl90eXBlIjogInVybjppZXRmOnBhcmFtczpvYXV0aDp0b2tlbi10eXBlOmFjY2Vzc190b2tlbiIsCiAgInNjb3BlIjogImNhcnQ6cmVhZCIsCiAgImRlbGVnYXRpb25fcmVhc29uIjogIkludmVudG9yeSBjaGVjayBmb3IgaXRlbSBYIiwKICAiZGVsZWdhdGVlX3dpdCI6ICJ3aXQ6Ly9zZ3guaW50ZWwuc2hhMjU2LmRlZjQ1Ni4uLiIKfQ.signature

Figure 3

The JWT payload (decoded) contains:¶

{
  "iss": "wit://agent-a.example",
  "aud": "https://as.example.com",
  "response_type": "code",
  "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
  "subject_token": "<agent-a-token>",
  "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "delegated_policy": {
    "type": "rego",
    "content": "package agent\ndefault allow = false\n\nallow {\n  input.action == \"inventory_check\"\n  input.item_id == \"123\"\n}",
    "entry_point": "allow"
  }
  "delegatee_wit": "wit://agent-b.example"
}

Figure 4

4.3. Step 6: AS Validation

The AS MUST perform the following validations:¶

Token Validity: Verify Agent A's token is valid and not revoked.¶
Delegation Permission: Confirm the token permits delegation (e.g., includes a delegation scope or flag).¶
Scope Subset: Verify the requested scope is a strict subset of Agent A's authorized scope.¶
Delegatee Authentication: Validate Agent B's credentials (WIT-SVID).¶
Chain Depth: Optionally enforce maximum delegation depth.¶

4.4. Step 7: Token Issuance

Upon successful validation, the AS issues a new token for Agent B with:¶

sub: The original user (unchanged)¶
act: Agent B's identity¶
delegation_chain: Extended with a new record for this hop¶
Reduced scope (as requested)¶

5. Chain Extension

When the AS issues a delegated token, it extends the delegation_chain:¶

5.1. For First Delegation

If Agent A's token has no delegation_chain (root authorization), the AS creates a new chain with one entry:¶

{
  "delegation_chain": [
    {
      "delegator_wit": "wit://agent-a.example",
      "delegatee_wit": "wit://agent-b.example",
      "delegation_timestamp": 1734516900,
      "root_evidence_ref": "evidence-root-abc123",
      "delegated_policy": {
        "type": "rego",
        "content": "package agent\ndefault allow = false\n\nallow {\n  input.action == \"cart_op\"\n}",
        "entry_point": "allow"
      },
      "delegator_signature": "eyJhbGciOiJFUzI1NiIs...",
      "operation_summary": "Delegate cart operations",
      "delegator_signature": "eyJhbGciOiJFUzI1NiIs...",
      "operation_summary": "Delegate cart operations",
      "delegator_signature": "eyJhbGciOiJFUzI1NiIs...",
      "operation_summary": "Delegate cart operations",
      "delegator_signature": "eyJhbGciOiJFUzI1NiIs...",
      "operation_summary": "Delegate cart operations",
      "as_signature": "eyJhbGciOiJSUzI1NiIs..."
    }
  ]
}

Figure 5

5.2. For Subsequent Delegations

If Agent B further delegates to Agent C, the AS prepends a new record:¶

{
  "delegation_chain": [
    {
      "delegator_wit": "wit://agent-b.example",
      "delegatee_wit": "wit://agent-c.example",
      "delegation_timestamp": 1734517800,
      "root_evidence_ref": "evidence-root-abc123",
      "delegated_policy": {
        "type": "rego",
        "content": "package agent\ndefault allow = false\n\nallow {\n  input.action == \"inventory_check\"\n  input.item_id == \"123\"\n}",
        "entry_point": "allow"
      },
      "delegator_signature": "eyJhbGciOiJFUzI1NiIs...",
      "operation_summary": "Check inventory for item 123",
      "delegator_signature": "eyJhbGciOiJFUzI1NiIs...",
      "operation_summary": "Check inventory for item 123",
      "as_signature": "eyJhbGciOiJSUzI1NiIs..."
    },
    {
      "delegator_wit": "wit://agent-a.example",
      "delegatee_wit": "wit://agent-b.example",
      "delegation_timestamp": 1734516900,
      "root_evidence_ref": "evidence-root-abc123",
      "delegated_policy": {
        "type": "rego",
        "content": "package agent\ndefault allow = false\n\nallow {\n  input.action == \"cart_op\"\n}",
        "entry_point": "allow"
      },
      "as_signature": "eyJhbGciOiJSUzI1NiIs..."
    }
  ]
}

Figure 6

6. Resource Server Validation

Resource Servers validate the delegation_chain as follows:¶

6.1. Signature Verification

For each record in the chain, verify the as_signature using the AS's public key. This ensures:¶

The delegation was authorized by the AS;¶
The record has not been tampered with;¶
The delegation metadata is authentic.¶

6.2. Root Authorization Anchor

The last record in the chain (highest index) represents the earliest delegation. Its delegator_wit identifies the agent that holds the root authorization (the token directly authorized by the user).¶

The Resource Server MUST verify that:¶

root token (a token without a delegation_chain claim);¶
This root token was issued by a trusted AS and has not been revoked.¶
The root token contains valid evidence and audit_trail claims as defined in the authorization evidence draft, providing cryptographic proof of user consent.¶

If the RS cannot verify the root authorization anchor, it MUST reject the request.¶

6.3. Dual-Signature Verification

For each delegation record, the Resource Server SHOULD verify both:¶

AS Signature: Using the Authorization Server's public key, confirming the delegation was authorized by the AS;¶
Delegator Signature: Using the delegating agent's WIT-bound public key, confirming the delegator explicitly consented to this delegation.¶

The dual-signature mechanism prevents:¶

Malicious AS from unilaterally forging delegations;¶
Delegators from denying authorized delegations (non-repudiation);¶
Unauthorized privilege escalation through compromised components.¶

6.4. WIT Status Validation

The Resource Server SHOULD verify the current status of all Workload Identity Tokens (WITs) referenced in the delegation_chain by:¶

Checking WIT revocation lists or status endpoints;¶
Validating WIT expiration timestamps;¶
Querying the issuing Identity Provider for current status.¶

If any WIT in the chain has been revoked or expired, the entire delegation_chain MUST be considered invalid, even if individual records remain cryptographically valid.¶

6.5. Chain Continuity

Verify the chain is continuous:¶

Each delegatee_wit matches the delegator_wit of the previous (more recent) record;¶
The final delegatee_sub matches the token's act.sub;¶
Timestamps are in descending order.¶

6.6. Scope Validation

Verify scope constraints are progressively narrowing:¶

Each delegation's delegated_policy MUST be equal to or more restrictive than the previous delegation's scope;¶
The final scope MUST cover the requested operation.¶

9. References

9.1. Normative References

[RFC2119]: Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]: Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC7515]: Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2015, <https://www.rfc-editor.org/info/rfc7515>.
[RFC7519]: Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, <https://www.rfc-editor.org/info/rfc7519>.
[RFC8693]: Jones, M., Nadalin, A., Campbell, B., Ed., Bradley, J., and C. Mortimore, "OAuth 2.0 Token Exchange", RFC 8693, DOI 10.17487/RFC8693, January 2020, <https://www.rfc-editor.org/info/rfc8693>.
[RFC8785]: Rundgren, A., Jordan, B., and S. Erdtman, "JSON Canonicalization Scheme (JCS)", RFC 8785, DOI 10.17487/RFC8785, June 2020, <https://www.rfc-editor.org/info/rfc8785>.

9.2. Informative References

[RFC9126]: Lodderstedt, T., Campbell, B., Sakimura, N., Tonge, D., and F. Skokan, "OAuth 2.0 Pushed Authorization Requests", RFC 9126, DOI 10.17487/RFC9126, September 2021, <https://www.rfc-editor.org/info/rfc9126>.
[I-D.ietf-oauth-identity-chaining]: Schwenkschuster, A., Kasselman, P., Burgin, K., Jenkins, M. J., and B. Campbell, "OAuth Identity and Authorization Chaining Across Domains", Work in Progress, Internet-Draft, draft-ietf-oauth-identity-chaining-08, 9 February 2026, <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-identity-chaining-08>.

Appendix A. Complete Multi-Hop Example

The following shows a token held by Agent C after two delegation hops (User → Agent A → Agent B → Agent C):¶

{
  "iss": "https://as.example.com",
  "sub": "user_12345",
  "aud": "https://api.shop.example",
  "exp": 1734520500,
  "iat": 1734517800,
  "act": {
    "sub": "wit://agent-c.example"
  },

  "delegation_chain": [
    {
      "delegator_wit": "wit://agent-b.example",
      "delegatee_wit": "wit://agent-c.example",
      "delegation_timestamp": 1734517800,
      "root_evidence_ref": "evidence-root",
      "delegated_policy": {
        "type": "rego",
        "content": "package agent\ndefault allow = false\n\nallow {\n  input.action == \"inventory_check\"\n  input.item_id == \"123\"\n}",
        "entry_point": "allow"
      },
      "operation_summary": "Check stock for item 123",
      "delegator_signature": "eyJhbGciOiJFUzI1NiIs...sig2-delegator",
      "as_signature": "eyJhbGciOiJSUzI1NiIs...sig2"
    },
    {
      "delegator_wit": "wit://agent-a.example",
      "delegatee_wit": "wit://agent-b.example",
      "delegation_timestamp": 1734516900,
      "root_evidence_ref": "evidence-root",
      "delegated_policy": {
        "type": "rego",
        "content": "package agent\ndefault allow = false\n\nallow {\n  input.action == \"cart_op\"\n}\nallow {\n  input.action == \"inventory_op\"\n}",
        "entry_point": "allow"
      },
      "operation_summary": "Delegate inventory operations",
      "delegator_signature": "eyJhbGciOiJFUzI1NiIs...sig1-delegator",
      "as_signature": "eyJhbGciOiJSUzI1NiIs...sig1"
    }
  ],

  "evidence": {
    "id": "evidence-root",
    "user_confirmation": {
      "displayed_content": "Allow shopping assistant to manage cart",
      "user_action": "confirmed_via_button_click",
      "timestamp": 1734516000,
      "interface_version": "consent-ui-v2.1"
    },
    "session_context": {
      "session_id": "session_xyz789",
      "channel": "mobile-app"
    },
    "as_signature": "eyJhbGciOiJSUzI1NiIs...sig0"
  },

  "audit_trail": {
    "evidence_ref": "evidence-root",
    "semantic_expansion_level": "medium",
    "interpretation_notes": "User said 'manage cart', delegated to inventory operations"
  }
}

Figure 7

This token shows:¶

Original user: user_12345¶
Current actor: Agent C¶
Delegation path: Agent A → Agent B → Agent C¶
Progressive policy narrowing: cart+inventory → inventory → item:123¶
Original user consent evidence preserved¶

Appendix B. Validation Mechanism

Each delegation hop MUST be represented as a separate JWT access token. The delegating agent signs each token using its private key, creating a cryptographically verifiable chain of custody.¶

B.1. Token Structure

For each delegation from Agent-X to Agent-Y:¶

The token's "iss" claim MUST be the WIT of the delegating agent¶
The token's "sub" claim MUST be the WIT of the delegatee agent¶
The token MUST be signed by the delegating agent's private key¶
The token's "delegation_chain" claim accumulates all previous hops¶

B.2. Verification Requirements

Resource Servers MUST validate:¶

The final token's signature matches the claimed issuer¶
Each hop in the delegation_chain has valid timestamps¶
Policy constraints are maintained or reduced (never expanded)¶
The chain is continuous (each "to" matches next "from")¶
The initial delegator matches the original authorization subject¶

B.3. Security Considerations

This per-hop signing approach provides:¶

Non-repudiation: Each delegator's signature is independent evidence¶
Flexible revocation: Individual hops can be revoked separately¶
Incremental updates: New hops only require generating new tokens¶
Audit-friendly: Each signature represents a discrete authorization event¶

B.4. Comparison with OAuth Identity Chaining

While [I-D.ietf-oauth-identity-chaining] focuses on static identity federation across organizational boundaries, this specification targets dynamic AI agent delegation with the following distinctions:¶

Trust Model: Attestation-based (WIT) vs. pre-configured PKI trust¶
Scope Control: Mandatory contraction vs. static mapping¶
Time Scale: Task-level (minutes/hours) vs. employment-level (months/years)¶
Target: AI workloads vs. human employees¶

This makes the mechanism suitable for AI-to-AI scenarios where agents need temporary, auditable delegation without pre-established trust relationships. Implementations MAY use WIT with attestation evidence for enhanced security, but it is not required by this specification.¶