Internet-Draft Rego Policy in OAuth March 2026
Liu, et al. Expires 18 September 2026 [Page]
Workgroup:
Web Authorization Protocol
Internet-Draft:
draft-liu-oauth-rego-policy-00
Published:
Intended Status:
Standards Track
Expires:
Authors:
D. Liu
Alibaba Group
H. Zhu
Alibaba Group
S. Krishnan
Cisco
A. Parecki
Okta

Rego Policy Language for OAuth 2.0 Authorization

Abstract

This specification defines how to use the Rego policy language in OAuth 2.0 authorization flows using Rich Authorization Requests (RAR). It defines the rego_policy authorization data type for carrying policy proposals in authorization_details, enabling fine-grained, dynamic authorization decisions that go beyond traditional scope-based access control.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 18 September 2026.

Table of Contents

1. Introduction

Traditional OAuth 2.0 authorization relies on static scopes to define access permissions. While scopes work well for coarse-grained access control, they are insufficient for scenarios requiring dynamic, context-aware authorization decisions—particularly in AI agent systems where the permitted operations may depend on runtime conditions such as transaction amounts, time windows, or resource attributes.

This specification extends OAuth 2.0 to support the Rego policy language, as used by Open Policy Agent (OPA). Rego enables expressive, declarative policies that can encode complex authorization rules. By integrating Rego into OAuth flows, this specification enables:

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals.

1.2. Applicability

This specification is designed to work with Rich Authorization Requests (RAR) [RFC9396] as the primary mechanism for carrying policy proposals. The rego_policy authorization data type MAY be used with various OAuth 2.0 authorization flows, including but not limited to:

  • Authorization Code Grant (with or without PAR);
  • Client Credentials Grant;
  • Token Exchange [RFC8693];
  • Resource Owner Password Credentials Grant.

Different authorization flows may have different security considerations when using policy proposals. Implementations SHOULD carefully evaluate the security implications discussed in Section 7 based on their specific deployment scenario.

1.3. RAR Integration

This specification defines the rego_policy authorization data type for use with Rich Authorization Requests (RAR) [RFC9396]. The policy proposal is carried within the authorization_details parameter as the primary mechanism.

Key aspects of the RAR integration:

  • Authorization Data Type: The rego_policy type is registered in the RAR Authorization Data Types registry (Section 9.4 of RFC 9396). It contains the policy content, entry point, and optional context.
  • Token Response: The access token includes a policy_ref claim referencing the registered policy. Per RFC 9396 Section 7.1, the token response MAY include enriched authorization information such as the full policy content.
  • Complementary Use: RAR enables structured authorization requests with type-specific details, while Rego Policy enables expressive, Turing-complete policy definitions. Implementations MAY combine rego_policy with other RAR types.

Implementations SHOULD ensure consistency between authorization_details requirements and Rego policy evaluations. The Authorization Server MAY use RAR types to determine applicable policy templates or validation rules.

2. Terminology

Rego:
A declarative policy language designed for Open Policy Agent (OPA). Rego policies define rules that evaluate to allow or deny decisions based on input data.
Open Policy Agent (OPA):
A general-purpose policy engine that evaluates Rego policies against structured input data.
Rich Authorization Requests (RAR):
A framework defined in RFC 9396 for expressing fine-grained authorization requirements through the authorization_details parameter.
rego_policy:
An authorization data type for RAR that carries a Rego policy proposal within the authorization_details parameter.
Policy Reference:
An identifier for a policy that has been validated and registered by the Authorization Server, included in access tokens via the policy_ref claim.

3. RAR Authorization Data Type

This specification defines the rego_policy authorization data type for use with Rich Authorization Requests (RAR).

3.1. rego_policy

The rego_policy authorization data type carries a Rego policy within the authorization_details parameter. It enables clients to propose fine-grained authorization policies as part of the authorization request.

3.1.1. Type Definition

Type Name:
rego_policy
Data Type:
Object
Usage:
authorization_details (RFC 9396)

3.1.2. Structure 

{
  "authorization_details": [
    {
      "type": "rego_policy",
      "policy": {
        "type": "rego",
        "content": "package agent\n\ndefault allow = false\n\nallow {\n  input.action == \"add_to_cart\"\n  input.amount <= 50.0\n}",
        "entry_point": "allow"
      },
      "context": {
        "user": {"id": "user_123", "tier": "premium"},
        "environment": {"channel": "mobile-app"}
      }
    }
  ]
}
Figure 1

The rego_policy authorization data type has the following fields:

type:
REQUIRED. The authorization data type identifier. MUST be "rego_policy" for this specification.
policy:
REQUIRED. An object containing the Rego policy definition.
context:
OPTIONAL. An object providing structured input data for policy evaluation. This data is passed to OPA as the input object.

The policy object has the following fields:

type:
REQUIRED. The policy language type. MUST be "rego" for this specification. Future extensions MAY define additional types.
content:
REQUIRED (if uri not present). The Rego policy as a string. The policy MUST be syntactically valid Rego.
uri:
OPTIONAL. A URI reference to an externally hosted policy. If provided, the AS MAY fetch the policy from this location.
entry_point:
REQUIRED. The rule name that serves as the policy entry point. For authorization decisions, this MUST be "allow".

3.1.3. Policy Requirements

Rego policies used with this specification MUST adhere to the following requirements:

  1. Entry Point: The policy MUST define an allow rule as the entry point. This rule MUST evaluate to a boolean value.
  2. Package Declaration: The policy MUST include a package declaration. The recommended package name is "agent" or a domain-specific namespace.
  3. Default Deny: The policy SHOULD include default allow = false to ensure deny-by-default behavior.
  4. Input Reference: The policy accesses context data via the input object, which is populated from the context field of the rego_policy authorization data type. 
package agent

default allow = false

allow {
  # Authorization rules here
  input.action == "read"
  input.resource.owner == input.user.id
}
Figure 2

3.2. policy_ref Claim

The policy_ref claim is included in access tokens to reference a policy that has been validated and registered by the Authorization Server.

3.2.1. Claim Definition

Claim Name:
policy_ref
Claim Type:
Object
Usage:
Access tokens

3.2.2. Structure 

{
  "policy_ref": {
    "id": "policy-abc123",
    "version": "1",
    "hash": "sha256-2jmj7l5rSw0yVb_vlWAYkK_YBwk=",
    "endpoint": "https://as.example.com/policies/policy-abc123"
  }
}
Figure 3
id:
REQUIRED. A unique identifier for the registered policy, assigned by the Authorization Server.
version:
OPTIONAL. The version of the policy. Useful for policy updates.
hash:
OPTIONAL. A cryptographic hash of the policy content using the format algorithm-base64value (e.g., "sha256-..."). When present, the Resource Server MUST verify that the fetched policy content matches this hash before evaluating the policy. This prevents tampering with policy content during transmission.
endpoint:
OPTIONAL. A URL where the Resource Server can fetch the full policy content if needed.

3.3. Policy Context

The context field within rego_policy provides structured input data for policy evaluation. This data is passed to OPA as the input object.

The context structure is flexible and can include any attributes relevant to policy evaluation. Common categories include:

  • user: User identity and attributes;
  • agent: Agent identity, platform, instance, and client metadata;
  • resource: Target resource attributes;
  • action: Requested action details;
  • environment: Contextual conditions (time, location, channel, language, device fingerprint).

See Section 3.1 for an example of context within the authorization_details structure.

4. Protocol Flow 

+--------+       +--------+       +--------+       +--------+
| Client |       |   AS   |       |   RS   |       |  OPA   |
+--------+       +--------+       +--------+       +--------+
    |                |                |                |
    | (1) AuthZ Req  |                |                |
    | with           |                |                |
    | authorization_ |                |                |
    | details        |                |                |
    | (type=rego_    |                |                |
    |  policy)       |                |                |
    |--------------->|                |                |
    |                |                |                |
    |                | (2) Validate   |                |
    |                | policy syntax  |                |
    |                |                |                |
    |                | (3) Evaluate   |                |
    |                | policy         |                |
    |                |                |                |
    | (4) Enriched   |                |                |
    |    Access Token|                |                |
    |    with        |                |                |
    |    policy_ref  |                |                |
    |<---------------|                |                |
    |                |                |                |
    | (5) API Request|                |                |
    | with token     |                |                |
    |-------------------------------->|                |
    |                |                |                |
    |                |                | (6) Fetch      |
    |                |                | policy via     |
    |                |                | policy_ref     |
    |                |                |--------------->|
    |                |                |                |
    |                |                | (7) Evaluate   |
    |                |                | policy         |
    |                |                |<---------------|
    |                |                |                |
    |                |                | (8) Enforce    |
    |                |                | decision       |
    |                |                |                |
    | (9) Response   |                |                |
    |<--------------------------------|                |
Figure 4

4.1. Step Details

  1. Authorization Request: Client sends authorization request with authorization_details containing an object of type rego_policy, with policy and optional context fields. This leverages RAR (RFC 9396) for structured authorization requests.
  2. Syntax Validation: AS validates that the Rego policy is syntactically correct and safe to execute.
  3. Policy Evaluation: AS evaluates the policy against the request context to determine authorization scope. This may involve checking user consent requirements and policy constraints.
  4. Token Response: AS issues access token with policy_ref claim referencing the registered policy. Per RFC 9396 Section 7.1, the token response MAY include enriched authorization information in additional JSON fields (e.g., policy containing the full policy content) alongside the access token.
  5. API Request: Client presents token to Resource Server.
  6. Policy Fetch: RS retrieves the policy via policy_ref from AS (if not cached). The policy may have been returned directly in the enriched token response.
  7. Policy Evaluation: RS sends policy and request input to OPA for evaluation.
  8. Enforcement: RS enforces OPA's allow/deny decision.
  9. Response: RS returns result to client.

5. Reverse-Guided Authorization

Traditional OAuth error responses indicate authorization failure without providing guidance on how to obtain valid authorization. In AI agent scenarios, where agents may need to autonomously navigate authorization requirements, resource servers can provide structured guidance that enables agents to construct appropriate authorization requests.

5.1. Error Response Format

When an agent's request lacks sufficient authorization, the resource server returns an HTTP 403 Forbidden response with a JSON body containing a rego_profile object. This object provides machine-readable guidance on the required authorization conditions.

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "error": "insufficient_authorization",
  "error_description": "Additional authorization required",
  "rego_profile": {
    "profile_uri": "https://resource.example/policies/purchase",
    "required_scope": ["purchase.create"],
    "required_claims": ["agent_id", "user_id"],
    "constraints": {
      "max_amount": {
        "type": "number",
        "description": "Maximum transaction amount in USD",
        "required": true
      },
      "trigger_source": {
        "type": "string",
        "enum": ["user_initiated", "scheduled"],
        "description": "Source of the operation trigger"
      }
    },
    "confirmation_required": true,
    "evidence_required": true,
    "auth_server": "https://as.example.com",
    "token_endpoint": "https://as.example.com/token"
  }
}
Figure 5: Reverse-Guided Authorization Error Response

5.2. Rego Profile Structure

The rego_profile object contains the following fields:

profile_uri:
REQUIRED. URI of the policy profile document that defines the authorization requirements for this resource.
required_scope:
OPTIONAL. Array of scope values that the access token MUST include.
required_claims:
OPTIONAL. Array of claim names that MUST be present in the token.
constraints:
OPTIONAL. Object defining policy constraints that MUST be satisfied. Each constraint specifies the data type, description, and whether it is required.
confirmation_required:
OPTIONAL. Boolean indicating whether user consent is required. If true, the agent MUST obtain explicit user approval.
evidence_required:
OPTIONAL. Boolean indicating whether authorization evidence recording is required.
auth_server:
REQUIRED. Identifier of the authorization server capable of issuing tokens that satisfy these requirements.
token_endpoint:
REQUIRED. URL of the token endpoint where the agent can request appropriate authorization.

5.3. Agent Adaptive Behavior

Upon receiving a reverse-guided authorization response, the AI agent SHOULD:

  1. Parse the rego_profile to understand authorization requirements.
  2. Verify that the specified auth_server is trusted before proceeding.
  3. Construct a new authorization request including required scopes, policy proposal satisfying constraints, and appropriate policy context.
  4. If confirmation_required is true, initiate user consent flow.
  5. Submit the authorization request to the specified token_endpoint.

This adaptive approach enables agents to "learn" authorization requirements dynamically, reducing the need for pre-programmed knowledge of each resource server's policies.

5.4. Security Considerations

Implementations of reverse-guided authorization MUST consider the following security aspects:

  • Auth Server Verification: Agents MUST verify that the auth_server specified in the rego_profile is trusted before submitting authorization requests. Blindly following redirects could lead to credential theft.
  • Constraint Validation: Agents SHOULD validate that constraint values are reasonable before including them in authorization requests. Malicious resource servers might attempt to induce agents to request excessive permissions.
  • Information Disclosure: The rego_profile reveals authorization requirements, which is acceptable as it only exposes "what is needed" not "why it is needed." This is analogous to OAuth scope definitions.
  • TLS Protection: All communications MUST use TLS to prevent man-in-the-middle attacks on the error response.

6. Authorization Server Processing

6.1. Policy Validation

Upon receiving a policy_proposal, the AS MUST perform the following validation steps:

  1. Syntax Check: Parse the Rego policy and verify it is syntactically valid.
  2. Entry Point Check: Verify the policy defines an allow rule.
  3. Safety Check: Ensure the policy does not contain dangerous operations (e.g., infinite loops, external HTTP calls in restricted environments).
  4. Scope Check: Optionally verify the policy does not exceed the client's registered permissions.

6.2. Policy Registration

After validation, the AS registers the policy:

  1. Assign a unique policy identifier;
  2. Store the policy content (or reference);
  3. Associate the policy with the authorization session;
  4. Optionally, pre-compile the policy for faster evaluation.

6.3. Error Responses

If policy validation fails, the AS MUST return an error:

{
  "error": "invalid_request",
  "error_description": "Invalid Rego policy: syntax error at line 5"
}
Figure 6

7. Resource Server Enforcement

7.1. Policy Retrieval

When the RS receives an access token with a policy_ref claim, it retrieves the policy using one of the following methods:

  • Fetch from AS: Use the endpoint URL in the policy_ref to retrieve the policy.
  • Local Cache: Use a cached copy if available and not expired.
  • Introspection: Include policy content in token introspection response.

7.2. OPA Integration

The RS evaluates the policy using OPA:

POST /v1/data/agent/allow HTTP/1.1
Host: opa.example.com
Content-Type: application/json

{
  "input": {
    "user": {
      "id": "user_12345",
      "tier": "premium"
    },
    "action": "add_to_cart",
    "resource": {
      "type": "cart",
      "id": "cart_789"
    },
    "amount": 45.00
  }
}
Figure 7
{
  "result": true
}
Figure 8

7.3. Enforcement Decision

Based on OPA's response:

  • If result is true: Allow the operation;
  • If result is false: Deny with 403 Forbidden;
  • If evaluation fails: Deny with 500 Internal Server Error.

8. Applicability to Different Authorization Flows

The policy proposal mechanism defined in this specification is designed to be flexible and applicable to various OAuth 2.0 authorization flows. This section provides examples for common use cases beyond PAR.

8.1. Authorization Code Grant (without PAR)

When using traditional authorization code grant without PAR, the policy proposal and policy_context SHOULD be included in a JWT using the "request" parameter as defined in [RFC9101]. This mechanism, known as JWT-Secured Authorization Request (JAR), is specifically designed for redirect-based flows and provides integrity protection while maintaining consistency with the PAR mechanism.

GET /authorize?
  response_type=code&
  client_id=spiffe://agent.example/agent&
  request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImFnZW50LWtleSJ9.ewogICJyZXNwb25zZV90eXBlIjogImNvZGUiLAogICJjbGllbnRfaWQiOiAic3BpZmZlOi8vYWdlbnQuZXhhbXBsZS9hZ2VudCIsCiAgInBvbGljeV9wcm9wb3NhbCI6IHsidHlwZSI6ICJyZWdvIiwiY29udGVudCI6ICIuLi4iLCJlbnRyeV9wb2ludCI6ICJhbGxvdyJ9LAogICJwb2xpY3lfY29udGV4dCI6IHsuLi59LAogICJyZWRpcmVjdF91cmkiOiAiaHR0cHM6Ly9hZ2VudC5leGFtcGxlL2NhbGxiYWNrIiwKICAic3RhdGUiOiAieHl6MTIzIn0.signature&
  state=xyz123 HTTP/1.1
Host: as.example.com
Figure 9

The JWT payload (decoded) contains:

{
  "response_type": "code",
  "client_id": "spiffe://agent.example/agent",
  "authorization_details": [
    {
      "type": "rego_policy",
      "policy": {
        "type": "rego",
        "content": "package agent\\ndefault allow = false\\n\\nallow {\\n  input.action == \"read\"\\n}",
        "entry_point": "allow"
      },
      "context": {
        "user": {"id": "user_123"},
        "agent": {"id": "spiffe://agent.example/agent"}
      }
    }
  ],
  "redirect_uri": "https://agent.example/callback",
  "state": "xyz123"
}
Figure 10

Using the JWT request parameter provides the following benefits:

  • Integrity Protection: The JWT signature prevents tampering with the policy proposal and context;
  • Privacy: Policy content is not exposed in URLs, server logs, or browser history;
  • Consistency: Same structure as PAR, just different transport mechanism;
  • No Length Limits: Avoids URL length restrictions that affect query parameters.

Implementations MUST validate the JWT signature before processing the policy proposal. The client's public key can be obtained through pre-registration or dynamic client registration.

8.2. Client Credentials Grant

In machine-to-machine scenarios using client credentials, the policy proposal can be included in the token request:

POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/json

{
  "grant_type": "client_credentials",
  "client_id": "spiffe://agent.example/agent",
  "client_secret": "...",
  "authorization_details": [
    {
      "type": "rego_policy",
      "policy": {
        "type": "rego",
        "content": "...",
        "entry_point": "allow"
      }
    }
  ]
}
Figure 11

8.3. Token Exchange (RFC 8693)

When exchanging tokens, a new policy proposal can be provided to refine or extend the authorized operations:

POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/json

{
  "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
  "subject_token": "eyJhbGciOiJSUzI1NiJ9...",
  "authorization_details": [
    {
      "type": "rego_policy",
      "policy": {
        "type": "rego",
        "content": "...",
        "entry_point": "allow"
      }
    }
  ]
}
Figure 12

The resulting access token will include both the original permissions and the new policy constraints.

8.4. Security Considerations by Flow

Different authorization flows have different security characteristics when using RAR with rego_policy:

PAR with RAR (Recommended):
authorization_details is transmitted in the PAR request body with JWT signature protection. Provides integrity and confidentiality. Highest security for policy proposals.
Authorization Code with JAR:
When using JWT-Secured Authorization Request (JAR, RFC 9101), authorization_details is protected by the JWT signature. Implementations MUST validate the JWT before processing.
Client Credentials:
Direct AS communication with TLS; standard client authentication usually sufficient. authorization_details is in the request body.
Token Exchange:
Similar security to Client Credentials; ensure policy binding to the exchanged token subject.

General security requirements for all flows:

  • Integrity Protection: authorization_details SHOULD be signed when transmitted through untrusted channels (e.g., browser redirects). Use JAR or PAR for protection.
  • Length Considerations: Rego policies may be large. Implementations SHOULD use PAR or JAR to avoid URL length limitations.
  • RAR Type Validation: AS MUST validate that the type field is "rego_policy" and reject unknown types.

9. Security Considerations

9.1. Policy Injection

Rego policies submitted by clients are executable code. The AS MUST:

  • Validate policy syntax before registration;
  • Execute policies in sandboxed environments;
  • Limit policy execution time and resource usage;
  • Restrict dangerous built-in functions (e.g., http.send).

9.2. Policy Scope Escalation

Clients MUST NOT be able to propose policies that exceed their registered permissions. The AS SHOULD maintain policy templates or scope hierarchies to enforce this.

9.3. Policy Integrity

The policy_ref in access tokens MUST reference policies stored securely by the AS. Resource Servers MUST fetch policies only from trusted sources.

10. IANA Considerations

10.1. RAR Authorization Data Type Registration

This specification registers the following authorization data type in the "OAuth Authorization Data Types" registry established by RFC 9396:

Type Name:
rego_policy
Description:
A Rego policy for fine-grained authorization decisions, including policy content, entry point, and optional evaluation context.
Change Controller:
IETF
Specification Document:
Section 3 of this document

10.2. JWT Claims Registration

This specification registers the following claims in the "JSON Web Token Claims" registry:

Claim Name:
policy_ref
Claim Description:
A reference to a registered Rego policy in access tokens.
Change Controller:
IETF
Specification Document:
Section 3.2 of this document

11. References

11.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC6749]
Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, , <https://www.rfc-editor.org/info/rfc6749>.
[RFC9126]
Lodderstedt, T., Campbell, B., Sakimura, N., Tonge, D., and F. Skokan, "OAuth 2.0 Pushed Authorization Requests", RFC 9126, DOI 10.17487/RFC9126, , <https://www.rfc-editor.org/info/rfc9126>.
[RFC7519]
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, , <https://www.rfc-editor.org/info/rfc7519>.
[RFC8693]
Jones, M., Nadalin, A., Campbell, B., Ed., Bradley, J., and C. Mortimore, "OAuth 2.0 Token Exchange", RFC 8693, DOI 10.17487/RFC8693, , <https://www.rfc-editor.org/info/rfc8693>.
[RFC9396]
Lodderstedt, T., Richer, J., and B. Campbell, "OAuth 2.0 Rich Authorization Requests", RFC 9396, DOI 10.17487/RFC9396, , <https://www.rfc-editor.org/info/rfc9396>.

11.2. Informative References

[OPA]
Cloud Native Computing Foundation, "Open Policy Agent", , <https://www.openpolicyagent.org/>.
[Rego]
Open Policy Agent, "Rego Policy Language", , <https://www.openpolicyagent.org/docs/latest/policy-language/>.

Appendix A. Example Policies

A.1. Amount-Based Authorization 

package agent

default allow = false

# Allow transactions up to $50
allow {
  input.action == "purchase"
  input.amount <= 50.0
}

# Allow cart modifications without amount limit
allow {
  input.action == "add_to_cart"
}
Figure 13

A.2. Time-Window Authorization 

package agent

default allow = false

# Allow during business hours
allow {
  input.action == "submit_order"
  time.clock(time.now_ns())[0] >= 9
  time.clock(time.now_ns())[0] < 18
}
Figure 14

A.3. Role-Based Authorization 

package agent

default allow = false

# Premium users can access all features
allow {
  input.user.tier == "premium"
}

# Standard users limited to basic actions
allow {
  input.user.tier == "standard"
  input.action == "read"
}
Figure 15

Acknowledgments

The authors would like to thank Brian Campbell for his valuable feedback and insightful discussions during the development of this specification. His contributions helped shape key design decisions.

Authors' Addresses

Dapeng Liu
Alibaba Group
Hongru Zhu
Alibaba Group
Suresh Krishnan
Cisco
Aaron Parecki
Okta