Internet-Draft Rego Policy in OAuth March 2026
Liu, et al. Expires 18 September 2026 [Page]
Workgroup:
Web Authorization Protocol
Internet-Draft:
draft-liu-oauth-rego-policy-00
Published:
Intended Status:
Standards Track
Expires:
Authors:
D. Liu
Alibaba Group
H. Zhu
Alibaba Group
S. Krishnan
Cisco
A. Parecki
Okta
H. Xue
Alibaba Group

Rego Policy Language for OAuth 2.0 Authorization

Abstract

This specification defines how to use the Rego policy language in OAuth 2.0 authorization flows using Rich Authorization Requests (RAR). It defines the rego_policy authorization data type for carrying policy proposals in authorization_details, enabling fine-grained, dynamic authorization decisions that go beyond traditional scope-based access control.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 18 September 2026.

Table of Contents

1. Introduction

Traditional OAuth 2.0 authorization relies on static scopes to define access permissions. While scopes work well for coarse-grained access control, they are insufficient for scenarios requiring dynamic, context-aware authorization decisions—particularly in AI agent systems where the permitted operations may depend on runtime conditions such as transaction amounts, time windows, or resource attributes.

This specification extends OAuth 2.0 [RFC6749] to support the Rego policy language, as used by Open Policy Agent (OPA) [OPA]. Rego [Rego] enables expressive, declarative policies that can encode complex authorization rules. By integrating Rego into OAuth flows, this specification enables:

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals.

1.2. RAR Integration

This specification defines the rego_policy authorization data type for use with Rich Authorization Requests (RAR) [RFC9396]. The policy proposal is carried within the authorization_details parameter as the primary mechanism.

Key aspects of the RAR integration:

  • Authorization Data Type: The rego_policy type is defined for use with the authorization_details parameter per RFC 9396. It contains the policy content, entry point, and optional context.
  • Token Response: Per RFC 9396 Section 7.1, the access token includes enriched authorization_details as the primary mechanism for carrying policy information. The policy_ref claim MAY be included as a lightweight alternative (see Section 3.2).
  • Complementary Use: RAR enables structured authorization requests with type-specific details, while Rego Policy enables expressive declarative policy definitions. Implementations MAY combine rego_policy with other RAR types.

Implementations SHOULD ensure consistency between authorization_details requirements and Rego policy evaluations. The Authorization Server MAY use RAR types to determine applicable policy templates or validation rules.

2. Terminology

Rego:
A declarative policy language designed for Open Policy Agent (OPA). Rego policies define rules that evaluate to allow or deny decisions based on input data.
Open Policy Agent (OPA):
A general-purpose policy engine that evaluates Rego policies against structured input data.
Rich Authorization Requests (RAR):
A framework defined in RFC 9396 for expressing fine-grained authorization requirements through the authorization_details parameter.
rego_policy:
An authorization data type for RAR that carries a Rego policy proposal within the authorization_details parameter.
Policy Reference:
An identifier for a policy that has been validated and registered by the Authorization Server, included in JWT [RFC7519] access tokens via the policy_ref claim defined in this specification.

3. RAR Authorization Data Type

This specification defines the rego_policy authorization data type for use with Rich Authorization Requests (RAR).

3.1. rego_policy

The rego_policy authorization data type carries a Rego policy within the authorization_details parameter. It enables clients to propose fine-grained authorization policies as part of the authorization request.

3.1.1. Type Definition

Type Name:
rego_policy
Data Type:
Object
Usage:
authorization_details (RFC 9396)

3.1.2. Structure 

{
  "authorization_details": [
    {
      "type": "rego_policy",
      "policy": {
        "type": "rego",
        "content": "package agent\n\ndefault allow = false\n\nallow {\n  input.user.tier == \"premium\"\n  input.action in {\"manage_portfolio\", \"view_reports\"}\n}",
        "entry_point": "allow"
      },
      "actions": ["manage_portfolio", "view_reports"],
      "locations": ["https://api.example.com/portfolios"]
    }
  ]
}
Figure 1

In addition to the common fields defined in RFC 9396 Section 2 (such as actions, locations, datatypes, and identifier), the rego_policy authorization data type defines the following type-specific fields:

policy:
REQUIRED. An object containing the Rego policy definition.
context:
OPTIONAL. An object providing additional structured data for policy evaluation at authorization time.

The common RAR fields and the Rego policy serve different consumers at different stages of the authorization flow. The common fields (actions, locations) provide a declarative upper bound on the requested operations and resources, enabling the Authorization Server to approve or reject the request without parsing Rego. The Rego policy expresses the conditional authorization logic that the Resource Server evaluates at request time with runtime context as input. This layered design allows Authorization Server implementations to function without embedding a Rego engine, while preserving the full expressiveness of policy-based authorization at the Resource Server.

The AS SHOULD verify that the policy does not exceed the scope declared in the common fields.

The policy object has the following fields:

type:
REQUIRED. The policy language type. MUST be "rego" for this specification. Future extensions MAY define additional types.
content:
REQUIRED (if uri is not present). The Rego policy as a string. The policy MUST be syntactically valid Rego. If both content and uri are present, content takes precedence and uri is ignored.
uri:
OPTIONAL. A URI reference to an externally hosted policy. If provided, the AS MAY fetch the policy from this location. The AS MUST apply SSRF protections when fetching from this URI (see Section 9).
entry_point:
OPTIONAL. The rule name that serves as the policy entry point. Defaults to "allow". For authorization decisions, this SHOULD be "allow". Future extensions MAY define additional entry points for non-boolean evaluations.

3.1.3. Policy Requirements

Rego policies used with this specification MUST adhere to the following requirements:

  1. Entry Point: The policy MUST define an allow rule as the entry point. This rule MUST evaluate to a boolean value.
  2. Package Declaration: The policy MUST include a package declaration. The recommended package name is "agent" or a domain-specific namespace.
  3. Default Deny: The policy SHOULD include default allow = false to ensure deny-by-default behavior.
  4. Input Reference: The policy accesses data via the input object. The structure and content of the input object are determined by the evaluating party (AS or RS) and MAY include token claims, API request parameters, resource attributes, and other contextual data as agreed between the client and the resource server. 
package agent

default allow = false

allow {
  # Authorization rules here
  input.action == "read"
  input.resource.owner == input.user.id
}
Figure 2

3.2. policy_ref Claim

The policy_ref claim is an OPTIONAL shorthand mechanism for referencing a policy in access tokens. When the AS uses Rich Authorization Requests (RAR), the enriched authorization_details array in the access token (per RFC 9396 Section 7.1) is the primary mechanism for carrying policy information. The policy_ref claim MAY be used as a lightweight alternative when:

  • The inline policy content would make the access token exceed practical size limits (see Section 9);
  • The Resource Server already has a cached copy of the policy and only needs an identifier to look it up;
  • The deployment uses opaque (non-JWT) access tokens where token introspection provides the policy content.

When policy_ref is used, the AS performs policy registration as described in Section 6.

3.2.1. Claim Definition

Claim Name:
policy_ref
Claim Type:
Object
Usage:
Access tokens

3.2.2. Structure 

{
  "policy_ref": {
    "id": "policy-abc123",
    "version": "1",
    "hash": "sha256-2jmj7l5rSw0yVb_vlWAYkK_YBwk=",
    "endpoint": "https://as.example.com/policies/policy-abc123"
  }
}
Figure 3
id:
REQUIRED. A unique identifier for the registered policy, assigned by the Authorization Server.
version:
OPTIONAL. The version of the policy. Useful for policy updates.
hash:
OPTIONAL. A cryptographic hash of the policy content using the format algorithm-base64value (e.g., "sha256-..."). When present, the Resource Server MUST verify that the fetched policy content matches this hash before evaluating the policy. This prevents tampering with policy content during transmission.
endpoint:
OPTIONAL. A URL where the Resource Server can fetch the full policy content if needed.

3.3. Policy Context

The context field within rego_policy provides additional structured data that the client wishes to include at authorization request time. This data MAY be merged into the input object during policy evaluation.

The input object used for policy evaluation is constructed by the evaluating party and is not limited to the context field. Common input categories include:

  • user: User identity and attributes (from token claims or AS data);
  • client: Client/agent identity and metadata (from client registration);
  • action: Requested action details (from the API request);
  • resource: Target resource attributes (from the resource server);
  • environment: Contextual conditions (time, location, device).

The specific input structure is determined by bilateral agreement between the client and the resource server, typically documented in developer integration guides.

4. Protocol Flow 

+--------+       +--------+       +--------+       +--------+
| Client |       |   AS   |       |   RS   |       |Policy  |
|        |       |        |       |        |       |Engine  |
+--------+       +--------+       +--------+       +--------+
    |                |                |                |
    | (1) AuthZ Req  |                |                |
    | with           |                |                |
    | authorization_ |                |                |
    | details        |                |                |
    | (type=rego_    |                |                |
    |  policy)       |                |                |
    |--------------->|                |                |
    |                |                |                |
    |                | (2) Validate   |                |
    |                | policy syntax  |                |
    |                |                |                |
    |                | (3) Scope      |                |
    |                | check          |                |
    |                |                |                |
    | (4) Enriched   |                |                |
    |    Access Token|                |                |
    |    with authz_ |                |                |
    |    details     |                |                |
    |<---------------|                |                |
    |                |                |                |
    | (5) API Request|                |                |
    | with token     |                |                |
    |-------------------------------->|                |
    |                |                |                |
    |                |                | (6) Extract    |
    |                |                | policy from    |
    |                |                | authz_details  |
    |                |                |                |
    |                |                | (7) Evaluate   |
    |                |                | policy         |
    |                |                |--------------->|
    |                |                |                |
    |                |                | (8) Result     |
    |                |                |<---------------|
    |                |                |                |
    |                |                | (9) Enforce    |
    |                |                | decision       |
    |                |                |                |
    | (10) Response  |                |                |
    |<--------------------------------|                |
Figure 4

4.1. Step Details

  1. Authorization Request: Client sends authorization request with authorization_details containing an object of type rego_policy, with policy and optional context fields. This leverages RAR (RFC 9396) for structured authorization requests.
  2. Syntax Validation: AS validates that the Rego policy is syntactically correct and safe to evaluate.
  3. Policy Scope Check: AS verifies the policy does not exceed the client's registered permissions and checks user consent requirements. The AS does not perform full runtime policy evaluation (which occurs at the RS).
  4. Token Response: AS issues access token with enriched authorization_details array per RFC 9396 Section 7.1, containing the validated policy.
  5. API Request: Client presents token to Resource Server.
  6. Policy Extraction: RS extracts the Rego policy from the enriched authorization_details in the access token.
  7. Policy Evaluation: RS sends the policy and request input to a Rego-compatible policy engine for evaluation.
  8. Result: The policy engine returns an allow/deny decision.
  9. Enforcement: RS enforces the policy engine's decision.
  10. Response: RS returns result to client.

5. Reverse-Guided Authorization

Traditional OAuth error responses indicate authorization failure without providing guidance on how to obtain valid authorization. In AI agent scenarios, where agents may need to autonomously navigate authorization requirements, resource servers can provide structured guidance that enables agents to construct appropriate authorization requests.

5.1. Error Response Format

When an agent's request lacks sufficient authorization, the resource server returns an HTTP 403 Forbidden response with a JSON body containing a rego_profile object. This object provides machine-readable guidance on the required authorization conditions.

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "error": "insufficient_authorization",
  "error_description": "Additional authorization required",
  "rego_profile": {
    "profile_uri": "https://resource.example/policies/purchase",
    "required_scope": ["purchase.create"],
    "required_claims": ["agent_id", "user_id"],
    "constraints": {
      "max_amount": {
        "type": "number",
        "description": "Maximum transaction amount in USD",
        "required": true
      },
      "trigger_source": {
        "type": "string",
        "enum": ["user_initiated", "scheduled"],
        "description": "Source of the operation trigger"
      }
    },
    "confirmation_required": true,
    "evidence_required": true,
    "auth_server": "https://as.example.com"
  }
}
Figure 5: Reverse-Guided Authorization Error Response

5.2. Rego Profile Structure

The rego_profile object contains the following fields:

profile_uri:
REQUIRED. URI identifying the authorization profile for this resource. This URI serves as an opaque identifier; the document at this URI is intended for developer documentation and is not machine-parsed by the agent.
required_scope:
OPTIONAL. Array of scope values that the access token MUST include.
required_claims:
OPTIONAL. Array of claim names that MUST be present in the token.
constraints:
OPTIONAL. Object defining policy constraints that MUST be satisfied. Each key is a constraint name; the value is an object with the following descriptors: type (data type), description (human-readable explanation), enum (allowed values), and required (boolean, whether the constraint must be provided).
confirmation_required:
OPTIONAL. Boolean indicating whether user consent is required. If true, the agent MUST obtain explicit user approval. When used with JWT Grant Interaction Response [I-D.parecki-oauth-jwt-grant-interaction-response], this corresponds to the interaction_required error code and interaction flow.
evidence_required:
OPTIONAL. Boolean indicating whether authorization evidence recording is required.
auth_server:
REQUIRED. Identifier of the authorization server capable of issuing tokens that satisfy these requirements. The agent can discover the token endpoint and other metadata via OAuth 2.0 Authorization Server Metadata (RFC 8414) using this identifier.

5.3. Agent Adaptive Behavior

Upon receiving a reverse-guided authorization response, the AI agent SHOULD:

  1. Parse the rego_profile to understand authorization requirements.
  2. Verify that the specified auth_server is trusted before proceeding.
  3. Construct a new authorization request including required scopes, policy proposal satisfying constraints, and any additional parameters required by the resource server.
  4. If confirmation_required is true, initiate user consent flow.
  5. Discover the token endpoint via the auth_server's metadata (RFC 8414) and submit the authorization request.

This adaptive approach enables agents to "learn" authorization requirements dynamically, reducing the need for pre-programmed knowledge of each resource server's policies.

5.4. Security Considerations

Implementations of reverse-guided authorization MUST consider the following security aspects:

  • Auth Server Verification: Agents MUST verify that the auth_server specified in the rego_profile is trusted before submitting authorization requests. Agents MUST use only the token endpoint discovered from the auth_server's Authorization Server Metadata ([RFC8414]). Blindly following redirects could lead to credential theft.
  • Constraint Validation: Agents SHOULD validate that constraint values are reasonable before including them in authorization requests. Malicious resource servers might attempt to induce agents to request excessive permissions.
  • Information Disclosure: The rego_profile reveals authorization requirements, which is acceptable as it only exposes "what is needed" not "why it is needed." This is analogous to OAuth scope definitions.
  • TLS Protection: All communications MUST use TLS to prevent man-in-the-middle attacks on the error response.

6. Authorization Server Processing

6.1. Policy Validation

Upon receiving an authorization_details request containing the rego_policy type, the AS MUST perform the following validation steps:

  1. Syntax Check: Parse the Rego policy and verify it is syntactically valid.
  2. Entry Point Check: Verify the policy defines an allow rule.
  3. Safety Check: Ensure the policy does not contain dangerous operations (e.g., external HTTP calls via http.send, excessive resource consumption).
  4. Scope Check: Verify the policy does not exceed the client's registered permissions. The AS SHOULD use the common RAR fields (actions, locations) for scope checking rather than analyzing the Rego policy AST (see Section 3.1).

6.2. Policy Registration

When the AS issues a policy_ref claim instead of embedding the full policy in authorization_details, the AS MUST register the policy:

  1. Assign a unique policy identifier;
  2. Store the policy content;
  3. Associate the policy with the authorization session;
  4. Optionally, pre-compile the policy for faster evaluation.

When the AS embeds the validated policy directly in the enriched authorization_details (the primary path), explicit registration is not required — the policy travels with the token.

6.3. Error Responses

If policy validation fails, the AS MUST return an error:

{
  "error": "invalid_request",
  "error_description": "Invalid Rego policy: syntax error at line 5"
}
Figure 6

7. Resource Server Enforcement

7.1. Policy Retrieval

The RS obtains the Rego policy from the access token. The primary mechanism is to extract the policy from the enriched authorization_details array included in the token per RFC 9396 Section 7.1.

When the token uses the policy_ref claim instead of inline policy content, the RS retrieves the policy using one of the following methods:

  • Fetch from AS: Use the endpoint URL in the policy_ref to retrieve the policy.
  • Local Cache: Use a cached copy if available and not expired.
  • Introspection: Include policy content in token introspection response.

7.2. Policy Engine Integration

After extracting the Rego policy from the token, the RS MUST load the policy into a Rego-compatible policy engine before querying it. Common loading mechanisms include:

  • OPA REST API: PUT /v1/policies/{id} to register the policy, then query the Data API;
  • OPA Go Library: Load the policy programmatically using the embedded OPA SDK;
  • OPA Compile API: Submit the policy and input together for ad-hoc evaluation.

Once loaded, the RS queries the policy engine with the request context as input:

POST /v1/data/agent/allow HTTP/1.1
Host: opa.example.com
Content-Type: application/json

{
  "input": {
    "user": {
      "id": "user_12345",
      "tier": "premium"
    },
    "action": "manage_portfolio",
    "resource": {
      "type": "portfolio",
      "id": "portfolio_001"
    }
  }
}
Figure 7
{
  "result": true
}
Figure 8

7.3. Enforcement Decision

Based on the policy engine's response:

  • If result is true: Allow the operation;
  • If result is false: Deny with 403 Forbidden;
  • If result is undefined (OPA returns an empty object with no result field): Deny with 403 Forbidden. Note that policies following the RECOMMENDED default allow = false pattern (see Section 3.1.3) will always produce a defined boolean result, so undefined only occurs when the default declaration is omitted;
  • If the policy engine is unreachable or encounters an internal error: Deny with 500 Internal Server Error.

8. Applicability to Different Authorization Flows

The rego_policy authorization data type defined in this specification can be used with any OAuth 2.0 authorization flow that supports Rich Authorization Requests (RAR) [RFC9396]. This section illustrates usage with flows that are particularly relevant to AI agent scenarios.

8.1. JWT Grant with Interaction Response

The JWT Authorization Grant Interaction Response [I-D.parecki-oauth-jwt-grant-interaction-response] is the RECOMMENDED flow for AI agent scenarios. In this flow, an agent presents a JWT assertion to the token endpoint. If user interaction (e.g., consent) is required before the token can be issued, the AS returns an interaction_required error with an interaction_uri where the user can complete the interaction. The agent then polls for the token.

When combined with Rego Policy, the agent includes authorization_details containing the rego_policy type in the JWT grant request. The AS validates the policy proposal, performs scope checks, and determines whether user consent is needed before issuing the token.

POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&assertion=eyJhbGciOiJSUzI1NiJ9...
&authorization_details=%5B%7B%22type%22%3A%22rego_policy%22%2C
  %22policy%22%3A%7B%22type%22%3A%22rego%22%2C
  %22content%22%3A%22package%20agent%5Cn...
  %22entry_point%22%3A%22allow%22%7D%2C
  %22actions%22%3A%5B%22manage_portfolio%22%2C%22view_reports%22%5D%7D%5D
Figure 9: JWT Grant Request with Rego Policy 
HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error": "interaction_required",
  "interaction_uri": "https://as.example.com/interact/abc123",
  "interval": 5,
  "expires_in": 600
}
Figure 10: Interaction Required Response

After the user completes the interaction, the agent retries the same JWT grant request. The AS then issues the access token with the enriched authorization_details containing the validated Rego policy.

8.2. Client Credentials Grant

In machine-to-machine scenarios using client credentials, the policy proposal can be included in the token request:

POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=spiffe%3A%2F%2Fagent.example%2Fagent
&client_secret=...
&authorization_details=%5B%7B%22type%22%3A%22rego_policy%22%2C
  %22policy%22%3A%7B%22type%22%3A%22rego%22%2C%22content%22%3A%22...%22%2C
  %22entry_point%22%3A%22allow%22%7D%7D%5D
Figure 11

8.3. Token Exchange (RFC 8693)

When exchanging tokens [RFC8693], a new policy proposal can be provided to refine or restrict the authorized operations:

POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
&subject_token=eyJhbGciOiJSUzI1NiJ9...
&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token
&authorization_details=%5B%7B%22type%22%3A%22rego_policy%22%2C
  %22policy%22%3A%7B%22type%22%3A%22rego%22%2C%22content%22%3A%22...%22%2C
  %22entry_point%22%3A%22allow%22%7D%7D%5D
Figure 12

The resulting access token will include the new, more restrictive policy constraints that MUST be a subset of the original token's permissions.

9. Security Considerations

9.1. Policy Injection

Rego policies submitted by clients are evaluable policy definitions. Although Rego is declarative and guarantees termination, the AS MUST:

  • Validate policy syntax before registration;
  • Evaluate policies in sandboxed environments;
  • Limit policy evaluation time and resource usage;
  • Restrict dangerous built-in functions (e.g., http.send).

9.2. Policy Scope Escalation

Clients MUST NOT be able to propose policies that exceed their registered permissions. The AS SHOULD maintain policy templates or scope hierarchies to enforce this.

9.3. Policy Integrity

The policy_ref in access tokens MUST reference policies stored securely by the AS. Resource Servers MUST fetch policies only from trusted sources.

9.4. Policy URI Fetching

When the policy.uri field is present, the AS fetches policy content from a client-provided URI. This introduces Server-Side Request Forgery (SSRF) risks. The AS MUST:

  • Reject URIs pointing to private/internal network addresses (e.g., 10.0.0.0/8, 169.254.0.0/16, 127.0.0.0/8, ::1);
  • Enforce HTTPS for all policy URIs;
  • Set strict timeouts and size limits on fetched content;
  • Validate that the fetched content is syntactically valid Rego before any evaluation.

9.5. Policy Size Limits

Rego policies embedded inline within authorization_details can significantly increase token request and access token size. Implementations MUST enforce limits on:

  • Maximum policy source size (RECOMMENDED limit: 4 KB for inline policies). Note that JWT access tokens are typically carried in HTTP Authorization headers, where many proxies and load balancers enforce an 8 KB total header size limit;
  • Maximum policy complexity (e.g., nesting depth, number of rules);
  • Total authorization_details payload size in token requests.

For policies exceeding these limits, clients SHOULD use pre-registered policies referenced via policy_ref rather than inline policy content.

10. IANA Considerations

10.1. RAR Authorization Data Type Registration

This specification defines the following authorization data type for use with the authorization_details parameter defined in RFC 9396:

Type Name:
rego_policy
Description:
A Rego policy for fine-grained authorization decisions, including policy content, entry point, and optional evaluation context.
Change Controller:
IETF
Specification Document:
Section 3 of this document

10.2. JWT Claims Registration

This specification registers the following claims in the "JSON Web Token Claims" registry:

Claim Name:
policy_ref
Claim Description:
A reference to a registered Rego policy in access tokens.
Change Controller:
IETF
Specification Document:
Section 3.2 of this document

10.3. OAuth Extensions Error Registration

This specification registers the following error code in the "OAuth Extensions Error" registry established by RFC 6749:

Error Name:
insufficient_authorization
Error Description:
The request requires higher authorization privileges than provided by the access token. The resource server MAY include a rego_profile object in the response body to guide the client toward obtaining sufficient authorization.
Change Controller:
IETF
Specification Document:
Section 5.1 of this document

11. References

11.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC6749]
Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, , <https://www.rfc-editor.org/info/rfc6749>.
[RFC7519]
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, , <https://www.rfc-editor.org/info/rfc7519>.
[RFC9396]
Lodderstedt, T., Richer, J., and B. Campbell, "OAuth 2.0 Rich Authorization Requests", RFC 9396, DOI 10.17487/RFC9396, , <https://www.rfc-editor.org/info/rfc9396>.
[RFC8414]
Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 Authorization Server Metadata", RFC 8414, DOI 10.17487/RFC8414, , <https://www.rfc-editor.org/info/rfc8414>.

11.2. Informative References

[RFC8693]
Jones, M., Nadalin, A., Campbell, B., Ed., Bradley, J., and C. Mortimore, "OAuth 2.0 Token Exchange", RFC 8693, DOI 10.17487/RFC8693, , <https://www.rfc-editor.org/info/rfc8693>.
[I-D.parecki-oauth-jwt-grant-interaction-response]
Parecki, A., Campbell, B., and D. Liu, "JWT Authorization Grant Interaction Response", Work in Progress, Internet-Draft, draft-parecki-oauth-jwt-grant-interaction-response-00, , <https://datatracker.ietf.org/doc/html/draft-parecki-oauth-jwt-grant-interaction-response-00>.
[OPA]
Cloud Native Computing Foundation, "Open Policy Agent", <https://www.openpolicyagent.org/>.
[Rego]
Open Policy Agent, "Rego Policy Language", <https://www.openpolicyagent.org/docs/latest/policy-language/>.

Appendix A. Example Policies

A.1. Amount-Based Authorization 

package agent

default allow = false

# Allow transactions up to $50
allow {
  input.action == "purchase"
  input.amount <= 50.0
}

# Allow cart modifications without amount limit
allow {
  input.action == "add_to_cart"
}
Figure 13

A.2. Time-Window Authorization 

package agent

default allow = false

# Allow during business hours
allow {
  input.action == "submit_order"
  time.clock(time.now_ns())[0] >= 9
  time.clock(time.now_ns())[0] < 18
}
Figure 14

A.3. Role-Based Authorization 

package agent

default allow = false

# Premium users can access all features
allow {
  input.user.tier == "premium"
}

# Standard users limited to basic actions
allow {
  input.user.tier == "standard"
  input.action == "read"
}
Figure 15

Acknowledgments

The authors would like to thank Brian Campbell for his valuable feedback and insightful discussions during the development of this specification. His contributions helped shape key design decisions.

Authors' Addresses

Dapeng Liu
Alibaba Group
Hongru Zhu
Alibaba Group
Suresh Krishnan
Cisco
Aaron Parecki
Okta
Hui Xue
Alibaba Group