OAuth2.0 Extension for Multi-AI Agent Collaboration

AI agents are capable of handling tasks. They can integrate multiple technologies such as natural language understanding, data analysis, and logical reasoning to meet multi-step and cross-scenario requirements. However, a single AI agent has a limited knowledge scope and restricted functions, making it difficult to independently complete complex tasks that span multiple professional domains and require different capabilities. Collaboration among a group of AI agents is an essential approach for such complex tasks. Taking the demand for "real-time health advice" as an example, this intent can be split into three tasks: "collect the user's health data", "predict the user's health status" and "provide health advice based on health status". These tasks need to be accomplished by corresponding professional sub-AI agents: the data collection agent is responsible for privacy-compliant data collection, the health status prediction agent invokes medical models for analysis, and the advice generation agent outputs solutions based on health guidelines. What's more, accordingto some existing research, a leading agent is necessary for coordination. In the above example, the leading agent can receive the intent "give me real-time health advice" from user, understand it and split it into tasks. Additionally, the leading agent selects sub-agents capable of fulfilling the tasks and distributes these tasks to them. These sub-agents can be referred to as a task group. The sub-agents can be refered as task group. Finally, the leading agent integrates the results returned by the sub-AI agents to form complete health advice. Without the leading agent, task execution is prone to confusion and final results are difficult to unify. There are two typical policies for the leading agent to select sub-agents and form a task group: 1) The static policy determines all tasks and sub-agents upfront before execution, enabling predictable scheduling and stable group composition; 2) The dynamic policy incrementally identifies tasks and selects sub-agents during execution, allowing real-time adjustment based on intermediate results and improving adaptability to changing conditions. In such collaborative scenarios, if each sub-AI agent in a task group applies for permissions from the authorization server individually, the authorization server must verify the identity and permissions of each sub-agent one by one and generate access tokens for them. This leads to problems such as frequent interactions, high computing resource consumption on the authorization server, and low efficiency in the token issuance process. Therefore, this draft proposes two efficient authorization methods: 1) The leading agent communicates with the authorization server centrally and applies for access tokens on behalf of all sub-agents in the task group before task execution begins; 2) The leading agent applies for an access token for a specific task and issues task credentials bound to the access token to the corresponding sub-agents. The first method is suitable for the static policy, while the second method is suitable for the dynamic policy. Both methods can greatly simplify the authorization process for sub-AI agents and avoid efficiency loss caused by repeated interactions.

Applier: a role that request the access token on be half of client(s), e.g. a leading AI agent. DPoA: Demonstration Proof of Attribute. This draft uses the terms "authorization server", "client", "resource server" defined by OAuth 2.0

This protocol flow is modeled after and extends it with a *applier_id* field to enable authorization request by the applier.

| Resource | | | | Owner | | |<--(B) Authorization Grant----| | | | +----------------+ |Leading | | Agent | (C) Authorization Grant +----------------+ | |--------(applier_id)--------->| | | | | Authorization | | | (D) Access Token | Server | | |<------(app=applier_id)-------| | +--------+ +----------------+ | | (E) Access Token* | v +--------+ +----------------+ | |-------(F) Access Token*----->| Resource | | Sub- | | Server | | Agent |<---(G) Protected Resource----| | +--------+ +----------------+]]>

Before initiating the protocol, the leading agent registers with the authorization server, as defined in . In this draft, the leading agent's role or capability is incorporated into its registration process. For example, the leading agent's profile includes a "capability" parameter with the value "resolve intent and distribute tasks".

This section refers to step (A) and (B). The leading agent receives a requirement from the user, resolves it and determines the task(s) and sub-agent(s) needed to fulfill the requirement. For example, when the user sends the intent "give me real-time health advice" to the leading agent, the leading agent resolves this intent and identifies three tasks: task 1 (collect the user's health data), task 2 (predict the user's health status) and task 3 (provide health advice based on health status). The leading agent then utilizes the agent discovery process to select sub-agent(s) capable of performing the respective tasks. For instance, task 1 assigned to sub-agent 1, task 2 to sub-agent 2, and task 3 to sub-agent 3. In the subsequent authorization process proposed in this draft, the leading agent is designated as the applier, and the selected sub-agent(s) are designated as the client(s). The leading agent requests authorization from the resource owner, as defined in .

This section refers to step (C) and D). The leading agent requests an access token by authenticating with the authorization server and presenting the authorization grant, as defined in . The message may also include the following parameter: OPTIONAL. The identifier of the applier which is requesting access token on be half of the client(s). The authorization server authenticates the leading agent and validates that the leading agent is capable of requesting access tokens on behalf of sub-agent(s). For example, it checks whether the leading agent's profile includes a "capability" parameter whose value includes "distribute tasks". If the validation is successful, the authorization server may verify grants as defined in . Then the authorization server generates access token and send access token response message to the leading agent. The access token is similar to OAuth2.0, except that it consists of an additional claim to specify the applier. OPTIONAL. The identifier of the applier which is requesting access token on be half of the client(s). The access token includes one *app* parameter and multiple *sbj*-*aud*-*scope* pairs. Below is an example: { "iss": "authorization server ID", "app": "leading agent ID", "sbj": "sub AI agent1 ID", "aud": "resource server 1 ID", "sbj": "sub AI agent 2 ID", "aud": "resource server 1 ID", "resource server 2 ID", "sbj": "sub AI agent 3 ID", "aud": "resource server 2 ID", "resource server 3 ID" ... } If the validation fails, the access token response message may include the reason for failure. has defined types of error response. In this case, the authorization server may use a new error message "unauthorized_applier" to indicate that the leading agent is not capable of requesting access tokens on be half of sub-agent(s).

This section refers to step (E). The leading agent sends the task ID and access token* to the sub-agent(s). Based on local policies and regulations, the leading agent may use privacy protection mechanisms to process the access token. Thus, the access token* may be the same as the access token, or generated from the access token using privacy protection mechanisms. For example, the leading agent uses a selective disclosure algorithm to generate access token 1, access token 2, and access token 3 from the access token received in step (D). Access token 1 may include the leading agent ID and sub-agent 1 ID; access token2 may include the leading agent ID and sub-agent 2 ID; access token3 may include the leading agent ID and sub-agent 3 ID. The applier may then send access token 1 to sub-agent 1, access token 2 to sub-agent 2, and access token 3 to sub-agent 3. The sub-agent(s) validate the proof of the received access token* and check whether the applier ID refers to a trustworthy leading agent. For example, each AI agent is preconfigured with a list of trusted AI agents, and any one of the trusted AI agents that acts as a leading agent will pass the validation. If the validation fails, the client(s) may send a response message to the applier with a failure indication of "unknown_applier".

This section refers to step (F) and (G). The sub-agent(s) execute the task according to message received in step (E). When resources are needed, the sub-agent(s) request the protected resource from the resource server and present the access token*, as defined in . The resource server validates the access token*, as defined in . If the access token* includes multiple *sbj*-*aud* pairs, the resource server may verify that its own ID and the sub-agent's ID are in the same pair. In previous example of the access token, "sub-agent 1 ID"and "resource server 1 ID" are in the same pair. If the validation succeeds, the resource server may provide the resource to the client(s).

This protocol flow is modeled after and extends it with task credentials bound with the access token.

| Resource | | | (B) Authorization Grant | Owner | | |<-----------------------------| | |Leading| +-------------+ | Agent | (C) Authorization Grant +-------------+ | |--------(task, key)---------->| | | | |Authorization| | | (D) Access Token | Server | | |<-------(task, key)-----------| | +-------+ +-------------+ | (E) Access Token* & Task Credential | +---v---+ +-------------+ | | (F) Access Token* | | | Sub- |----------------------------->| Resource | | Agent | (G) Protected Resource | Server | | |<-----------------------------| | +-------+ +-------------+]]>

Before initiating the protocol, the leading agent registers with the authorization server.

This section refers to step (A) and (B). The leading agent receives a requirement from the user, resolves it and determines the task(s) and client(s) needed to fulfill the requirement. The leading agent requests authorization from the resource owner. Detailed prcedures are similar to section 3.2.

This section refers to step (C) and D). The leading agent requests an access token by authenticating with the authorization server and presenting the authorization grant, as defined in . The message may also include the following parameter: OPTIONAL. The identifier or description of the task which is resolved from intent. OPTIONAL. The index that point to the public key of the leading agent that is used to issue task credentials. The authorization server authenticates the leading agent and validates that the leading agent is capable of executing specific task. What's more, the authorization server validated that the leading agent holds the private key related to the *key* received in the request message. If the validation is successful, the authorization server may verify grants as defined in . Then the authorization server generates access token and send access token response message to the applier. The access token is similar to OAuth2.0 and OAuth2.0 DPoP, reuse the *subject* parameter, and add a new parameter to specify the task and related public key. This access token can be named as DPoA token. OPTIONAL. The attribute of the sub-agent that is required to permit the sub-agent to request resources indicated in the access token. In this case, this parameter is set to the indication of public key of the leading agent that is used to issue task credentials. Below is an example: { "iss": authorization server ID, "sbj": task ID, "aud": resource server 1 ID, "att": public key for specific task ... } If the validation fails, the access token response message may include the reason for failure. In this case, the authorization server may use a new error message "unrecognized_pk" to indicate that the validation of *key* sent by the leading agent is wrong.

This section refers to step (E). After the leading agent selects sub-agent to execute task, it generates task credential and sends the credential with access token* to the sub-agent(s). The task credential is used to prove that the subject of the credential is selected by the leading agent to execute specific task. Optionally it includes the information of the related access token. The credential is signed by the leading agent using the private key related to the public key indicated by the *att* parameter in the access token. This credential can have multiple formats. Below is an example: { "issuer": leading agent ID, "subject": sub-agent ID, "attribute": task ID "related token": hash of the access token ... "proof": signature of leading agent } The leading agent may resolve a list of multiple tasks based on one intent from the user. In this case, the *sbj* in the access token may involve several tasks. Based on local policies and regulations, the leading agent may use privacy protection mechanisms to process the access token. For example, the leading agent uses a selective disclosure algorithm to generate access token 1, access token 2, and access token 3 from the access token received in step (D). Access token 1 may include task ID 1; access token2 may include ttask ID 2; access token3 may include task ID 3. The leading agent may then send access token 1 to sub-agent 1, access token 2 to sub-agent 2, and access token 3 to sub-agent 3. The sub-agent(s) validate the the received access token* and task credential, and validate the relationship of them.For example, to validate the task credenial, the sub-agent(s) check whether the *subject* indicates a trusted leading agent, and whether the *proof* value is right; to validate the relationship, the sub-agent(s) check whether the task ID in the access token* is the same as the task credential, whether the key indicated by the access token* can be used to validate the proof of the task credential, and whether the token hash in the task credential is same as the hash of the access token*. If the task credential validation fails, the sub-agent(s) may send a response message to the applier with a failure indication of "invalid_credential". If the relationship validation fails, the sub-agent(s) may send a response message to the applier with a failure indication of "unknown_credential".

This section refers to step (F) and (G). The sub-agent(s) execute the task according to message received in step (E). When resources are needed, the sub-agent(s) request the protected resource from the resource server and present the access token*, as defined in. Meanwhile, the sub-agent(s) send the task credential to the resource server, The resource server validates the access token*, as defined in. And validates the task credential and the relationship between the access token* and the task credential. If the validation succeeds, the resource server may provide the resource to the client(s).

TBD