Skip to content

Define OAuth grant lifecycle profile#6

Merged
SoundBlaster merged 2 commits into
mainfrom
codex/oauth-grant-lifecycle-profile
Jul 11, 2026
Merged

Define OAuth grant lifecycle profile#6
SoundBlaster merged 2 commits into
mainfrom
codex/oauth-grant-lifecycle-profile

Conversation

@SoundBlaster

Copy link
Copy Markdown
Member

Motivation

Dashboard proposals #7, #8, #11, and #12 identify a missing end-to-end OAuth lifecycle: ASP referenced RAR, Token Exchange, introspection, and revocation without defining interoperable Agent Grant request, response, state, or event contracts.

Goals

  • Define a precise OAuth representation of Agent Grant consent and issuance.
  • Prevent Token Exchange from widening authority or losing derivation and revocation linkage.
  • Give resource servers an authoritative, privacy-preserving introspection contract.
  • Define semantic grant revocation and authenticated grant.revoked processing.

Changes

  • Add a collision-resistant RFC 9396 authorization-details type, field contract, PKCE/PAR guidance, consent semantics, and granted-object response requirements.
  • Add an RFC 8693 Token Exchange request/response profile with runtime or actor authentication, resource restriction, attenuation, proof binding, and derivation cascade.
  • Add an RFC 7662 active/inactive introspection contract with tuple, surface, resources, constraints, expiry, and credential binding.
  • Add an RFC 7009 semantic revocation profile and authenticated, idempotent grant.revoked control event.
  • Add OAuth lifecycle conformance requirements, update the end-to-end example, mark review cards Define verifiable provenance and receipt chaining #7/Define the Action Execution Model #8/Add planning controls to RFC review dashboard #11/#12 as present, and regenerate the dashboard.

Validation

  • make review-build PYTHON=/opt/homebrew/opt/python@3.10/libexec/bin/python3
  • make review-check PYTHON=/opt/homebrew/opt/python@3.10/libexec/bin/python3
  • /opt/homebrew/opt/python@3.10/libexec/bin/python3 -m json.tool review/review-data.json >/dev/null
  • Parsed the updated manifest and five OAuth profile JSON examples with duplicate-key rejection.
  • Retrieved RFC 6749, 7009, 7636, 7662, 8693, 8707, 9126, 9396, and 9700 from RFC Editor.
  • Ran repository Markdown hygiene checks.
  • git diff --check

Boundaries and Non-Goals

  • Does not add grant_hash, surface_hash, receipt canonicalization, or signing profiles.
  • Defines special handling for grant.revoked but leaves general event ordering, acknowledgement, replay cursor, retention, and backpressure to proposal #26.
  • Uses standard OAuth grant and token types; it does not register a new agent_delegation grant type or IANA value.
  • This PR is intentionally left unmerged for review.

Notes

  • The Agent Grant authorization-details type uses the repository-controlled URI https://github.com/0al-spec/agent-surface/authorization-details/agent-grant as its collision-resistant identifier.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e8a52b1349

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread drafts/agent-surface.md Outdated
Comment thread drafts/agent-surface.md Outdated

@SoundBlaster SoundBlaster left a comment

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed current head e8a52b1. The existing P2 threads about the RFC 9396 array shape and auth.* manifest endpoint names are valid and are not duplicated below. Local validation passes: the dashboard is current, JavaScript parses, all 21 JSON examples parse without duplicate keys, and git diff --check is clean. I found six additional P1 security/interoperability issues and one P2 consistency issue. I would treat the P1 items as merge blockers. Submitted as COMMENT because the connected GitHub account owns the PR; no merge was performed.

Comment thread drafts/agent-surface.md Outdated
Comment thread drafts/agent-surface.md
Comment thread drafts/agent-surface.md
Comment thread drafts/agent-surface.md
Comment thread drafts/agent-surface.md
Comment thread drafts/agent-surface.md Outdated
Comment thread drafts/agent-surface.md Outdated
@SoundBlaster SoundBlaster merged commit 8752fa7 into main Jul 11, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant