Network Working Group N. Kavian Internet-Draft Jarwin, Inc. (InFlow) Intended status: Standards Track 28 June 2026 Expires: 30 December 2026 OAuth Bearer Session Credential Grant Type for the Agent Enrollment Protocol draft-kavian-aep-oauth-session-credential-01 Abstract This document defines the OAuth Bearer session-credential grant type for the Agent Enrollment Protocol (AEP). The grant type lets an AEP Service issue an OAuth-style Bearer access token through the AEP Grant command while preserving baseline AEP client assertion authentication as the root of trust. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 30 December 2026. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Kavian Expires 30 December 2026 [Page 1] Internet-Draft AEP OAuth June 2026 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 2 3. Grant Type . . . . . . . . . . . . . . . . . . . . . . . . . 3 4. Inspect Configuration . . . . . . . . . . . . . . . . . . . . 3 5. Grant Request . . . . . . . . . . . . . . . . . . . . . . . . 4 6. Grant Response . . . . . . . . . . . . . . . . . . . . . . . 4 7. Credential Presentation . . . . . . . . . . . . . . . . . . . 5 8. Revoke . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 9. Error Handling . . . . . . . . . . . . . . . . . . . . . . . 6 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 11. Security Considerations . . . . . . . . . . . . . . . . . . . 6 12. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 13.1. Normative References . . . . . . . . . . . . . . . . . . 6 13.2. Informative References . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction The Agent Enrollment Protocol (AEP) defines Grant and Revoke commands for optional session credentials [AEP-CORE]. Session credentials are an optimization for deployments that want to reuse existing authentication middleware after an Agent has proven possession of its AEP identity key. This document defines the oauth-bearer grant type. The grant type issues an OAuth Bearer access token [RFC6750] through the AEP Grant command. Grant type request and response bodies are JSON objects [RFC8259] carried over HTTP semantics [RFC9110] as defined by AEP. This grant type does not redefine OAuth authorization grants, refresh tokens, token introspection, or token revocation. When a Service exposes standard OAuth token introspection [RFC7662] or revocation [RFC7009] endpoints, it advertises those endpoints as grant type configuration. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Kavian Expires 30 December 2026 [Page 2] Internet-Draft AEP OAuth June 2026 3. Grant Type The grant type identifier is: oauth-bearer A Service that enables this grant type lists oauth-bearer in commands.grant_types and lists grant and revoke in commands.supported in its AEP Inspect document. 4. Inspect Configuration A Service MAY publish configuration under commands.grant_types_config.oauth-bearer: { "commands": { "grant_types": ["oauth-bearer"], "grant_types_config": { "oauth-bearer": { "access_token_formats": ["opaque"], "default_lifetime_seconds": "900", "introspection_endpoint": "https://api.example.com/i", "revocation_endpoint": "https://api.example.com/r", "scopes_supported": ["read", "write"], "supports_per_credential_revoke": "true" } }, "supported": ["enroll", "grant", "inspect", "revoke", "status"] } } access_token_formats is an array of strings. This document defines opaque and jwt as descriptive values. Agents MUST treat returned access tokens as opaque regardless of the advertised format. default_lifetime_seconds is an AEP-owned numeric value and is therefore represented as a JSON string. introspection_endpoint and revocation_endpoint, when present, are HTTPS URLs for standard OAuth operational tooling. AEP-aware Agents use AEP Revoke for AEP-issued session credentials. scopes_supported, when present, lists Service-defined scope strings an Agent can request. Kavian Expires 30 December 2026 [Page 3] Internet-Draft AEP OAuth June 2026 supports_per_credential_revoke is a string boolean. If absent, the default is "false". A Service that returns credential_id in a Grant response MUST support Revoke with that credential_id. A Service that does not support per-credential Revoke MUST omit credential_id from Grant responses. 5. Grant Request The Agent invokes AEP Grant using baseline Authorization: AEP authentication with op equal to grant. { "grant_type": "oauth-bearer", "requested_scopes": ["read"], "token_format": "opaque" } grant_type MUST be oauth-bearer. requested_scopes is OPTIONAL. A Service MAY grant fewer scopes than requested. Unsupported requested scopes MAY be omitted from the response scopes array. If the Service cannot issue a useful credential for the requested scopes, it MUST return invalid_request. token_format is OPTIONAL. The values defined by this document are opaque and jwt. A Service MAY ignore this preference. 6. Grant Response A successful Grant response is a JSON object: { "access_token": "ya29.example", "credential_id": "tok_01HZY8W7Q2F8J7D3P9G9Z1N6TT", "expires_at": "2026-12-01T00:00:00Z", "scopes": ["read"], "token_format": "opaque", "token_type": "Bearer" } access_token is REQUIRED and contains the Bearer token value. token_type is REQUIRED and MUST be Bearer. expires_at is REQUIRED and is an RFC 3339 [RFC3339] timestamp for credential expiry. Kavian Expires 30 December 2026 [Page 4] Internet-Draft AEP OAuth June 2026 scopes is REQUIRED and contains the granted scope strings. The Service MAY return an empty array when the token has no scope-limited authorization. token_format, when present, describes the Service-selected format. credential_id, when present, is a stable identifier for per-token Revoke. If present, the Service MUST support Revoke with this value. This document does not define refresh tokens. Agents renew by invoking AEP Grant again with a fresh baseline client assertion. 7. Credential Presentation On later HTTP requests, the Agent presents the token using the Bearer authentication scheme: Authorization: Bearer ya29.example Authenticated AEP command endpoints MUST continue to accept baseline AEP authentication. 8. Revoke The Agent invokes AEP Revoke using baseline Authorization: AEP authentication with op equal to revoke. To revoke all OAuth Bearer session credentials of this type for the authenticated Agent: { "grant_type": "oauth-bearer" } To revoke one credential when the Service returned credential_id: { "credential_id": "tok_01HZY8W7Q2F8J7D3P9G9Z1N6TT", "grant_type": "oauth-bearer" } Revoke returns an empty JSON object on success. The Service MUST return success regardless of whether a matching token existed. To revoke all session credentials of every grant type, Agents use the core all_grant_types Revoke request. Kavian Expires 30 December 2026 [Page 5] Internet-Draft AEP OAuth June 2026 9. Error Handling This grant type uses the AEP error vocabulary defined by the core protocol. A token that is expired, malformed, revoked, unknown, or bound to a different Agent fails as not_recognized. 10. IANA Considerations This document requests registration of oauth-bearer in the AEP Grant Types registry. +=============+====================================================+ | Field | Value | +=============+====================================================+ | Grant Type | oauth-bearer | +-------------+----------------------------------------------------+ | Description | OAuth Bearer access token issued through AEP Grant | +-------------+----------------------------------------------------+ | Reference | This document | +-------------+----------------------------------------------------+ Table 1 11. Security Considerations Bearer tokens are usable by any party that presents them. Services SHOULD issue short-lived tokens. Services MUST NOT log raw access token values, and Services MUST support AEP Revoke for every advertised grant type. Agents that suspect token disclosure SHOULD call AEP Revoke using baseline AEP authentication and then fall back to per-request signed client assertions until a new token is issued. Services MUST bind issued tokens to the authenticated AEP Agent identity. JWT access tokens SHOULD include an audience identifying the issuing Service. Services MUST reject tokens whose audience does not identify the receiving Service. 12. Privacy Considerations Bearer tokens can become correlation handles if reused outside the issuing Service. Agents MUST NOT present AEP-issued Bearer tokens to other Services. Services MUST NOT log raw access token values in ordinary logs or telemetry. 13. References 13.1. Normative References Kavian Expires 30 December 2026 [Page 6] Internet-Draft AEP OAuth June 2026 [AEP-CORE] Kavian, N., "The Agent Enrollment Protocol", Work in Progress, Internet-Draft, draft-kavian-agent-enrollment- protocol-01, 27 June 2026, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, . [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", RFC 6750, DOI 10.17487/RFC6750, October 2012, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017, . [RFC9110] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, DOI 10.17487/RFC9110, June 2022, . 13.2. Informative References [RFC7009] Lodderstedt, T., Ed., Dronia, S., and M. Scurtescu, "OAuth 2.0 Token Revocation", RFC 7009, DOI 10.17487/RFC7009, August 2013, . [RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection", RFC 7662, DOI 10.17487/RFC7662, October 2015, . Author's Address N. Kavian Jarwin, Inc. (InFlow) Kavian Expires 30 December 2026 [Page 7] Internet-Draft AEP OAuth June 2026 Email: nas@inflowpay.ai Kavian Expires 30 December 2026 [Page 8]