Shane Deconinck

OBO (OAuth On-Behalf-Of)

How agents act on behalf of users with delegated OAuth tokens

AI Agents Break OAuth's Assumptions

Traditional App: 👤 User → App → 🌐 API. The app forwards the user's intent.

AI Agent: 👤 User → 🤖 Agent → ??? The agent creates its own intent.

When an agent approves an expense, the audit log shows alice@company.com — but Alice didn’t decide. Who’s accountable?

Dual Identity with RFC 8693

👤 sub = authority (whose permissions)
🤖 act = actor (who's deciding)

The On-Behalf-Of token identifies both. APIs can enforce Alice’s limits while logging the agent’s actions. Full accountability.

Token Exchange Flow

Sequence Diagram (participants: 👤 Alice, 🤖 Agent, 🔐 Auth Server, 🌐 API)
1. Alice → Auth Server: OIDC login request.
2. Auth Server → Alice: ID token + access token (Alice's Token).
3. Alice → Agent: delegates.
4. Agent → Auth Server: token exchange.
5. Auth Server → Agent: OBO token.
6. Agent → API: approve $487 expense; API validates the OBO token → ✓ Approved.
7. Agent → API: approve $1,250 expense → ✗ Limit exceeded.

Audit Log Comparison

Same expense approval. What does the audit log show?
Without OBO (Standard OAuth)
Audit Entry
Action: Expense Approved
Amount: $487.50
User: alice@company.com
Who decided? ???
Was it Alice clicking approve?
Or an AI agent acting autonomously?
🤷

With OBO (RFC 8693 Token Exchange)
Audit Entry
Action: Expense Approved
Amount: $487.50
Authority (sub): 👤 alice@company.com
Actor (act): 🤖 expense-agent-001
Alice granted permission.
Agent-001 made the decision.
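The token exchange flow and the audit comparison above, worked through as an added Python example. This is not code from the original page or from any OAuth library: the authorization server and API are in-memory stand-ins with unsigned opaque tokens, and the $1,000 per-user limit, the token values, the "expenses:approve" scope and the "expense-api" audience are constructed assumptions. The RFC 8693 grant type, token-type URNs and request parameter names are the real ones. The entries_for_actor helper also answers the CISO question in the next section.

```python
import time
from urllib.parse import parse_qs, urlencode

# RFC 8693 identifiers (the real URNs from the spec).
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed policy: the page shows $487 approved and $1,250 rejected but
# states no limit, so a $1,000 per-user approval limit is an assumption.
APPROVAL_LIMIT = {"alice@company.com": 1000.00}

AUDIT_LOG: list[dict] = []  # in-memory stand-in for the API's audit log


def build_exchange_request(subject_token: str, actor_token: str, audience: str) -> str:
    """Form body the agent POSTs to the token endpoint (RFC 8693 parameters)."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,      # Alice's token: whose permissions
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "actor_token": actor_token,          # the agent's own credential: who acts
        "actor_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,                # the downstream API
    })


class AuthServer:
    """Toy authorization server: opaque tokens mapped to claims, no signatures."""

    def __init__(self) -> None:
        self.tokens: dict[str, dict] = {}

    def issue(self, sub: str, scope: str, aud: str = "expense-api") -> str:
        token = f"tok-{len(self.tokens)}-{sub}"  # constructed opaque token value
        self.tokens[token] = {"sub": sub, "scope": scope, "aud": aud,
                              "exp": time.time() + 3600}
        return token

    def exchange(self, form_body: str) -> dict:
        """Token endpoint: validate both tokens, mint an OBO token with sub + act."""
        form = {k: v[0] for k, v in parse_qs(form_body).items()}
        if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
            raise ValueError("unsupported_grant_type")
        subject = self.tokens.get(form.get("subject_token", ""))
        actor = self.tokens.get(form.get("actor_token", ""))
        if subject is None or actor is None:
            raise ValueError("invalid_grant")
        claims = {
            "sub": subject["sub"],           # authority: whose permissions apply
            "act": {"sub": actor["sub"]},    # actor: who is making the decision
            "scope": subject["scope"],       # never wider than the subject's scope
            "aud": form.get("audience", subject["aud"]),
            "exp": min(subject["exp"], actor["exp"]),  # outlives neither input
        }
        token = f"obo-{len(self.tokens)}"
        self.tokens[token] = claims
        return {"access_token": token, "issued_token_type": ACCESS_TOKEN_TYPE,
                "token_type": "Bearer"}


def approve_expense(auth: AuthServer, token: str, amount: float) -> dict:
    """Resource server: validate the token, enforce the authority's limit, log both."""
    claims = auth.tokens.get(token)
    if claims is None or claims["exp"] < time.time() or claims["aud"] != "expense-api":
        raise PermissionError("invalid_token")
    if "expenses:approve" not in claims["scope"].split():
        raise PermissionError("insufficient_scope")
    authority = claims["sub"]
    actor = claims.get("act", {}).get("sub", authority)  # no act: the user acted directly
    approved = amount <= APPROVAL_LIMIT.get(authority, 0.0)
    entry = {"action": "Expense Approved" if approved else "Expense Rejected",
             "amount": amount, "authority": authority, "actor": actor}
    AUDIT_LOG.append(entry)
    return entry


def entries_for_actor(actor: str) -> list[dict]:
    """The CISO question from the page: everything one agent did, across all users."""
    return [e for e in AUDIT_LOG if e["actor"] == actor]


def run_demo() -> list[dict]:
    """Replays the page's flow: Alice logs in, delegates, the agent approves $487.50 and $1,250."""
    AUDIT_LOG.clear()
    auth = AuthServer()
    alice_token = auth.issue("alice@company.com", "expenses:approve")
    agent_token = auth.issue("expense-agent-001", "agent")
    obo = auth.exchange(build_exchange_request(alice_token, agent_token, "expense-api"))
    return [approve_expense(auth, obo["access_token"], 487.50),
            approve_expense(auth, obo["access_token"], 1250.00)]


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The two points the page makes both show up in approve_expense: the limit is looked up by sub (Alice's authority), while the audit entry records act (the agent) separately, so the rejected $1,250 request is attributable to expense-agent-001 even though it ran under Alice's permissions. The exchange step also keeps the OBO token's scope and expiry bounded by the inputs, so delegation never widens what Alice herself could do.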

Who Benefits?

🛡️ CISO: "Agent compromised. What did it access?"
Query actor: agent-001 → instant forensic trail across all users.

📋 Compliance: "Who approved this $10K expense?"
Alice (authority) + agent-001 (actor). Both logged. Full accountability.

⚙️ Platform: "Which agents are misbehaving?"
Per-agent metrics. Spot anomalies. Rate limit or revoke specific agents.

🤖 AI Team: "Is agent v2 making better decisions?"
Compare rejection rates per agent version. A/B test with real audit data.

Where OBO Falls Short

OBO works within a single trust domain. It breaks down when:
Multi-Hop Delegation
Agent A calls Agent B calls Agent C. The act claim only captures one layer. Who's really acting?
Cross-Organization
Agent from Org A needs to call API in Org B. Different auth servers, no shared trust anchor.
User Consent Opacity
RFC 8693 is backend-only. The user consents to the initial token, but every exchange after that is invisible. No front-channel interaction, no visibility into what scopes the agent requests or which downstream services receive tokens.
Emerging fix: IETF draft-oauth-ai-agents-on-behalf-of-user adds front-channel consent for AI agent delegation.
For emerging solutions to these challenges, see my blog post.