   Authorization Domain overview

   An Authorization Domain contains one Authorization Server and one
   Resource Server.  The Resource Server publishes Resource Metadata and
   fronts the tools (Tool A1, Tool A2) that the AI Agent calls.  The End
   User sits outside the domain and is only involved in the consent
   steps.

      (a) Auth request: the AI Agent initiates the authorization request,
          which the End User carries to the Authorization Server.
      (b) User consent: the End User authenticates and consents at the
          Authorization Server.
      (c) Auth code: the Authorization Server returns an authorization
          code to the End User, who passes it back to the AI Agent.
      (d) Token exchange: the AI Agent exchanges the code at the
          Authorization Server.
      (e) Access token: the Authorization Server returns an access token
          to the AI Agent.
      (f) Request w/ token: the AI Agent calls the Resource Server with
          the access token.
      (g) Response: the Resource Server returns the resource response.

   Sequence: scope aggregation within each Authorization Domain

   Participants: End User, AI Agent, Resource Server, Auth Server.

      (1)  AI Agent -> Resource Server: Get metadata
           Resource Server -> AI Agent: Resource metadata
      (2)  AI Agent -> Auth Server: Get AS metadata for each AD
           Auth Server -> AI Agent: AS metadata
      (3)  AI Agent (internal): Scope aggregation within each AD
      (4a) AI Agent -> End User: Init auth
      (4b) End User -> Auth Server: User authentication + consent
      (4c) Auth Server -> End User: Redirect back to agent
      (4d) End User -> AI Agent: Auth code
      (4e) AI Agent -> Auth Server: Token exchange
      (4f) Auth Server -> AI Agent: Access token w/ aggregated scopes
      LOOP: repeat for each step with a resource request
      (5)  AI Agent -> Resource Server: Request resource w/ token
           Resource Server -> AI Agent: Resource responses

   Sequence: on-demand authorization for each scope deficiency

   Participants: End User, AI Agent, Resource Server, Auth Server.

      (1)  AI Agent -> Resource Server: Get metadata
           Resource Server -> AI Agent: Resource metadata
      LOOP: repeat for each request with scope deficiency
      (2)  AI Agent -> Resource Server: Request resource
           Resource Server -> AI Agent: Unauthorized error
      (3)  AI Agent -> Auth Server: Fetch AS metadata
           Auth Server -> AI Agent: AS metadata
      (4a) AI Agent -> End User: Init auth
      (4b) End User -> Auth Server: User authentication + consent
      (4c) Auth Server -> End User: Redirect back to agent
      (4d) End User -> AI Agent: Auth code
      (4e) AI Agent -> Auth Server: Token exchange
      (4f) Auth Server -> AI Agent: Access token w/ requested scopes
      (5)  AI Agent -> Resource Server: Request resource w/ access token
           Resource Server -> AI Agent: Resource responses
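   The two sequences above differ in when the agent asks for consent:
   once per Authorization Domain after aggregating every scope its plan
   needs, or only when a Resource Server rejects a request for lack of
   scope.  The following Python program is an added illustration, not
   code from the draft, and models both flows offline with constructed
   in-memory metadata.  The metadata field names follow RFC 9728
   (protected resource metadata) and RFC 8414 (authorization server
   metadata), and the 401 challenge follows RFC 6750; the resource and
   issuer URLs, the plan, the token shape and the consent-counting auth
   server are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Constructed protected-resource metadata (RFC 9728 field names) for three
# resource servers in two authorization domains, keyed by their AS issuer.
RESOURCE_METADATA = {
    "https://rs-a.example": {"authorization_servers": ["https://as-1.example"],
                             "scopes_supported": ["files:read", "files:write"]},
    "https://rs-b.example": {"authorization_servers": ["https://as-1.example"],
                             "scopes_supported": ["calendar:read"]},
    "https://rs-c.example": {"authorization_servers": ["https://as-2.example"],
                             "scopes_supported": ["mail:send"]},
}

# Constructed agent plan: (resource to call, scope that call needs).
PLAN = [("https://rs-a.example", "files:read"),
        ("https://rs-b.example", "calendar:read"),
        ("https://rs-a.example", "files:write"),
        ("https://rs-c.example", "mail:send")]


def issuer_of(resource, metadata):
    return metadata[resource]["authorization_servers"][0]


def aggregate_scopes(plan, metadata):
    """Step (3) of the proactive flow: group required scopes by authorization
    domain so the agent runs one authorization per AS.  A scope the resource
    does not advertise is rejected before any consent prompt is shown."""
    per_ad = {}
    for resource, scope in plan:
        if scope not in metadata[resource]["scopes_supported"]:
            raise ValueError(f"{resource} does not support scope {scope}")
        per_ad.setdefault(issuer_of(resource, metadata), set()).add(scope)
    return {iss: sorted(s) for iss, s in per_ad.items()}


@dataclass
class Token:
    issuer: str
    scopes: set = field(default_factory=set)


class AuthServer:
    """Stand-in for (4a)-(4f): issues a token carrying exactly the scopes the
    user consented to, and counts consent prompts to compare the flows."""
    def __init__(self, issuer):
        self.issuer, self.consents = issuer, 0

    def authorize(self, scopes):
        self.consents += 1
        return Token(self.issuer, set(scopes))


class ResourceServer:
    """Checks issuer and scope; on failure answers with an RFC 6750 Bearer
    challenge so the agent learns what it is missing."""
    def __init__(self, resource, metadata):
        self.resource, self.md = resource, metadata[resource]

    def request(self, token, scope):
        if token is None or token.issuer not in self.md["authorization_servers"]:
            return 401, ('Bearer error="invalid_token", resource_metadata="%s'
                         '/.well-known/oauth-protected-resource"' % self.resource)
        if scope not in token.scopes:
            return 401, 'Bearer error="insufficient_scope", scope="%s"' % scope
        return 200, f"ok:{scope}"


CHALLENGE_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header):
    """Split a WWW-Authenticate value into its scheme and auth-params."""
    scheme, _, params = header.partition(" ")
    return scheme, dict(CHALLENGE_RE.findall(params))


def run_proactive(plan, metadata, auth_servers):
    """Sequence 1: aggregate, authorize once per AD, then run every step."""
    tokens = {iss: auth_servers[iss].authorize(scopes)
              for iss, scopes in aggregate_scopes(plan, metadata).items()}
    return [ResourceServer(r, metadata).request(tokens[issuer_of(r, metadata)], s)
            for r, s in plan]


def run_on_demand(plan, metadata, auth_servers):
    """Sequence 2: request first; on a 401, re-authorize for the union of the
    scopes already held and the one the challenge names, then retry."""
    tokens, results = {}, []
    for resource, scope in plan:
        rs, issuer = ResourceServer(resource, metadata), issuer_of(resource, metadata)
        status, body = rs.request(tokens.get(issuer), scope)
        if status == 401:
            _, params = parse_challenge(body)       # (2) Unauthorized error
            needed = params.get("scope", scope)      # scope hint, if given
            held = tokens[issuer].scopes if issuer in tokens else set()
            tokens[issuer] = auth_servers[issuer].authorize(held | {needed})
            status, body = rs.request(tokens[issuer], scope)   # (5) retry
        results.append((status, body))
    return results
```

   Running both flows over the same plan makes the trade-off concrete: the
   proactive flow prompts the user once per Authorization Domain but mints a
   token whose scopes cover every planned step, while the on-demand flow
   prompts on each deficiency and only ever widens the token to what a
   rejected call actually needed.  Whichever flow is used, the token should
   remain bound to the Authorization Domain that issued it; the
   ResourceServer above rejects a token from another issuer for that
   reason.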