
Formalize scope intersection and introspection response fields#1

Open
jpelaez-23blocks wants to merge 1 commit into main from feat/formalize-scope-and-introspection

Conversation

@jpelaez-23blocks

Summary

  • Scope Resolution section — defines MUST behavior for scope intersection when agents request specific scopes. Prevents scope escalation, enables least-privilege token requests.
  • Required Introspection Fields table — makes agent-specific fields (agent_id, agent_address, agent_name, agent_role, agent_status) normative with MUST/SHOULD requirements. Enables target APIs to make identity-aware authorization decisions.

Both additions are non-breaking. They formalize behavior that the reference implementation (23blocks Auth API) already enforces in production.

Motivation

After building a full AID implementation end-to-end (registration, token exchange, introspection, lifecycle management, and a production frontend), we identified two areas where the spec was informational but should be normative:

  1. What happens when an agent requests scopes it doesn't have? The spec showed scope as a parameter but didn't define the intersection/rejection behavior.
  2. The introspection response included agent fields in an example but didn't specify them as required. Without normative field names, different auth server implementations could return different shapes, breaking interoperability.

Test plan

  • Verify scope resolution section is clear and unambiguous
  • Verify introspection field table matches reference implementation output
  • Confirm no breaking changes to existing spec sections

🤖 Generated with Claude Code

…ields

Add two normative sections based on production implementation experience:

1. Scope Resolution — defines the MUST behavior when agents request
   specific scopes: intersection with registered scopes, invalid_scope
   rejection for escalation attempts, and least-privilege token requests.

2. Required Introspection Fields — makes agent-specific fields
   (agent_id, agent_address, agent_name, agent_role, agent_status)
   normative with a MUST/SHOULD table, enabling target APIs to make
   identity-aware authorization decisions.

Both additions are non-breaking — they formalize behavior that the
reference implementation (23blocks Auth API) already enforces.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
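As an added example (not text from the AID spec and not the 23blocks Auth API's own code), one way to model the two behaviours this PR makes normative: the scope-resolution rule at the token endpoint and the agent fields carried in the introspection response. The `RegisteredAgent` type, the sample values, the default applied when no scope parameter is sent, and the exact "intersection plus invalid_scope rejection" reading are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegisteredAgent:
    # Field names are the introspection fields the PR lists; values are constructed.
    agent_id: str
    agent_address: str
    agent_name: str
    agent_role: str
    agent_status: str
    scopes: frozenset


def resolve_scopes(agent: RegisteredAgent, requested: Optional[str]) -> dict:
    """Token endpoint view of the PR's scope resolution rule.

    Granted scope is the intersection of the requested and registered sets; a
    request naming any unregistered scope is treated as an escalation attempt
    and answered with an OAuth-style invalid_scope error (assumed reading of
    the PR's wording). With no scope parameter the registered set is granted
    as-is (assumption; the PR does not state the default)."""
    if not requested:
        return {"scope": " ".join(sorted(agent.scopes))}
    asked = frozenset(requested.split())
    escalated = asked - agent.scopes
    if escalated:
        return {"error": "invalid_scope",
                "error_description": "not registered for: " + " ".join(sorted(escalated))}
    return {"scope": " ".join(sorted(asked & agent.scopes))}


def introspect(agent: RegisteredAgent, scope: str) -> dict:
    """Introspection response carrying the five agent fields the PR makes normative,
    alongside the usual active/scope fields."""
    return {
        "active": agent.agent_status == "active",  # "active" is a constructed status value
        "scope": scope,
        "agent_id": agent.agent_id,
        "agent_address": agent.agent_address,
        "agent_name": agent.agent_name,
        "agent_role": agent.agent_role,
        "agent_status": agent.agent_status,
    }


# Constructed sample: an agent registered for two order scopes.
AGENT = RegisteredAgent("agent-123", "agent-123.example.test", "orders-bot", "worker",
                        "active", frozenset({"read:orders", "write:orders"}))
```

A target API that receives `introspect(...)` output can then authorize on `agent_role` or `agent_status` rather than on the bearer token alone, which is the identity-aware decision the PR describes.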