Skip to the content.

The Agent Provider Role — Deep Dive & Design Decisions

Sources: draft-hardt-oauth-aauth-protocol (normative agent-token requirements), draft-hardt-aauth-bootstrap-01 (informational enrollment/refresh patterns), draft-hardt-aauth-events-00 (AP as event inbox), draft-hardt-httpbis-signature-key-05 (key schemes used in the ceremonies).

1. What an AP is

The AP is the trust anchor for a fleet of agents. It:

The AP deliberately sees very little: enrollment and refresh requests, and (if events are enabled) event deliveries. It does not see the agent’s traffic to PSes, resources, or ASes.

2. Key model (bootstrap draft, two-key pattern)

Per platform, the recommended pattern is two keys per agent install:

Why: an ephemeral-key leak is bounded to one token lifetime; the durable key’s attack surface is only the AP refresh path. Receivers can’t tell the patterns apart (they only check cnf.jwk vs the HTTP signature), so a single-key pattern (durable key used for everything) is equally valid where simplicity wins.

Ceremonies on the wire (Signature-Key schemes)

3. Identifier strategy

sub = aauth:{local}@{ap-domain}. Requirements: local[a-z0-9._+-], non-empty, ≤255, stable for the lifetime of the install (across ephemeral rotations), + reserved for sub-agents. The bootstrap draft allows any opaque scheme; deriving from the durable key thumbprint or random assignment at enrollment are the canonical options.

Our choice: random 16-char lowercase base32 (Crockford alphabet folded to lowercase, no ambiguous letters) assigned at enrollment, stored with the enrollment record. Rationale vs thumbprint-derivation: survives a future “re-key this enrollment” admin operation, and leaks nothing about the key. Per-install identity: a new durable key = a new agent; the PS handles cross-device grouping.

Sub-agents: local = {parent_local}+{discriminator}, discriminator non-empty, [a-z0-9._-] (no nested +).

4. Normative obligations checklist (what the code must enforce)

From the protocol spec:

From the events spec (AP-specific):

5. Non-normative surface we must design ourselves

The bootstrap draft explicitly leaves enrollment/refresh endpoints AP-internal. Our design (documented in docs/api.md, rationale here):

5.1 Enrollment — POST /enroll

Body: {"enrollment_token": "...", "ps": "https://ps.example"?, "platform": "..."?}, signed with sig=hwk using the durable key (proof of possession at enrollment).

5.2 Token issuance / refresh — POST /agent-token

5.3 Sub-agent tokens — POST /subagent-token

Signed with the parent’s current agent token (sig=jwt scheme; the parent’s ephemeral key signs the request). Body: {"discriminator": "search1", "cnf_jwk": {...}} — the sub-agent generates its own key pair and hands the public key to the parent out of band.

5.4 Events plumbing (agent side)

5.5 Admin — under /admin/*, bearer token from config (constant-time compare)

6. Scale & multi-instance requirements

7. Security notes specific to the AP

8. What we intentionally do NOT implement