Delegated Authorization for Agents Constrained to Semantic Task-to-Scope Matching

TL;DR

This paper presents a semantic task-to-scope matching model for delegated authorization in AI agents, introducing ASTRA dataset for benchmarking and highlighting current limitations and future research directions.

Contribution

It introduces a novel semantic matching model for constrained authorization and provides the first dataset, ASTRA, for benchmarking such authorization flows.

Findings

Model shows potential for semantic matching in authorization.

Limitations increase with more scopes needed for tasks.

Highlights need for improved semantic matching techniques.

Abstract

Authorizing Large Language Model driven agents to dynamically invoke tools and access protected resources introduces significant risks, since current methods for delegating authorization grant overly broad permissions and give access to tools allowing agents to operate beyond the intended task scope. We introduce and assess a delegated authorization model enabling authorization servers to semantically inspect access requests to protected resources, and issue access tokens constrained to the minimal set of scopes necessary for the agents' assigned tasks. Given the unavailability of datasets centered on delegated authorization flows, particularly including both semantically appropriate and inappropriate scope requests for a given task, we introduce ASTRA, a dataset and data generation pipeline for benchmarking semantic matching between tasks and scopes. Our experiments show both the potential and current limitations of model-based matching, particularly as the number of scopes needed for task completion increases. Our results highlight the need for further research into semantic matching techniques enabling intent-aware authorization for multi-agent and tool-augmented applications, including fine-grained control, such as Task-Based Access Control (TBAC).