Components of an on-behalf-of delegation pattern
While at the OAuth Security Workshop (Feb 2025) and, more recently, the Internet Identity Workshop (April 2025), I had multiple conversations around delegated authorization, and especially the on-behalf-of use case. These ranged from personal conversations over drinks to more formally organized discussions as “un-conference” sessions (thanks to @Dean Saxe and @Mark Haines for running those).
There is much yet to distill from those conversations, but I wanted to share a few thoughts that crystallized as the discussions unfolded. Here are some key characteristics for the on-behalf-of use case.
Where I think this gets really interesting is in everyday use cases like the following…
I’d like to delegate authority to my daughter to use my Costco card so that she can do the shopping for me this week. At our local Costco stores, they scan every card at the entrance and compare the image on the card with the person presenting it. This raises the question: how do I create such a delegation policy so that it can be presented at the entrance to a Costco store and be accepted as valid?
It would be nice to be able to leverage digital credentials for this, though I know of no ongoing work to try to spec out how that might be possible. I want the delegation to have the following properties:
I realize we (the global we) haven’t designed (or applied) standards for even the basic on-behalf-of use cases. However, I don’t think we should limit ourselves to just the simple use cases; rather, we should define mechanisms that will work for future needs as well. I’d love to hear your thoughts in the comments!
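To make the entrance check concrete, here is an added example (not code from this post, nor from any workshop or working group mentioned in it) of the on-behalf-of chain in Go using Ed25519 from the standard library. The store signs a membership credential that binds the member's key and a hash of the card photo; the member signs a delegation that names the delegatee's key and photo hash, one scope and an expiry; the verifier at the door walks store -> member -> delegatee, demands proof of possession of the delegatee key against a fresh challenge, checks scope and expiry, and records both parties for later explanation. The credential formats, field names, the "photo hash" stand-in for the staff comparing the card image with the person present, and all sample values are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Membership is the store's credential: a member ID bound to the member's signing
// key and to a hash of the photo on the card (constructed toy format, not a real one).
type Membership struct {
	MemberID  string
	MemberKey []byte // Ed25519 public key of the card holder
	PhotoHash string
}

type SignedMembership struct {
	Credential Membership
	IssuerSig  []byte // store's signature over canonical(Credential)
}

// Delegation is the member's own statement: who may act for them, bound to the
// delegatee's key and photo, limited to one scope and an expiry.
type Delegation struct {
	DelegatorID, DelegateeID string
	DelegateeKey             []byte // Ed25519 public key of the person acting on the member's behalf
	DelegateePhotoHash       string // lets door staff compare the person present with the delegatee
	Scope                    string // e.g. "store-entry"
	NotAfter                 int64  // Unix seconds
}

type SignedDelegation struct {
	Grant        Delegation
	DelegatorSig []byte // member's signature over canonical(Grant)
}

// AuditRecord names both parties so the verifier can later explain the transaction.
type AuditRecord struct{ Delegator, Delegatee, Scope string }

// canonical gives the bytes that get signed; struct field order is fixed, so signer and verifier agree.
func canonical(v interface{}) []byte {
	b, _ := json.Marshal(v) // plain structs of strings, bytes and ints cannot fail to encode
	return b
}

func IssueMembership(issuer ed25519.PrivateKey, m Membership) SignedMembership {
	return SignedMembership{Credential: m, IssuerSig: ed25519.Sign(issuer, canonical(m))}
}

func Delegate(member ed25519.PrivateKey, d Delegation) SignedDelegation {
	return SignedDelegation{Grant: d, DelegatorSig: ed25519.Sign(member, canonical(d))}
}

// verifyKey adds the length check that ed25519.Verify would otherwise panic on.
func verifyKey(key, msg, sig []byte) bool {
	return len(key) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(key), msg, sig)
}

// VerifyEntrance is the check at the door. nonce is the verifier's own fresh challenge,
// possession is the presenter's signature over it, and photoHash stands in for the staff
// comparing the person present with the photo the delegation names.
func VerifyEntrance(issuerPub ed25519.PublicKey, card SignedMembership, grant SignedDelegation,
	nonce, possession []byte, photoHash, action string, now int64) (AuditRecord, error) {
	m, g := card.Credential, grant.Grant
	switch {
	case !verifyKey(issuerPub, canonical(m), card.IssuerSig):
		return AuditRecord{}, errors.New("membership was not issued by this store")
	case g.DelegatorID != m.MemberID:
		return AuditRecord{}, errors.New("delegation does not come from the card holder")
	case !verifyKey(m.MemberKey, canonical(g), grant.DelegatorSig):
		return AuditRecord{}, errors.New("delegation signature does not verify under the member key")
	case now > g.NotAfter:
		return AuditRecord{}, errors.New("delegation has expired")
	case g.Scope != action:
		return AuditRecord{}, fmt.Errorf("delegation scope %q does not cover %q", g.Scope, action)
	case !verifyKey(g.DelegateeKey, nonce, possession):
		return AuditRecord{}, errors.New("presenter did not prove possession of the delegatee key")
	case photoHash != g.DelegateePhotoHash:
		return AuditRecord{}, errors.New("person at the door does not match the delegatee")
	}
	return AuditRecord{Delegator: m.MemberID, Delegatee: g.DelegateeID, Scope: g.Scope}, nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader) // the store
	memberPub, memberPriv, _ := ed25519.GenerateKey(rand.Reader) // the card holder
	daughterPub, daughterPriv, _ := ed25519.GenerateKey(rand.Reader)
	card := IssueMembership(issuerPriv, Membership{MemberID: "member-123", MemberKey: memberPub, PhotoHash: "photo:member"})
	grant := Delegate(memberPriv, Delegation{DelegatorID: "member-123", DelegateeID: "daughter", DelegateeKey: daughterPub,
		DelegateePhotoHash: "photo:daughter", Scope: "store-entry", NotAfter: time.Now().Add(7 * 24 * time.Hour).Unix()})
	nonce := []byte("door-challenge-0001") // constructed; a real verifier draws a fresh random one per visit
	possession := ed25519.Sign(daughterPriv, nonce)
	fmt.Println(VerifyEntrance(issuerPub, card, grant, nonce, possession, "photo:daughter", "store-entry", time.Now().Unix()))
}
```

Two design points worth noting: the delegation is signed by the member's own key, the same key the store bound in the membership, so the store never has to know about the daughter in advance; and the verifier only accepts a signature over a challenge it generated itself, so a captured presentation cannot be replayed at the door by someone else holding the credentials. The returned AuditRecord is what would let the store later say "X entered on behalf of Y under a grant scoped to store entry".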
P.S. For those interested, there is work happening around this topic in
Thanks for this. Curious if a key characteristic would be that the verifier could see information about both parties in the transaction (e.g., X is acting on behalf of Y) and then record that in case they needed to explain the circumstances of the transaction (e.g., Y looked at X's medical record and that was permitted because Y could prove delegation)?
Identity @ Zillow
7mo: We have quite a few different use cases in the real estate industry, where there are fiduciaries acting on behalf of a buyer or seller, and where a delegated authorization can then be further delegated in case one of these fiduciaries goes on vacation. I'm starting to think more and more around this use case and how it applies to our business model.
CEO @ WebBadge.com (Beta 🆙) | 2x Technical Solo-Founder | 1% for the Planet Member | Early Investors, Founding Team Members & Strategic Partners Welcome | Webby Honoree • Lovie Shortlist • Davey🥈 | Qualcomm & UCSD Alum
7mo: +1 to “leverage digital credentials” to grant authority! Similar to how “something you know” (like a password or PIN), “something you have” (like a smartphone or security token), and “something you are” (like a fingerprint or facial recognition) are used for #MFA, “what you have” (like verifiable credentials or badges) is used for authorization—on the frontend. 💡On the backend, how much can we leverage #AI to dynamically interpret, design, and implement authorization policies, conditions, and constraints—given how Costco, Sam’s Club, and other memberships may vary in policies and options regarding what’s acceptable? #ConsumerAuthorization #Authorization
trustregistry.us = No Human Left Behind. Let's fix this now!
7mo: Kantara is currently focused on delegation for disadvantaged users. The point is to raise inclusion for digital public infrastructure to all humans. Comments welcomed. I see lots of synergy with George's approach. https://docs.google.com/document/d/1uGJkFPUuHtj_hFJsOrEQ7qHxTfBocPmN/edit?usp=sharing&ouid=109794657323597753486&rtpof=true&sd=true
Well, a credential may be a way, but we currently solve exactly this use case for another large retailer using essentially Attribute-enhanced ReBAC. This is quite typical of Relationship-based and Context-based access control. And so is B2B, B2B2C!