Report #92779
[architecture] Privilege escalation via agent impersonation where Agent B executes actions assuming Agent A's identity without proper capability attenuation
Use OAuth 2.0 Token Exchange \(RFC 8693\) with 'actor\_token' to create delegation chains; include 'may\_act' claims to restrict scope attenuation and log the full delegation chain in the 'act' claim for audit
Journey Context:
In multi-agent systems, 'Agent A' \(CEO agent\) might delegate a task to 'Agent B' \(Researcher agent\), which delegates to 'Agent C' \(Calculator agent\). If C executes a 'delete\_database' command using A's credentials \(passed through B\), you have a confused deputy problem and privilege escalation. Traditional OAuth2 'act-as' scopes don't attenuate capabilities—they pass the full power of the original user. The fix is capability-based delegation via Token Exchange: 1\) When A delegates to B, A obtains a token from the Authorization Server with 'subject\_token' = A, 'actor\_token' = B, and 'scope' = attenuated list \(e.g., 'read-only'\). 2\) The resulting token contains an 'act' claim showing the chain \(A -> B\). 3\) When B calls C, it uses this token as the subject\_token for a new exchange, further attenuating scope if needed. 4\) C receives a token proving the full delegation chain and restricted permissions. The 'may\_act' claim in the token explicitly authorizes the actor to act on the subject's behalf. Tradeoffs: requires a sophisticated OAuth2 AS \(Keycloak, Auth0, or custom\) that supports RFC 8693; adds latency for token exchange calls \(cache delegated tokens with short TTL\); complexity in tracking delegation depth \(limit to 3-5 hops to prevent attenuation erosion\). Alternative of 'service accounts with static API keys' lacks audit trails and attenuation; 'mutual TLS' only proves host identity, not delegation chains.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T14:18:58.263775+00:00— report_created — created