# Actor Interfaces Guide

## Overview
The Open Agent Auth framework provides five actor interfaces that define the core responsibilities of different roles in the Agent Operation Authorization Protocol (AOA). Each actor is an independent entity with encapsulated state and behavior, following the Actor Model pattern.
## Actor Architecture

```text
+-------------------------------------------------------------------+
|                      Framework Layer Actors                       |
+-------------------------------------------------------------------+
|                                                                   |
|   +--------------+   +----------------+   +----------------+      |
|   |    Agent     |   | ResourceServer |   |  AuthzServer   |      |
|   |   (Client)   |   |    (Server)    |   |    (Server)    |      |
|   +--------------+   +----------------+   +----------------+      |
|                                                                   |
|   +--------------+   +----------------+                           |
|   |   User IDP   |   |   Agent IDP    |                           |
|   |   (Server)   |   |    (Server)    |                           |
|   +--------------+   +----------------+                           |
|                                                                   |
+-------------------------------------------------------------------+
```

## Actor Responsibilities
| Actor | Role | Primary Responsibility |
|---|---|---|
| Agent | Client | Manages authorization requests from the agent side |
| ResourceServer | Server | Protects resources with five-layer verification |
| AuthorizationServer | Server | Issues Agent Operation Authorization Tokens (AOAT) |
| UserIdentityProvider | Server | Handles user authentication and ID Token issuance |
| AgentIdentityProvider | Server | Manages agent workload identities and WIT issuance |
## Agent Actor

### Overview
The Agent actor handles authorization requests from the agent side, managing the complete OAuth 2.0 flow with PAR extension. It orchestrates workload creation, OAuth client registration, PAR submission, and authorization context preparation.
### Key Methods

```java
public interface Agent extends FrameworkOAuth2TokenClient {
    // Start OIDC authorization flow
    String initiateAuthorization(InitiateAuthorizationRequest request);

    // Issue Workload Identity Token (WIT)
    WorkloadContext issueWorkloadIdentityToken(IssueWitRequest request);

    // Register OAuth client via DCR (Agent role)
    DcrResponse registerOAuthClient(WorkloadContext workloadContext);

    // Submit Pushed Authorization Request
    ParResponse submitParRequest(ParSubmissionRequest request);

    // Generate authorization redirect URL
    String generateAuthorizationUrl(String requestUri);
    String generateAuthorizationUrl(String requestUri, String state);

    // Handle authorization callback
    AgentOperationAuthToken handleAuthorizationCallback(AuthorizationResponse response);

    // Prepare authorization context for tool execution
    AgentAuthorizationContext prepareAuthorizationContext(PrepareAuthorizationContextRequest request);

    // Clean up resources
    void clearAuthorizationContext(WorkloadContext workloadContext);
}
```

### Usage Example
```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

@Service
public class AgentService {

    private static final SecureRandom RANDOM = new SecureRandom();

    @Autowired
    private Agent agent;

    public String initiateAuthorizationFlow(String userId, String redirectUri) {
        // Step 1: Initiate authorization
        InitiateAuthorizationRequest request = InitiateAuthorizationRequest.builder()
                .redirectUri(redirectUri)
                .state(generateRandomState())
                .build();
        return agent.initiateAuthorization(request);
    }

    public AuthenticationResponse exchangeUserIdToken(String code, String state) {
        // Step 2: Exchange authorization code for ID Token
        ExchangeCodeForTokenRequest request = ExchangeCodeForTokenRequest.builder()
                .code(code)
                .state(state)
                .build();
        return agent.exchangeCodeForToken(request);
    }

    public WorkloadContext issueWorkloadIdentityToken(String idToken, String operationType) {
        // Step 3: Issue Workload Identity Token (WIT) bound to the user's ID Token
        IssueWitRequest request = IssueWitRequest.builder()
                .userIdentityToken(idToken)
                .context(AgentRequestContext.builder()
                        .operationType(operationType)
                        .resourceId("resource-123")
                        .metadata(Map.of("key", "value"))
                        .build())
                .build();
        return agent.issueWorkloadIdentityToken(request);
    }

    public DcrResponse registerOAuthClient(WorkloadContext workloadContext) {
        // Step 4: Register OAuth client using the workload context from step 3
        return agent.registerOAuthClient(workloadContext);
    }

    public ParResponse submitParRequest(WorkloadContext workloadContext,
                                        String operationProposal,
                                        Object evidence) {
        // Step 5: Submit PAR request
        ParSubmissionRequest request = ParSubmissionRequest.builder()
                .workloadContext(workloadContext)
                .operationProposal(operationProposal)
                .evidence(evidence)
                .build();
        return agent.submitParRequest(request);
    }

    public String generateAuthorizationUrl(String requestUri) {
        // Step 6: Generate authorization URL from the request_uri returned by PAR
        return agent.generateAuthorizationUrl(requestUri);
    }

    public AgentOperationAuthToken handleCallback(String code, String state) {
        // Step 7: Handle authorization callback
        AuthorizationResponse response = AuthorizationResponse.builder()
                .authorizationCode(code)
                .state(state)
                .build();
        return agent.handleAuthorizationCallback(response);
    }

    public AgentAuthorizationContext prepareContext(WorkloadContext workloadContext,
                                                    AgentOperationAuthToken aoat) {
        // Step 8: Prepare authorization context
        PrepareAuthorizationContextRequest request = PrepareAuthorizationContextRequest.builder()
                .workloadContext(workloadContext)
                .aoat(aoat)
                .build();
        return agent.prepareAuthorizationContext(request);
    }

    public void cleanup(WorkloadContext workloadContext) {
        // Step 9: Clean up resources
        agent.clearAuthorizationContext(workloadContext);
    }

    private static String generateRandomState() {
        // The state value must be unpredictable: it ties the callback to this
        // request so that the callback handler can reject forged responses.
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}
```

### Complete Workflow
```text
User          Agent          Agent User IDP        Agent IDP      Authorization Server          AS User IDP
  |             |                   |                  |                    |                        |
  |             | 1. initiateAuthorization()           |                    |                        |
  |             |------------------>|                  |                    |                        |
  |             | 2. exchangeUserIdToken()             |                    |                        |
  |             |<------------------|                  |                    |                        |
  |             | 3. issueWorkloadIdentityToken()      |                    |                        |
  |             |------------------------------------->|                    |                        |
  |             | 4. registerOAuthClient()             |                    |                        |
  |             |---------------------------------------------------------->|                        |
  |             | 5. submitParRequest()                |                    |                        |
  |             |---------------------------------------------------------->|                        |
  |             | 6. generateAuthorizationUrl()        |                    |                        |
  |             |---------------------------------------------------------->|                        |
  |             |                   |                  |                    | 7. authenticate()      |
  |             |                   |                  |                    |----------------------->|
  |             | 8. handleAuthorizationCallback()     |                    |                        |
  |             |---------------------------------------------------------->|                        |
  |             | 9. prepareAuthorizationContext()     |                    |                        |
  |             | 10. clearAuthorizationContext()      |                    |                        |
  |             |                   |                  |                    |                        |
```

## ResourceServer Actor
### Overview
The ResourceServer actor provides five-layer verification for incoming requests, ensuring comprehensive security validation before granting access to protected resources.
### Key Methods

```java
public interface ResourceServer {
    // Five-layer verification
    ValidationResult validateRequest(ResourceRequest request);

    // Log access attempts
    void logAccess(AuditLogEntry auditLog);
}
```

### Five-Layer Verification Architecture
Each layer must pass before the next one runs; a failure at any layer denies the request.

- **Layer 1: Workload Authentication (WIT validation)**
  - Validate WIT signature
  - Check WIT claims (iss, sub, exp, aud, cnf)
- **Layer 2: Request Integrity (WPT validation)**
  - Verify WPT signature using the WIT's public key
  - Check request integrity
- **Layer 3: User Authentication (AOAT validation)**
  - Validate AOAT signature
  - Extract user ID and policy ID
- **Layer 4: Identity Consistency**
  - Verify user-workload binding (user_id == workload.user)
- **Layer 5: Policy Evaluation**
  - Evaluate OPA policy with request context
  - Return authorization decision (allow/deny)

### Usage Example
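As an added illustration of Layers 1 and 2 (not the framework's own ResourceServer implementation), the following verifies a WIT under the Agent IDP signing key and then verifies the WPT under the key carried in the WIT's `cnf.jwk`, using the Nimbus JOSE+JWT library; the Agent IDP key, the expected issuer and the resource server's audience value are assumed inputs, and Layer 2's request-integrity hash check is left out.

```java
import java.time.Instant;
import java.util.Date;
import java.util.Map;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

// Added illustration of Layers 1 and 2; not the framework's ResourceServer code.
public final class WorkloadProofCheck {
    // Layer 1: the WIT must verify under the Agent IDP signing key (assumed already
    // fetched from its JWKS) and carry iss, sub, exp, aud and a cnf key.
    static JWTClaimsSet verifyWit(String wit, ECKey agentIdpKey,
                                  String expectedIss, String thisResourceServer) throws Exception {
        SignedJWT jwt = SignedJWT.parse(wit);
        if (!jwt.verify(new ECDSAVerifier(agentIdpKey))) {
            throw new SecurityException("Layer 1: WIT signature invalid");
        }
        JWTClaimsSet c = jwt.getJWTClaimsSet();
        Date exp = c.getExpirationTime();
        if (exp == null || !exp.toInstant().isAfter(Instant.now())) {
            throw new SecurityException("Layer 1: WIT expired or missing exp");
        }
        if (!expectedIss.equals(c.getIssuer()) || c.getSubject() == null
                || c.getAudience() == null || !c.getAudience().contains(thisResourceServer)
                || c.getJSONObjectClaim("cnf") == null) {
            throw new SecurityException("Layer 1: WIT iss/sub/aud/cnf check failed");
        }
        return c;
    }

    // Layer 2: the WPT must be signed by exactly the key bound in WIT.cnf.jwk, so a
    // WIT captured in transit is useless without the workload's private key.
    @SuppressWarnings("unchecked")
    static JWTClaimsSet verifyWpt(String wpt, JWTClaimsSet witClaims) throws Exception {
        Map<String, Object> cnf = witClaims.getJSONObjectClaim("cnf");
        ECKey boundKey = ECKey.parse((Map<String, Object>) cnf.get("jwk"));
        SignedJWT jwt = SignedJWT.parse(wpt);
        if (!jwt.verify(new ECDSAVerifier(boundKey))) {
            throw new SecurityException("Layer 2: WPT not signed by the WIT-bound key");
        }
        JWTClaimsSet c = jwt.getJWTClaimsSet();
        Date exp = c.getExpirationTime();
        if (exp == null || !exp.toInstant().isAfter(Instant.now())) {
            throw new SecurityException("Layer 2: WPT expired or missing exp");
        }
        return c;
    }
}
```

A caller runs `verifyWit` first and passes its claims to `verifyWpt`, so a WPT is never accepted before the WIT that binds its key has been checked.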
```java
@RestController
@RequestMapping("/api/resources")
public class ResourceController {

    @Autowired
    private ResourceServer resourceServer;

    @GetMapping("/{resourceId}")
    public ResponseEntity<?> getResource(
            @PathVariable String resourceId,
            @RequestHeader("X-Workload-Identity") String wit,
            @RequestHeader("X-Workload-Proof") String wpt,
            @RequestHeader("Authorization") String aoat) {

        // Build resource request
        ResourceRequest request = ResourceRequest.builder()
                .wit(wit)
                .wpt(wpt)
                .aoat(aoat)
                .resourceId(resourceId)
                .operation("read")
                .build();

        // Validate request using five-layer verification
        ValidationResult result = resourceServer.validateRequest(request);

        if (!result.isValid()) {
            // Log access attempt
            AuditLogEntry auditLog = AuditLogEntry.builder()
                    .userId(result.getUserId())
                    .workloadId(result.getWorkloadId())
                    .resourceId(resourceId)
                    .operation("read")
                    .decision(AuditDecision.DENIED)
                    .reason(result.getFailureReason())
                    .timestamp(Instant.now())
                    .build();
            resourceServer.logAccess(auditLog);

            return ResponseEntity.status(HttpStatus.FORBIDDEN)
                    .body("Access denied: " + result.getFailureReason());
        }

        // Access granted - return resource
        Object resource = getResourceById(resourceId);

        // Log successful access
        AuditLogEntry auditLog = AuditLogEntry.builder()
                .userId(result.getUserId())
                .workloadId(result.getWorkloadId())
                .resourceId(resourceId)
                .operation("read")
                .decision(AuditDecision.ALLOW)
                .timestamp(Instant.now())
                .build();
        resourceServer.logAccess(auditLog);

        return ResponseEntity.ok(resource);
    }
}
```

### Validation Result Structure
```java
public class ValidationResult {
    private boolean valid;
    private String userId;
    private String workloadId;
    private String failureReason;
    private Map<String, Object> layerResults;

    // Layer-specific validation results
    private boolean witValid;
    private boolean wptValid;
    private boolean aoatValid;
    private boolean identityConsistent;
    private boolean policyAllowed;
}
```

## AuthorizationServer Actor

### Overview
The AuthorizationServer actor handles authorization requests, manages user authorization, and issues Agent Operation Authorization Tokens (AOAT). It implements OAuth 2.0 Dynamic Client Registration (DCR) and Pushed Authorization Request (PAR) protocols.
### Key Methods

```java
public interface AuthorizationServer extends FrameworkOAuth2TokenClient, FrameworkOAuth2TokenServer {
    // Process Pushed Authorization Request
    ParResponse processParRequest(ParRequest parRequest);

    // Issue Agent Operation Authorization Token
    AgentOperationAuthToken issueAoat(AoatIssuanceRequest request);

    // Register OAuth client via DCR (Authorization Server role)
    DcrResponse registerOAuthClient(String clientAssertion, List<String> redirectUris);
}
```

### Usage Example
```java
@Service
public class AuthorizationService {

    @Autowired
    private AuthorizationServer authorizationServer;

    public DcrResponse registerOAuthClient(String wit, List<String> redirectUris) {
        // Register OAuth client using DCR; the WIT serves as the client assertion
        return authorizationServer.registerOAuthClient(wit, redirectUris);
    }

    public ParResponse processParRequest(ParRequest request) {
        // Process PAR request
        return authorizationServer.processParRequest(request);
    }

    public AgentOperationAuthToken issueAoat(AoatIssuanceRequest request) {
        // Issue Agent Operation Authorization Token
        return authorizationServer.issueAoat(request);
    }
}
```

### DCR Workflow
```text
Agent                  Authorization Server              JWKS Endpoint
  |                              |                             |
  |  1. registerOAuthClient(WIT) |                             |
  |----------------------------->|                             |
  |                              |  2. Get public key          |
  |                              |---------------------------->|
  |                              |  3. Return public key       |
  |                              |<----------------------------|
  |                              |                             |
  |                              |  4. Validate WIT            |
  |                              |  5. Register client         |
  |                              |     (client_id = WIT.sub)   |
  |                              |                             |
  |  6. Return DcrResponse       |                             |
  |<-----------------------------|                             |
```

## UserIdentityProvider Actor

### Overview
The UserIdentityProvider actor handles user authentication and ID Token issuance. Both Agent User IDP and AS User IDP implement this interface with their specific authentication strategies.
### Key Methods

```java
public interface UserIdentityProvider extends FrameworkOAuth2TokenServer {
    // Authenticate user and issue ID Token
    AuthenticationResponse authenticate(AuthenticationRequest request);
}
```

### Usage Example
```java
@Service
public class UserAuthenticationService {

    @Autowired
    private UserIdentityProvider userIdentityProvider;

    public AuthenticationResponse authenticateUser(String username, String password) {
        AuthenticationRequest request = AuthenticationRequest.builder()
                .username(username)
                .password(password)
                .build();
        return userIdentityProvider.authenticate(request);
    }
}
```

### Authentication Flow
```text
Client                  User IDP Service                 Core Module
  |                             |                             |
  |  1. authenticate(request)   |                             |
  |---------------------------->|                             |
  |                             |  2. Validate credentials    |
  |                             |---------------------------->|
  |                             |  3. Return IdToken          |
  |                             |<----------------------------|
  |                             |                             |
  |                             |  4. Format Response         |
  |  5. Return AuthResponse     |                             |
  |<----------------------------|                             |
```

## AgentIdentityProvider Actor

### Overview
The AgentIdentityProvider actor manages agent workload identities and issues Workload Identity Tokens (WIT). It extends standard WIMSE Workload IDP capabilities with agent-specific functionality.
### Key Methods

```java
public interface AgentIdentityProvider {
    // Create agent workload
    WorkloadInfo createAgentWorkload(String idToken, AgentRequestContext context);

    // Issue Workload Identity Token
    WorkloadIdentityToken issueWit(String agentWorkloadId);
    WorkloadIdentityToken issueWit(IssueWitRequest request);

    // Revoke agent workload
    void revokeAgentWorkload(String agentWorkloadId);

    // Get agent workload information
    WorkloadInfo getAgentWorkload(String agentWorkloadId);
}
```

### Usage Example
```java
@Service
public class AgentWorkloadService {

    @Autowired
    private AgentIdentityProvider agentIdentityProvider;

    public WorkloadInfo createWorkload(String idToken, String operationType) {
        AgentRequestContext context = AgentRequestContext.builder()
                .operationType(operationType)
                .resourceId("resource-123")
                .metadata(Map.of("key", "value"))
                .build();
        return agentIdentityProvider.createAgentWorkload(idToken, context);
    }

    public WorkloadIdentityToken issueWit(String workloadId) {
        return agentIdentityProvider.issueWit(workloadId);
    }

    public void revokeWorkload(String workloadId) {
        agentIdentityProvider.revokeAgentWorkload(workloadId);
    }
}
```

### WIT Structure
```json
{
  "iss": "wimse://example.com",
  "sub": "agent-instance-123",
  "exp": 1704067200,
  "jti": "wit-abc123",
  "cnf": {
    "jwk": {
      "kty": "EC",
      "crv": "P-256",
      "x": "...",
      "y": "..."
    }
  }
}
```

The `cnf.jwk` claim is the proof-of-possession key: the ResourceServer uses it in Layer 2 to verify the WPT, so a WIT alone does not authenticate a request.

## Actor Interactions

### Complete AOA Flow with All Actors
1. Agent initiates user authentication: `AgentAapExecutor.initiateUserAuth()` → Agent User IDP
2. Agent exchanges authorization code for ID Token: `AgentAapExecutor.exchangeUserIdToken()` → Agent User IDP
3. Agent requests authorization URL: `AgentAapExecutor.requestAuthUrl()` → AgentIdentityProvider
   - Creates workload, issues WIT, registers OAuth client
   - Submits PAR, generates authorization URL
4. User authenticates and authorizes: AuthorizationServer → UserIdentityProvider
5. Agent exchanges authorization code for AOAT: `AgentAapExecutor.exchangeAgentAuthToken()` → AuthorizationServer
6. Agent builds authorization context: `AgentAapExecutor.buildAuthContext()`
7. ResourceServer validates request: `ResourceServer.validateRequest()`
8. Agent cleans up resources: `AgentAapExecutor.cleanup()` → AgentIdentityProvider

## Best Practices

### 1. Always Clean Up Resources
```java
try {
    // Perform authorization flow
    AgentAuthorizationContext context = agent.prepareAuthorizationContext(request);
    // Use context
} finally {
    // Always clean up, even when the flow throws
    agent.clearAuthorizationContext(workloadContext);
}
```

### 2. Validate Input Parameters
```java
public WorkloadContext issueWorkloadIdentityToken(
        OperationRequestContext context,
        AgentUserBindingProposal proposal,
        String oauthClientId) {
    Objects.requireNonNull(context, "Context must not be null");
    Objects.requireNonNull(proposal, "Proposal must not be null");
    Objects.requireNonNull(oauthClientId, "OAuth client ID must not be null");

    return agent.issueWorkloadIdentityToken(IssueWitRequest.builder()
            .context(context)
            .proposal(proposal)
            .oauthClientId(oauthClientId)
            .build());
}
```

### 3. Handle Exceptions Gracefully
```java
try {
    ValidationResult result = resourceServer.validateRequest(request);
} catch (FrameworkValidationException e) {
    log.error("Validation failed", e);
    throw new AuthorizationException("Unable to validate request", e);
}
```

### 4. Log Security Events
```java
AuditLogEntry auditLog = AuditLogEntry.builder()
        .userId(userId)
        .workloadId(workloadId)
        .resourceId(resourceId)
        .operation(operation)
        .decision(decision)
        .timestamp(Instant.now())
        .build();
resourceServer.logAccess(auditLog);
```

## Related Documentation
- Framework Layer Overview
- Executor Interfaces Guide
- Spring Boot Controllers Guide
- User Guide
- Configuration Guide
Version: 0.1.0-beta.1-SNAPSHOT
Last Updated: 2026-02-08
