[Extension]: OID4VP for In-Task Authorization

[AlexanderShenshin]

Motivation

Currently, A2A relies on standard web security schemes (OAuth2, APIKey, mTLS). While these effectively handle Service Identity and Access Control, they have limitations regarding Decentralized Trust:

• Permissions vs. Qualifications: OAuth 2.0 Access Tokens typically assert that an agent is allowed to access a resource (e.g., scope: "tasks.read"). They do not easily prove inherent qualifications, certifications, or regulatory status of the agent itself (e.g., "This agent is a Licensed Financial Advisor").
• Centralization Bottlenecks: To validate an agent's qualifications via standard OAuth, the Authorization Server must be the single source of truth for all claims. This limits the ability of agents to present proofs issued by third parties (e.g., government bodies) without complex federation.
• Static Trust: Authorization often happens at the connection level. There is no standard flow for "step-up" verification where a specific Task requires the agent to present a specific credential dynamically.
• Interop with Verifiable Credentials the users may already have: There is no way for an Agent to leverage VCs or mdocs that the user may already have in his wallet (such as Google Wallet or Apple Wallet) as part of general adoption of VCs and decentralized identity and corresponding regulations (such as eIDAS2/EUDI in EU, mDL/mdoc in US, etc.)

Extension concept

We propose to extend auth options in A2A protocol to support Verifiable Credentials (VCs) using the OID4VP (OpenID for Verifiable Presentations), specifically by supporting OID4VP as one of In-Task Authorization mechanisms.

This would also enable Just-In-Time (JIT) authorization – server can dynamically request information from specific VCs during a Task execution without breaking the protocol flow.
Please see Additional context section for benefits overview.

Proposed OID4VP In-Task Auth flow

sequenceDiagram
    participant C as A2A Client 
    participant S as A2A Server 
    participant V as OID4VP Verifier 
    participant W as OID4VP Wallet
    
    C -->> S: O-O-B Communication 
    S ->> C: Additional authorization needed<br/>Task status: TASK_STATE_AUTH_REQUIRED<br/>Message response with authorizationRequest object
    C ->> W: OID4VP Wallet invocation
    W ->> V: Requests Authorization Request 
    V ->> W: Authorization Request
    W ->> W: Requests End-User consent (if applicable)
    W ->> W: Creates a Verifiable Presentation (VP) that matches Authorization Request
    W ->> V: VP
    V ->> V: Verifies VP
    V ->> S: Approves task execution (out-of-band)
    S ->> C: Additional authorization passed<br/>Task status: TASK_STATE_WORKING<br/>(received via Task subscription or status polling)

Loading

Such integration of OID4VP can be supported as an extension and looks like a good "default" option for supporting VC-based auth and trust frameworks, while also having a potential to become one of the "common workflows" for A2A in future.
Use cases involving VCs and decentralized trust are expected to become more relevant in near future (eIDAS2/EUDI in EU, mDL/mdoc in US) and OID4VP standard is being widely adopted.

We published a draft version of OID4VP In-Task Authorization extension.

Any feedback is much appreciated!

Additional context

Benefits for A2A use cases

Decentralization & Vendor Neutrality

Reliance on centralized Authorization Servers creates a single point of failure and a trust bottleneck.

By using OID4VP and DIDs, trust is decoupled. An "Airline Agent" can verify a "Corporate Booking Agent" based on a credential issued by a totally different entity (e.g., a Travel Association), without pre-registering API keys or federating auth servers. OID4VP allows agents to cryptographically prove capabilities using credentials issued by third-party Trust Anchors (e.g., Governments, Regulatory Bodies) without the Verifier needing to integrate with those issuers directly.

Granular, Context-Aware Security (JIT)

Standard OAuth often results in over-privileged sessions where an agent is granted broad scopes (e.g., write:all) at connection time.

The JIT (Just-in-Time) flow allows for the Principle of Least Privilege. A session can start with low privileges, and the Server can request high-assurance credentials only when a specific sensitive task is requested (e.g., "Transfer Funds").

Bridging AI Agents with Human Wallets

Many high-value credentials (e.g., National IDs, Corporate Signing Keys) reside in human-controlled Digital Wallets, not on servers.

The JIT flow enables Human-in-the-Loop authentication. A Client Agent can receive a challenge, forward it to a user's mobile wallet for approval/signing, and return the result. This effectively allows an AI agent to act as a bridge to a human's legal identity.

Interoperability with modern Identity approaches and integration with existing Wallets

The VCs can be presented from various wallets (such as Google Wallet, Apple Wallet, etc.) which improves interoperability and enables conformance with modern digital identity patterns and regulations (such as eIDAS2 / EUDI).

Non-Repudiation & Auditability

API Key usage logs are mutable and difficult to prove in a dispute.

A Verifiable Presentation is cryptographically signed by the Holder and bound to a specific request nonce. This provides a non-repudiatable audit trail proving exactly which credential was presented for which task, essential for liability in autonomous agent networks.

Code of Conduct

• I agree to follow this project's Code of Conduct

[amye]

Discussed in 17 Feb's TSC meeting - we think this is a job for AI-Card! https://github.com/Agent-Card/ai-card

[The-Nexus-Guard]

This is a really well-framed proposal. The distinction between "permissions" (OAuth scopes) and "qualifications" (verifiable credentials about the agent itself) is exactly the gap that needs addressing.

The AI-Card pointer from @amye is relevant — and I think OID4VP and agent identity systems are complementary layers:

1. OID4VP handles credential presentation — "prove you have this qualification" at task-time
2. Agent identity (DIDs, keypairs) handles the underlying question — "who are you, cryptographically?" — which OID4VP builds on
3. Trust scoring (discussed in Feature: Trust scoring extension for agent-to-agent delegation #1501 and Proposal: Agent Identity Verification and Trust Framework #1497) provides the reputation layer — "should I trust this agent based on history?"

We've been building AIP which implements layer 2 — each agent gets a DID and keypair, signs interactions, and builds trust through vouch chains. OID4VP would be a natural extension for presenting verifiable credentials about an AIP-registered agent.

Practical question: for the in-task authentication flow you describe, would you envision the VP request happening during A2A task negotiation (before tasks/send), or as part of an extended handshake? The former seems cleaner but requires spec changes; the latter could work as an extension today.

[AlexanderShenshin]

@The-Nexus-Guard Thanks for this feedback and sharing related work (AIP and other proposals)!
It's great to see emerging decentralized identity solutions for agents ecosystem, I believe that all those pieces are complementary.

Regarding the question on in-task authentication flow - here we consider VP request (as other steps of OID4VP flow) happening as part of "In-Task Authentication" scope included in task execution. We can think about it as extended handshake for a task.

In principle, OID4VP flow can be integrated as part of top-level A2A session auth by leveraging OID4VP for OAuth authorization, but this is naturally out of scope of A2A itself.

[aeoess]

This maps directly to what we've built in the Agent Passport System. Your distinction between "permissions" (OAuth scopes) and "qualifications" (verifiable properties) is the exact gap our W3C VC layer addresses.

APS generates three VC types from protocol objects: passport VCs (agent identity + capabilities), delegation VCs (scoped authority chains), and floor attestation VCs (values compliance). These are standard W3C Verifiable Credentials with Ed25519 signatures — any OID4VP verifier can consume them.

The in-task authorization flow you describe (agent presents VCs mid-conversation) works with our createVerifiablePresentation() — agent bundles relevant VCs into a VP, signs it, and the receiving agent verifies without a central authority.

Running implementation: npm install agent-passport-system (v1.21.4, 1183 tests). The VC layer has 10 dedicated tests including adversarial scenarios (tampered VCs, expired credentials, holder mismatch in presentations).

Would be interested in mapping your OID4VP extension to our existing VC types — the credential schemas might be directly compatible.