Delegated Authorization for Agents Constrained to Semantic Task-to-Scope Matching
The work addresses security risks in multi-agent and tool-augmented applications by enabling intent-aware authorization, though the contribution is incremental because it builds on existing concepts such as Task-Based Access Control.
The paper tackles the problem of overly broad permissions when authorizing LLM-driven agents to access protected resources. It introduces a delegated authorization model that constrains access tokens to the minimal necessary scopes, based on semantic task-to-scope matching. It also presents ASTRA, a dataset for benchmarking this matching, with experiments showing the limitations of model-based matching as the number of scopes needed for a task increases.
Authorizing Large Language Model driven agents to dynamically invoke tools and access protected resources introduces significant risks, since current methods for delegating authorization grant overly broad permissions and give access to tools allowing agents to operate beyond the intended task scope. We introduce and assess a delegated authorization model enabling authorization servers to semantically inspect access requests to protected resources, and issue access tokens constrained to the minimal set of scopes necessary for the agents' assigned tasks. Given the unavailability of datasets centered on delegated authorization flows, particularly including both semantically appropriate and inappropriate scope requests for a given task, we introduce ASTRA, a dataset and data generation pipeline for benchmarking semantic matching between tasks and scopes. Our experiments show both the potential and current limitations of model-based matching, particularly as the number of scopes needed for task completion increases. Our results highlight the need for further research into semantic matching techniques enabling intent-aware authorization for multi-agent and tool-augmented applications, including fine-grained control, such as Task-Based Access Control (TBAC).
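The authorization-server decision described in the abstract, as an added Python example that is not the paper's implementation or the ASTRA pipeline. The scope names, the catalog, the sample tasks and the clause-level keyword matcher are all constructed assumptions; the keyword matcher is a simple stand-in for the model-based semantic matcher, kept pluggable so a model could replace it.

```python
import re

# Constructed catalog (hypothetical scope names): action verbs, resource nouns.
SCOPES = {
    "calendar.read":  ({"read", "list", "check"}, {"calendar", "event", "meeting"}),
    "calendar.write": ({"create", "schedule", "delete"}, {"calendar", "event", "meeting"}),
    "mail.read":      ({"read", "search"}, {"mail", "email", "inbox"}),
    "mail.send":      ({"send", "reply"}, {"mail", "email"}),
    "files.delete":   ({"delete", "remove"}, {"file", "document"}),
}

def words(text):
    """Lowercased word set with a crude plural strip."""
    return {w.rstrip("s") for w in re.findall(r"[a-z]+", text.lower())}

def keyword_match(task, scope):
    """Stand-in matcher: an action verb and a resource noun must share a clause."""
    actions, resources = SCOPES[scope]
    for clause in re.split(r"[,;.]|\band\b|\bthen\b", task.lower()):
        w = words(clause)
        if w & actions and w & resources:
            return True
    return False

def issue_token(task, requested, matcher=keyword_match):
    """Grant only requested scopes that are registered and matched to the task."""
    # Unregistered scopes are denied without consulting the matcher (fail closed).
    granted = [s for s in requested if s in SCOPES and matcher(task, s)]
    denied = [s for s in requested if s not in granted]
    return {"scope": " ".join(granted), "denied": denied}

def score(labelled, matcher=keyword_match):
    """Precision and recall over (task, scope, needed) pairs."""
    tp = sum(1 for t, s, y in labelled if y and matcher(t, s))
    fp = sum(1 for t, s, y in labelled if not y and matcher(t, s))
    fn = sum(1 for t, s, y in labelled if y and not matcher(t, s))
    return (tp / (tp + fp) if tp + fp else 1.0,
            tp / (tp + fn) if tp + fn else 1.0)

# Constructed samples: appropriate and inappropriate scope requests per task.
TASK = "Check my calendar for tomorrow, then send an email with the summary."
LABELLED = [
    (TASK, "calendar.read", True),
    (TASK, "mail.send", True),
    (TASK, "calendar.write", False),
    (TASK, "files.delete", False),
    # Paraphrase with no listed verb: the keyword stand-in misses it.
    ("Get rid of the old quarterly report documents", "files.delete", True),
]
```

The missed paraphrase in the last sample is the kind of case that motivates a semantic matcher over keyword rules; any replacement passed as `matcher` keeps the same grant and deny logic.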