Internet-Draft OAuth Mission Expansion July 2026
McGuinness Expires 8 January 2027 [Page]
Workgroup:
Web Authorization Protocol
Internet-Draft:
draft-mcguinness-oauth-mission-expansion-latest
Published:
Intended Status:
Standards Track
Expires:
Author:
K. McGuinness
Independent

Mission Expansion for OAuth 2.0

Abstract

Mission-Bound Authorization for OAuth 2.0 commits a Mission's authority at a single approval event and defers widening: enlarging authority requires a new approval, a successor Mission. This document defines that successor mechanism as an OPTIONAL, layered extension to the issuance profile. When an action falls outside an active Mission's Authority Set but the deployment's governance policy permits widening, a client initiates expansion: it submits a new Mission Intent through Pushed Authorization Requests, bound to the predecessor Mission's grant, and a fresh approval event records a successor Mission. The successor carries a predecessor member on its mission claim linking it to the Mission it replaces; on the successor's activation the predecessor enters a terminal superseded state. Expansion never widens authority without a new consent: the successor's authority comes only from its own approval. A deployment that never expands a Mission is unaffected by this document.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-oauth-mission-expansion.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-mcguinness-oauth-mission-expansion/.

Source for this draft and an issue tracker can be found at https://github.com/mcguinness/mission-bound-authorization.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 8 January 2027.

Table of Contents

1. Introduction

Mission-Bound Authorization for OAuth 2.0 [I-D.draft-mcguinness-oauth-mission] (the "issuance profile") makes a Mission a first-class OAuth artifact: a structured, human-approved, integrity-bound task whose authority bounds and outlives every token an agent derives. It commits the Authority Set once, at the approval event, and deliberately defines no mid-stream authorization upgrade. As that profile states, widening authority requires a new approval, a successor Mission, as specified by this companion profile.

This document is that successor mechanism. A task an agent pursues does not always stay within the authority approved for it: the agent encounters an action the approved Authority Set does not cover, yet one the deployment's governance policy would permit under a fresh consent. Expansion is the governed path from that shortfall to a new approval. It does not patch or widen the existing Mission; it creates a new Mission, through the issuance profile's own flow, linked to the one it replaces.

The mechanism reuses the issuance profile end to end. An expansion is a new Mission Intent submitted through Pushed Authorization Requests ([RFC9126]), bound to the predecessor Mission's grant, leading to a fresh approval event ([I-D.draft-mcguinness-oauth-mission]) with its own intent_hash, authority_hash, and Mission record. The successor's authority comes only from that approval. This document adds exactly three things on top of the issuance profile: a way to bind an expansion request to the predecessor it expands; a predecessor lineage member on the resulting Mission; and a terminal superseded predecessor state with the reconciliation rules that keep concurrent expansions consistent.

1.1. Status: an OPTIONAL extension

This document is OPTIONAL. It is a layered extension to the issuance profile, not a change to it. A deployment that implements [I-D.draft-mcguinness-oauth-mission] and never expands a Mission is fully conformant to that profile and is unaffected by this document: it issues no expansion request, records no predecessor member, and never enters the superseded state this document introduces. The issuance profile's lifecycle (active, revoked, expired) is complete without expansion; the superseded state defined here (Section 7) is relevant only when expansion is used.

A Mission Issuer claims conformance to this document only when it adjudicates expansion; otherwise it remains a plain issuance-profile Mission Issuer. Nothing here places a new requirement back on the issuance profile.

1.2. Expansion is not step-up

Expansion is a governance operation. It is distinct from authentication step-up [RFC9470]. A request denied because an acr or amr constraint requires fresh authentication is satisfied by step-up, not by expansion: the Authority Set does not change. A request denied because the requested authority is not in the active Mission's Authority Set requires expansion: the Authority Set must be enlarged through a new approval event. The two are not interchangeable; Section 13.4 treats the security consequence of conflating them.

1.3. Relationship to the issuance profile

This document depends normatively on the issuance profile and is not implementable alone. It reuses, without restating, that profile's Mission Intent, submission via PAR, authority derivation, approval event with its integrity anchors, Mission record, the mission claim, the subset rule, and the lifecycle and issuance gating. It uses the terms Agent (Client), Subject, Approver, Mission Issuer, Mission Intent, Authority Set, Mission, and derived token as defined there.

Where this document refers to "the issuance profile" without a section, it means [I-D.draft-mcguinness-oauth-mission] as a whole.

1.4. Scope

This document defines:

  • the expansion request: how a client initiates a successor Mission and how that request is bound to the predecessor's grant (Section 4);

  • the predecessor lineage member on the successor's mission claim and Mission record (Section 6);

  • the terminal superseded predecessor state and its transition (Section 7);

  • replacement expansion as the mode, with branch expansion deferred (Section 8);

  • concurrent-expansion reconciliation, with a closed set of reconciliation status codes (Section 9); and

  • the expansion denial reasons (Section 10).

This document does NOT define:

  • a way to widen an existing Mission in place; expansion always creates a new Mission;

  • runtime per-action enforcement or the classification of a denial as expansion-eligible; that is the runtime layer's concern (Section 3.2, [I-D.draft-mcguinness-mission-runtime]);

  • branch expansion, in which predecessor and successor both remain active (Section 8);

  • multi-hop or cross-domain expansion; an expansion is adjudicated by the predecessor's Mission Issuer (its issuer); or

  • policy-adjudicated expansion within a pre-consented authority ceiling; that is progressive authorization, defined by an experimental companion ([I-D.draft-mcguinness-oauth-mission-progressive]). Under this document alone, every expansion is adjudicated by a fresh human approval.

2. Conventions and Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

All JSON shown in this document is non-normative and illustrative; the member definitions in the surrounding text are authoritative.

The following terms apply in addition to those inherited from the issuance profile (Section 1.3).

Predecessor Mission:

The active Mission an expansion enlarges. It is the baseline for the successor and is referenced by the successor's mission.predecessor member (Section 6).

Successor Mission:

The Mission a replacement expansion creates through a fresh approval event. It carries its own Authority Set, integrity anchors, and mission_id, and a predecessor member linking it to the predecessor (Section 6).

Expansion request:

A Mission Intent submitted via PAR, bound to a predecessor Mission's grant, that asks the Mission Issuer to adjudicate a successor (Section 4).

3. Expansion Overview

3.1. Protocol flow

 Agent (client)               Mission Issuer (AS)
     |                            |
     | denied: action outside     |
     | active Mission's authority |
     |                            |
     | 1. PAR: mission_intent +   | resolve predecessor
     |    predecessor grant -----> | from the grant;
     |    <----- request_uri ----- | gate predecessor active
     |                            |
     | 2. authorization request ->| fresh consent for the
     |                            | broader authority
     |    <-------- code --------- | -> successor active
     |                            |    -> predecessor
     |                            |       superseded (atomic)
     |                            |
     | 3. token request --------> | derive under successor
     |    <----- access token ---- | (mission.predecessor set)
     v

The shape is the issuance profile's own creation flow ([I-D.draft-mcguinness-oauth-mission]), with one addition at step 1: the request is bound to the predecessor Mission's grant, so the Mission Issuer adjudicates a successor of a specific predecessor rather than an unrelated new Mission. The fresh consent at step 2 is what supplies the broader authority; the successor's authority comes only from this approval.

3.2. Eligibility

A client initiates expansion after an action is denied because the requested authority is outside the active Mission's Authority Set and the deployment's governance policy permits widening it. This document does not define how a denial is classified as expansion-eligible; that classification belongs to the component that denies the action.

A Mission-aware Resource Server enforces the token's authority statelessly and refuses an out-of-bounds action with its usual insufficient-authority error ([I-D.draft-mcguinness-oauth-mission]). The runtime enforcement profile [I-D.draft-mcguinness-mission-runtime] is one source of an expansion-eligible denial: in that profile a deny is terminal for the attempted action, and the authority-expandable-denial escalation that turns such a deny into an expansion is named there as out of scope. This document defines that expansion. This document does not require any particular denial source: a client that knows, by any means, that an action needs authority the active Mission lacks MAY initiate expansion. Whether the Mission Issuer adjudicates a successor remains its decision (Section 5); an eligible denial is not an authorization in favor of expansion.

4. The Expansion Request

An expansion request is an ordinary Mission creation request under the issuance profile, with one added binding to the predecessor.

4.1. Submission via PAR

A client initiates an expansion exactly as it creates any Mission: it submits a Mission Intent through a Pushed Authorization Request ([RFC9126]) using the mission_intent request parameter, per [I-D.draft-mcguinness-oauth-mission]. The Mission Intent describes the broadened task: it carries the goal, resources, constraints, and controls the successor needs, including the authority the denied action required. The Mission Issuer derives the successor's Authority Set from this Intent and bounds it by policy exactly as for any Mission; this document adds no authority-derivation rule.

To mark the request as an expansion, the client additionally supplies the predecessor request parameter:

predecessor:

REQUIRED for an expansion request. A string. The mission_id of the predecessor Mission the successor expands. Its presence signals that this Mission creation is an expansion and names the predecessor whose mission.predecessor lineage member and superseded transition the Mission Issuer applies. It names the predecessor for cross-checking and audit; it does not by itself select or authorize one (the grant does, Section 4.2). The parameter is carried through PAR with mission_intent; like mission_intent, an AS MUST reject a predecessor value presented directly on a front-channel authorization request rather than through a PAR-issued request_uri with invalid_request.

predecessor_token:

REQUIRED for an expansion request. A string. The predecessor Mission's refresh token, presented as proof that the client controls the predecessor's grant. The Mission Issuer resolves the predecessor from this token and binds the expansion to it (Section 4.2); this value, not predecessor, selects the predecessor authoritatively. It is carried through PAR with mission_intent; an AS MUST reject a predecessor_token presented directly on a front-channel authorization request rather than through a PAR-issued request_uri with invalid_request. Because it carries a refresh token, it MUST be sent only on the client-authenticated PAR back channel and MUST NOT appear on any front channel.

The predecessor parameter names the predecessor but does not by itself authorize expanding it. Authorization comes from the grant binding of Section 4.2: a client MUST NOT be able to expand a Mission merely by naming its mission_id.

4.2. Binding the request to the predecessor's grant

The issuance profile binds a Mission to the authorization grant the Mission Issuer issues, and resolves the Mission from the grant the client presents, never from a client-supplied mission_id ([I-D.draft-mcguinness-oauth-mission], grant binding). An expansion request MUST be bound to the predecessor's grant the same way.

Because expansion runs as an interactive approval event, a PAR submission followed by an authorization-code flow (Section 5), the binding is established at the PAR submission, which is a client-authenticated back-channel request. In the same PAR request that carries mission_intent and predecessor, the client MUST present the predecessor Mission's refresh token in the predecessor_token parameter (Section 4.1). The Mission Issuer MUST resolve the predecessor from that refresh token, applying the same grant-to-Mission resolution the issuance profile uses for a presented refresh token, and MUST verify that the resolved Mission is the Mission named in predecessor.

Establishing the binding at PAR, before the approval event, is deliberate: the Mission Issuer resolves the predecessor from a real grant and confirms it is active and owned by this client before prompting the Approver. A client that merely names a mission_id it does not hold a grant for cannot reach the consent step, so expansion cannot be used to drive approval prompts against another party's Mission.

The grant, not the identifier, determines the predecessor. The Mission Issuer MUST refuse an expansion request whose predecessor value does not match the Mission resolved from the presented grant, with invalid_grant. A client that does not hold a grant for the named predecessor cannot present its refresh token and so cannot expand it.

Presenting the predecessor's refresh token in the PAR request MUST follow the issuance profile's handling for that token: a sender-constrained refresh token MUST be presented in conformance with its sender constraint. When the token is DPoP-bound [RFC9449], the PAR request MUST carry a DPoP proof bound to the PAR endpoint (its htu and htm); when it is mTLS-bound [RFC8705], the mutual-TLS connection of the PAR request satisfies the constraint. Presenting the token for expansion MUST NOT rotate it and MUST NOT register as a replay in the deployment's refresh-token replay detection: the token is used here only to bind and resolve the predecessor, not to refresh. The successor's authority still comes only from the fresh consent at the approval event, never from authority the binding token could itself derive.

Because expansion reuses the issuance profile's grant binding, it needs no opaque expansion ticket or other new bearer: the predecessor is identified and authorized by the grant the client already holds for it, and a client cannot name an arbitrary predecessor.

4.3. Predecessor must be active

The Mission Issuer MUST resolve the predecessor from the presented grant and verify it is in the active state before adjudicating. An expansion request against a predecessor that is not active MUST be refused with invalid_grant and a reconciliation status (Section 9):

  • if the predecessor made a terminal exit from active (it is revoked, expired, or already superseded, Section 7), the status is predecessor_state_changed;

  • if the predecessor is in a non-terminal non-active state, for example suspended where the Mission Status profile [I-D.draft-mcguinness-oauth-mission-status] is deployed, the status is predecessor_not_active.

Issuance gating in the issuance profile already refuses to derive from a non-active Mission; this rule extends the same gate to adjudicating an expansion of one.

5. Adjudication

Adjudication of an expansion is a fresh approval event under the issuance profile ([I-D.draft-mcguinness-oauth-mission]). The Mission Issuer runs the approval event as it does for any Mission, with the expansion-specific steps noted:

  1. Resolve the predecessor from the presented grant and verify it is the Mission named in predecessor and is active (Section 4.2, Section 4.3).

  2. Derive the successor's Authority Set from the submitted Mission Intent and bound it by policy, exactly as for any Mission. The successor's authority is whatever this derivation and the fresh consent yield; it is not the predecessor's authority plus a delta computed by this document. A deployment that wants the successor to retain the predecessor's authority expresses that authority in the expansion Mission Intent so the derivation reproduces it.

  3. Authenticate the Approver and obtain fresh consent for the derived Authority Set, satisfying any controls.acr, and render the Subject when the Approver is not the Subject, per the issuance profile's approval event. The consent disclosure MUST reflect the successor's authority being adjudicated. (The experimental progressive authorization companion defines a policy-adjudicated override of this step for expansions within a pre-consented ceiling, [I-D.draft-mcguinness-oauth-mission-progressive].)

  4. Compute the successor's integrity anchors (intent_hash, authority_hash) and create the successor Mission record in the active state, with its predecessor member set (Section 6), atomically with the predecessor's transition to superseded (Section 7).

The expansion is governed by the consent obtained at step 3. Expansion never widens authority without a new consent: if the Approver declines, no successor is created and the predecessor is untouched (Section 10).

5.1. Successor expiry

The successor's expires_at MUST NOT exceed the predecessor's expires_at unless the Mission Issuer's policy explicitly permits extension and the extension is disclosed to the Approver at the expansion consent event. Expansion is an authority-addition mechanism, not a lifetime-extension mechanism. The issuance profile caps every derived credential's exp at the Mission's expires_at; a successor that silently outlived its predecessor would let expansion launder a longer-lived Mission past the originally approved horizon.

6. The Predecessor Mission Reference

The successor records a lineage link to the predecessor as a predecessor member, both on the successor's mission claim and on the successor's Mission record.

The issuance profile's mission claim is an open object: additional members MAY appear alongside id, issuer, and authority_hash, each defined by the profile that introduces it, and a consumer MUST ignore members it does not understand and MUST NOT use any additional member to grant or widen authority ([I-D.draft-mcguinness-oauth-mission]). This document introduces one such member:

predecessor:

REQUIRED on a successor Mission; absent otherwise. A string. The mission_id of the Mission this Mission succeeded by expansion. Present on every Mission created by expansion and absent on a Mission that was not created by expansion. It is a lineage and audit reference only: it links the successor to the Mission it replaced so that the expansion chain is observable in audit. Consistent with the issuance profile's open-mission-claim rule, predecessor MUST NOT grant or widen authority, and a consumer that does not understand it MUST ignore it. The successor's authority comes only from its own authority_hash, never from its predecessor.

The same predecessor value is recorded on the successor's immutable Mission record so that the lineage is durable independently of any derived token.

This document defines two further lineage members:

related_to:

OPTIONAL. A string. The mission_id of a Mission this Mission is related to by lineage without superseding it, used for a non-superseding link such as a branch (Section 8). Unlike predecessor, its presence does not imply that the referenced Mission was superseded and it carries no lifecycle consequence. Like predecessor, it is lineage and audit context only: it MUST NOT grant or widen authority, and a consumer that does not understand it MUST ignore it.

successor:

OPTIONAL. A string. The mission_id of the successor that superseded this Mission by expansion, recorded on the superseded predecessor's Mission record at supersession (Section 7). It is the reverse of the successor's predecessor link, letting a consumer that holds a superseded predecessor discover its successor directly. It is lineage and audit context only and MUST NOT grant or widen authority. The Status profile surfaces it in the status response ([I-D.draft-mcguinness-oauth-mission-status]) and the Signals profile in the superseded lifecycle event ([I-D.draft-mcguinness-oauth-mission-signals]).

predecessor, related_to, and successor are each a bare Mission Identifier string, not an object like the parent member of a Child Mission ([I-D.draft-mcguinness-oauth-mission-child-delegation]): same-issuer succession needs only the identifier to resolve the linked Mission at the shared issuer, whereas parentage carries cascade semantics and cross-object integrity that require a structured member.

Properties:

Example successor mission claim on a derived token (non-normative; other token claims omitted):

{
  "mission": {
    "id": "msn_2Yt7Qv9LqMv4z7sA2bN1k0YpEdHc9RfX",
    "issuer": "https://as.example.com",
    "authority_hash":
      "sha-256:Td9bM7sX1cF8gH2vJ4kE5pNQl3KvZ4mP5x0wQrR6tY2",
    "predecessor": "msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-"
  }
}

7. The Superseded Predecessor State

This document adds one terminal state to the issuance profile's lifecycle, used only by expansion:

superseded:

A predecessor Mission that a successor has replaced through a replacement expansion. Terminal and non-active.

A deployment that never expands a Mission never produces this state; the issuance profile's active/revoked/expired lifecycle is unchanged for it. The transition is:

Table 1
From Event To
active successor activates by expansion superseded

The transition has these requirements:

7.1. No implicit rollback

The Mission Issuer MUST NOT implicitly resurrect a superseded predecessor when its successor is later revoked, expired, or itself superseded; superseded is terminal. A deployment that needs "revert to the predecessor's authority" semantics expresses that as a new approval event creating a new Mission that carries the relevant authority, with its own predecessor link preserving the lineage. A rollback is therefore a new governed Mission, not a state reversal.

8. Replacement Expansion

A successful expansion is a replacement: the successor replaces the predecessor, and the predecessor becomes superseded (Section 7). Replacement is the only mode this document defines.

Under replacement, exactly one successor is created per predecessor, and the predecessor is no longer active once the successor activates. The successor carries its own complete Authority Set as derived and consented at the expansion approval event; it does not inherit the predecessor's authority by reference. A deployment that wants the successor to retain the predecessor's authority alongside the new authority expresses the combined authority in the expansion Mission Intent, so the successor's authority_hash commits exactly the authority the Approver saw and approved (Section 5).

A branch mode, in which the predecessor and the successor both remain active after expansion (for example, a separately scoped child task running alongside the original), is OPTIONAL and is not defined here. A deployment that needs a separately scoped task alongside a still-active Mission creates an ordinary new Mission under the issuance profile and MAY set that Mission's related_to member (Section 6) to the original Mission's mission_id to preserve lineage; it does not set predecessor, which would imply a supersession, so the original remains active. An atomic, grant-bound branch expansion that creates such a child within a single expansion approval event is deferred to a future revision of this document.

9. Concurrent Expansion Reconciliation

More than one expansion request MAY be in flight against the same predecessor at once. Because replacement produces exactly one successor per predecessor (Section 8), the Mission Issuer MUST serialize adjudications against the same predecessor so that concurrent expansions cannot each produce a successor.

The Mission Issuer MUST serialize expansion adjudications against the same predecessor with compare-and-set semantics. At the moment of adjudication, in the same atomic step that would activate the successor and supersede the predecessor, the Mission Issuer MUST verify:

  1. the predecessor resolved from the presented grant is still in the active state; and

  2. no other replacement expansion has already produced a successor for this predecessor (equivalently, the predecessor has not already transitioned to superseded).

If either check fails, the Mission Issuer MUST refuse the request with invalid_grant and the applicable reconciliation status from the closed set below. The losing or otherwise stale expansion request is rejected; it does not produce a second successor.

The reconciliation status codes are:

superseded_by_concurrent_expansion:

A concurrent replacement expansion has already produced a successor; the predecessor is now superseded rather than active. The client SHOULD discover the existing successor and re-evaluate whether a further expansion is still required (an expansion of the successor is a new expansion against the successor as predecessor).

predecessor_state_changed:

The predecessor made a terminal exit from active (to revoked, expired, or superseded) before this request could be adjudicated, including the cases caught at request binding (Section 4.3). The client MUST NOT retry the same expansion against this predecessor.

predecessor_not_active:

The predecessor is in a non-terminal non-active state (for example suspended under the Mission Status profile [I-D.draft-mcguinness-oauth-mission-status]) and cannot be expanded until it returns to active. The client MAY retry the expansion after the predecessor is active again.

The two terminal-exit codes overlap in the superseded case by design: superseded_by_concurrent_expansion is the specific reconciliation outcome when the cause is a concurrent expansion that has already won, and predecessor_state_changed is the general outcome for any other terminal exit from active. A Mission Issuer SHOULD return the specific code when it can attribute the change to a concurrent expansion. predecessor_not_active is distinct from both: it reports a reversible, non-terminal state, so it invites the retry the terminal codes forbid.

The Mission Issuer conveys the reconciliation status in a mission_expansion_status member of the OAuth error response body, alongside the invalid_grant error:

mission_expansion_status:

A string carrying one code from this document's closed sets: a reconciliation status (Section 9) or an expansion denial reason (Section 10). It is returned in the error response of the step that failed: the PAR error response for a binding or reconciliation failure, and the approval or token error response for a denial.

10. Expansion Denial Reasons

An adjudication that completes with the Approver declining, or with the Mission Issuer refusing on policy grounds, denies the expansion: no successor is created and the predecessor remains active and untouched. Such a denial is an OAuth error at the approval or token step per the issuance profile (typically invalid_request for a request the Mission Issuer will not derive a valid Authority Set from, or the approval flow's own decline path). It MAY additionally carry one machine-readable reason code from the closed set below:

out_of_policy:

The Mission Issuer's governance policy refuses the requested authority class for this Mission, independent of who approves.

approver_rejected:

The Approver declined the expansion at the consent step.

out_of_scope_for_purpose:

The requested authority is incompatible with the Mission's recorded purpose; a different Mission, not an expansion of this one, is the appropriate vehicle.

A companion profile MAY extend this set by specification (the experimental progressive authorization companion defines out_of_ceiling, [I-D.draft-mcguinness-oauth-mission-progressive]); a consumer MUST treat an unrecognized reason code as a denial with no further semantics.

A Mission Issuer MUST NOT use a reason code to disclose policy boundaries beyond the adjudicated request (Section 13.5); omitting the reason code is always permitted. When present, a reason code is carried in the mission_expansion_status member of the OAuth error response body (Section 9), the same member that carries a reconciliation status.

Two failure classes are not denial reasons and use the issuance profile's error vocabulary directly: an expansion request whose predecessor does not match the grant-resolved Mission, or whose predecessor is not active, fails with invalid_grant (Section 4.2, Section 4.3); an expansion Mission Intent the Mission Issuer cannot parse or cannot derive a valid Authority Set from fails with invalid_request or, where the issuance profile uses it, invalid_authorization_details ([RFC9396]), exactly as for any Mission creation.

11. Worked Example

The Q3 reconciliation Mission msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9- authorizes reading invoices and posting journal entries under $500. Mid-task the agent finds an adjustment of $1,200, outside the active Mission's authority. It cannot widen in place; it requests an expansion, submitting a new Mission Intent through PAR bound to the predecessor's grant:

POST /par HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

mission_intent=%7B...journal-entries%20cap%20%242000...%7D&
predecessor=msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-&
predecessor_token=<refresh%20token%20bound%20to%20the%20predecessor>&
client_id=s6BhdRkqt3

The Mission Issuer resolves the predecessor from the grant, confirms it matches predecessor and is active, derives the successor's Authority Set, and obtains fresh consent from alice for the widened cap. On approval it creates the successor active and supersedes the predecessor atomically. The successor's token carries a predecessor member:

{
  "mission": {
    "id": "msn_2Yt7Qv9LqMv4z7sA2bN1k0YpEdHc9RfX",
    "issuer": "https://as.example.com",
    "authority_hash":
      "sha-256:Td9bM7sX1cF8gH2vJ4kE5pNQl3KvZ4mP5x0wQrR6tY2",
    "predecessor": "msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-"
  }
}

The predecessor is now superseded: it derives no new tokens, its already-issued tokens run out their short lifetimes, and the task continues under the successor. The widening came only from alice's fresh consent; the successor's authority_hash commits the widened Authority Set it was actually approved for, not the predecessor's plus a delta.

12. Conformance

An implementation claims conformance to this document only in the Mission Issuer role and only when it adjudicates expansion. A conforming expansion-capable Mission Issuer MUST:

An expansion-capable Mission Issuer is also a conforming issuance-profile Mission Issuer ([I-D.draft-mcguinness-oauth-mission]); this document adds the expansion surface to that role. A Resource Server requires no new behavior: it enforces a successor's tokens exactly as it enforces any Mission-bound token, and treats the predecessor member, if it reads it at all, as audit context it MUST NOT use to grant authority (Section 6).

Under this document, every expansion is adjudicated by a fresh human approval. The experimental progressive authorization companion defines a further OPTIONAL capability, Expansion with Progressive Authorization, with its own conformance requirements ([I-D.draft-mcguinness-oauth-mission-progressive]).

13. Security Considerations

Expansion's central guarantee is the issuance profile's, applied to the successor: a user's fresh approval bounds every token derived for the broadened task. The risks specific to expansion are in the predecessor binding, the predecessor-to-successor handoff, and the lineage link.

13.1. Predecessor confusion

A client could attempt to expand a Mission it does not control, for example by naming another tenant's or subject's mission_id in the predecessor parameter.

Mitigations:

  • The predecessor is resolved from the grant the client presents, not from the predecessor value; the Mission Issuer MUST verify the resolved Mission matches the named one and MUST refuse a mismatch with invalid_grant (Section 4.2). A client that holds no grant for the named predecessor cannot expand it.

  • The issuance profile's integrity anchors are issuer-bound, so a Mission's governance state cannot be transplanted across Mission Issuers; an expansion is adjudicated only at the predecessor's own issuer.

13.3. Race against predecessor lifecycle

Between the moment a client decides to expand and the moment the Mission Issuer adjudicates, the predecessor may be revoked, expire, or be superseded by a concurrent expansion. Without serialization an expansion could appear to succeed against a predecessor that is no longer authoritative, or two successors could be created.

Mitigations:

  • The Mission Issuer MUST verify predecessor state and the no-existing-successor condition in the same atomic step that would activate the successor (Section 9), and serializes adjudications against the same predecessor.

  • A failed check refuses with invalid_grant and a reconciliation status that tells the client whether to discover an existing successor or stop, without leaking the predecessor's new internal state beyond that (Section 9).

13.4. Expansion versus step-up

Conflating expansion with authentication step-up [RFC9470] would route an authentication shortfall through an approval event the Approver did not need to perform, surfacing irrelevant consent and risking approval fatigue, or conversely would treat a genuine authority shortfall as a mere re-authentication and silently widen nothing.

Mitigation: a denial that is an authentication shortfall (acr, amr) is satisfied by step-up and MUST NOT be routed to expansion; a denial that is an authority shortfall is the one expansion addresses (Section 1.2). The component that classifies the denial (Section 3.2) makes this distinction.

13.5. Policy probing

A client could submit many expansion requests for the same predecessor to map the Mission Issuer's policy boundary from the denial reasons.

Mitigations:

  • The Mission Issuer SHOULD rate-limit expansion requests per predecessor per client.

  • A denial reason MUST NOT disclose policy boundaries beyond the adjudicated request (Section 10); a denial reports whether the requested authority was approved, not the full surface of what would have been.

13.6. Audit linkage

The predecessor member makes the expansion chain observable: an authorized auditor can trace a successor back through its predecessors to the original Mission. This is a core governance property of expansion. An implementation that omits the member breaks the chain and defeats it; the member is therefore REQUIRED on a successor (Section 6).

General OAuth security guidance applies to the underlying credentials through the issuance profile.

14. Privacy Considerations

The privacy surface expansion adds over the issuance profile is the lineage link and the authority detail disclosed when a task is broadened.

14.1. Predecessor-chain correlation

The predecessor member that gives audit linkage (Section 13.6) is also a correlation surface: it links a successor to its predecessor across distinct approval events, so a party that can read the chain can correlate the evolving task over time, which is more than any single Mission discloses. This is intrinsic to the governance value of expansion. Deployments SHOULD scope read access to the predecessor member, and to any Mission-state surface that exposes it, to parties with a governance need, rather than exposing the chain to every credential audience. The issuance profile's Mission Identifier correlation considerations apply to each Mission in the chain.

14.2. Disclosure of the broadened task

The expansion Mission Intent and the consent disclosure rendered at the expansion approval event reveal how the approved task is evolving. The Mission Issuer SHOULD render that disclosure only to the Approver and authorized governance consumers, consistent with the issuance profile's treatment of consent disclosure.

15. IANA Considerations

Consistent with the issuance profile, which establishes no registry of mission claim members and registers the mission claim as an open object, this document defines the predecessor member of the mission claim (Section 6) without registering it in a dedicated registry: it is a member defined by this profile, carried inside the already-registered mission claim. No new claim, parameter, or token-introspection registration is required for the lineage link.

This document defines two closed sets of symbolic codes, the expansion reconciliation status codes (Section 9) and the expansion denial reasons (Section 10), both conveyed in the mission_expansion_status member of the OAuth error response body (Section 9). mission_expansion_status is a member of the OAuth error response JSON body, not an OAuth protocol parameter, and is namespaced to this document's error responses, so it requires no registration. Like the issuance profile's restraint with mission members, the codes are documented in this specification rather than placed in new IANA registries: the closed sets are small and fully specified here. Should interoperable extension of either set prove necessary, a future revision can create a "Mission Expansion Reconciliation Status" registry and a "Mission Expansion Denial Reason" registry with a Specification Required [RFC8126] policy; this document does not create them.

This document registers two parameters in the "OAuth Parameters" registry:

As with mission_intent in the issuance profile, PAR [RFC9126] carries authorization-request parameters without a distinct usage location, so the pushed submission of these parameters needs no separate registration. predecessor_token carries a refresh token and MUST be submitted only through PAR, never on a front-channel authorization request (Section 4.1).

Acknowledgments

The author thanks the reviewers of the Mission-Bound Authorization for OAuth 2.0 profile for feedback on the expansion model and its composition with the issuance flow.

References

Normative References

[I-D.draft-mcguinness-oauth-mission]
McGuinness, K., "Mission-Bound Authorization for OAuth 2.0", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-oauth-mission.html>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8705]
Campbell, B., Bradley, J., Sakimura, N., and T. Lodderstedt, "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens", RFC 8705, DOI 10.17487/RFC8705, , <https://www.rfc-editor.org/rfc/rfc8705>.
[RFC9126]
Lodderstedt, T., Campbell, B., Sakimura, N., Tonge, D., and F. Skokan, "OAuth 2.0 Pushed Authorization Requests", RFC 9126, DOI 10.17487/RFC9126, , <https://www.rfc-editor.org/rfc/rfc9126>.
[RFC9396]
Lodderstedt, T., Richer, J., and B. Campbell, "OAuth 2.0 Rich Authorization Requests", RFC 9396, DOI 10.17487/RFC9396, , <https://www.rfc-editor.org/rfc/rfc9396>.
[RFC9449]
Fett, D., Campbell, B., Bradley, J., Lodderstedt, T., Jones, M., and D. Waite, "OAuth 2.0 Demonstrating Proof of Possession (DPoP)", RFC 9449, DOI 10.17487/RFC9449, , <https://www.rfc-editor.org/rfc/rfc9449>.

Informative References

[I-D.draft-mcguinness-mission-runtime]
McGuinness, K., "Mission-Bound Runtime Enforcement", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-mission-runtime.html>.
[I-D.draft-mcguinness-oauth-mission-child-delegation]
McGuinness, K., "Mission Child Delegation for OAuth 2.0", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-oauth-mission-child-delegation.html>.
[I-D.draft-mcguinness-oauth-mission-progressive]
McGuinness, K., "Mission Progressive Authorization for OAuth 2.0", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-oauth-mission-progressive.html>.
[I-D.draft-mcguinness-oauth-mission-signals]
McGuinness, K., "Mission Lifecycle Signals for OAuth 2.0", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-oauth-mission-signals.html>.
[I-D.draft-mcguinness-oauth-mission-status]
McGuinness, K., "Mission Status and Lifecycle for OAuth 2.0", , <https://mcguinness.github.io/mission-bound-authorization/draft-mcguinness-oauth-mission-status.html>.
[RFC8126]
Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, , <https://www.rfc-editor.org/rfc/rfc8126>.
[RFC9470]
Bertocci, V. and B. Campbell, "OAuth 2.0 Step Up Authentication Challenge Protocol", RFC 9470, DOI 10.17487/RFC9470, , <https://www.rfc-editor.org/rfc/rfc9470>.

Author's Address

Karl McGuinness
Independent