2026-05-29 –, Arena
This session explores the possibility of applying the concept of "Elicitation in URL mode", introduced in MCP, to the OAuth world to make cross-domain multi-hop API calls secure and compares it with the existing token-exchange based method.
When a resource server hosting APIs receives an access request from a client with an access token, the resource server sometimes needs to access an API hosted by another resource server in a different trust domain to complete the initial request. This is called a "cross-domain multi-hop API call". In cross-domain multi-hop API calls, the resource server may need to convey the user context in the subsequent API calls. An example is a resource server that needs to access a user's documents stored in Google Docs.
Token exchange-based methods exist to do this securely, specifically the IETF Internet Draft "Identity and Authorization Chaining Across Domains", which builds on RFC 8693 (OAuth 2.0 Token Exchange) and RFC 7523 (JWT Authorization Grant). In this specification, the first resource server obtains a JWT authorization grant, by token exchange, from the authorization server in its own trust domain; it then sends that grant to the authorization server in the trust domain of the next resource server and receives an access token for accessing the next resource server.
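As an added illustration (not part of the session description or of any project's code), the following self-contained Python sketch walks through the two hops of the token-exchange based method: RS1 exchanges the user's access token at AS_A for a JWT grant addressed to AS_B, then presents that grant to AS_B as a JWT bearer assertion and gets an access token for RS2. Domain names, keys and the HS256 shared-key signing are constructed placeholders for real signing keys and key discovery.

```python
import base64, hashlib, hmac, json, time

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_jwt(claims: dict, key: bytes) -> str:
    # Compact HS256 JWS with a shared key: a constructed stand-in for real signing keys.
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_jwt(token: str, key: bytes, iss: str, aud: str) -> dict:
    head, body, sig = token.split(".")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(want), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["iss"] != iss or claims["aud"] != aud or claims["exp"] < time.time():
        raise ValueError("iss/aud/exp check failed")
    return claims

# Constructed trust domains: A hosts AS_A and RS1, B hosts AS_B and RS2.
AS_A, AS_B, RS1, RS2 = "https://as-a.example", "https://as-b.example", "rs1", "rs2"
KEY_A, KEY_B = b"as-a-signing-key", b"as-b-signing-key"  # constructed secrets
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def issue_user_token(sub: str) -> str:  # the token the client first presents to RS1
    return sign_jwt({"iss": AS_A, "sub": sub, "aud": RS1, "exp": int(time.time()) + 60}, KEY_A)

def as_a_token_endpoint(form: dict) -> dict:
    # Hop 1 (RFC 8693): RS1 exchanges the user's token for a JWT grant addressed to AS_B.
    if form["grant_type"] != TOKEN_EXCHANGE:
        raise ValueError("unsupported grant_type")
    user = verify_jwt(form["subject_token"], KEY_A, AS_A, RS1)
    grant = {"iss": AS_A, "sub": user["sub"], "aud": form["audience"], "scope": form["scope"],
             "exp": int(time.time()) + 60}
    return {"access_token": sign_jwt(grant, KEY_A), "issued_token_type": "urn:ietf:params:oauth:token-type:jwt"}

def as_b_token_endpoint(form: dict) -> dict:
    # Hop 2 (RFC 7523): AS_B trusts AS_A's key but only honours a grant addressed to it.
    if form["grant_type"] != JWT_BEARER:
        raise ValueError("unsupported grant_type")
    grant = verify_jwt(form["assertion"], KEY_A, AS_A, AS_B + "/token")
    token = {"iss": AS_B, "sub": grant["sub"], "aud": RS2, "scope": grant["scope"], "exp": int(time.time()) + 300}
    return {"access_token": sign_jwt(token, KEY_B), "token_type": "Bearer"}

def chain_call(user_access_token: str) -> dict:
    # What RS1 does to call RS2 on the user's behalf; returns the claims RS2 would see.
    hop1 = as_a_token_endpoint({"grant_type": TOKEN_EXCHANGE, "subject_token": user_access_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token", "scope": "docs.read",
        "audience": AS_B + "/token", "requested_token_type": "urn:ietf:params:oauth:token-type:jwt"})
    hop2 = as_b_token_endpoint({"grant_type": JWT_BEARER, "assertion": hop1["access_token"]})
    return verify_jwt(hop2["access_token"], KEY_B, AS_B, RS2)
```

The audience check in hop 2 is the part to watch: the user's original token, although validly signed by AS_A, is refused by AS_B because it was never addressed to AS_B's token endpoint.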
This session explores the possibility of an alternative method. The idea is to apply the concept of "Elicitation in URL mode", introduced in the Model Context Protocol (MCP), to the OAuth world. In this approach, the first resource server plays the role of a client and obtains an access token from the authorization server in the trust domain of the next resource server via the authorization code grant, and so on for each further hop.
The speaker describes the issues that arise when applying this concept to cross-domain multi-hop API calls in OAuth and the solutions for them. In addition, the speaker compares the existing token exchange-based method with the elicitation-based method and discusses which method is preferable in which cases.
Finally, the speaker considers whether the elicitation-based method can be standardized as an OAuth extension.
The session would contribute to providing an alternative method for cross-domain multi-hop API calls in OAuth and to making such calls more secure.
Takashi Norimatsu, Ph.D. in Engineering, Senior OSS Specialist at Hitachi, Ltd., is a maintainer of Keycloak, an IAM OSS and CNCF incubating project. He has implemented and contributed Keycloak security features such as the FAPI 1.0/FAPI 2.0/FAPI-CIBA security profiles, the authorization part of the Model Context Protocol (MCP), and WebAuthn/Passkeys support. He leads Keycloak's community "OAuth SIG" (formerly FAPI-SIG), which supports OAuth/OIDC and related security features in Keycloak.