# Delegated Authentication

## Overview

Delegated authentication lets an AI agent act on behalf of a user under an explicit, scoped, time-limited grant, so every action the agent takes can be traced back to the user who authorized it and the agent cannot step outside the boundaries that grant defines. This enables scenarios like:

- Support agents handling tickets on behalf of customers
- Automated services performing scheduled tasks for users
- Administrative operations with proper authorization chains

## The Delegation Triangle

```
   Delegator (User/Principal)
         /\
        /  \
       /    \
      /      \
   Grant    Audit
    /          \
   /            \
Delegate      Resource
(Agent)       (System)
```

## Key Concepts

### Delegation Token

A cryptographically signed credential containing:

| Field | Description |
|-------|-------------|
| Delegator | The principal granting authority |
| Delegate | The agent receiving authority |
| Scope | Specific operations and resources allowed |
| Expiration | Time limit for the delegation |
| Purpose | Human-readable reason for delegation |
| Chain | The prior hops of a multi-hop delegation (empty for a direct grant) |

### Delegation Chain

Tracks the full authorization path for audit:

```
User → Support Agent → Automation Bot
```

Each hop is recorded in the token, validated whenever the token is presented, and can be revoked.

### Scope Definition

Precisely defines what the delegate can do:

- **Operations**: read, update, create_note
- **Resources**: customer_profile, support_tickets
- **Conditions**: max_amount, time_window, ticket_ids

## Security Model

### Principle of Least Privilege

The effective permissions of a delegated operation are the intersection of:
1. What the delegator grants
2. What the delegate already possesses in its own right

A delegator cannot grant more than it holds, so in a chain each hop can only narrow the scope it received. Delegation therefore never adds a permission that neither party already had, which is what rules out privilege escalation through delegation.

### Security Guarantees

- **Cryptographic verification**: Tokens are signed by the issuer and the signature is validated before any delegated operation is allowed
- **Scope enforcement**: The resource checks each operation and resource against the granted scope, so delegates cannot exceed it
- **Audit trail**: Complete "who did what for whom" tracking, including every hop of the chain
- **Expiration handling**: Every token carries an expiry; access ends when it passes
- **Chain limits**: A maximum number of hops bounds how far authority can be re-delegated
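The token, chain, scope and least-privilege rules described in this section, worked through in Python as an added example (this is not MACAW's code). `mint` issues a signed token whose `chain` field carries the prior hops; `verify` checks every hop's signature and expiry and that each hop links to the previous delegate and only narrows its scope; `authorize` is the resource-side check that intersects the granted scope with what the delegate holds in its own right and returns the who/what/when/why audit record. The HMAC issuer key, the principal names, the `DELEGATE_PERMISSIONS` directory, the `MAX_HOPS` limit and the scope shape (operations and resources only, no conditions) are assumptions made for the example.

```python
"""Toy delegation tokens (added illustration, not MACAW's code): mint, verify a
chain, enforce scope at the resource. Key, names and directory are constructed."""
import hashlib
import hmac
import json
import time

# Constructed issuer key; a deployment would sign with an asymmetric key so verifiers hold no secret.
ISSUER_KEY = b"constructed-demo-issuer-key"
MAX_HOPS = 3  # chain limit, counted in tokens: user -> agent -> bot -> archiver is the deepest allowed
# Constructed directory of what each delegate may do in its own right.
DELEGATE_PERMISSIONS = {"support-agent": {"read", "update", "create_note"}, "automation-bot": {"read"}}


def _canonical(payload: dict) -> bytes:
    """Deterministic serialisation so the signature is reproducible."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def _sign(payload: dict) -> str:
    return hmac.new(ISSUER_KEY, _canonical(payload), hashlib.sha256).hexdigest()

def _scope_subset(narrow: dict, wide: dict) -> bool:
    """True when every operation and resource in `narrow` also appears in `wide`."""
    return (set(narrow["operations"]) <= set(wide["operations"])
            and set(narrow["resources"]) <= set(wide["resources"]))

def mint(delegator, delegate, scope, ttl, purpose, parent=None, now=None):
    """Issue a token granting `scope` ({"operations": [...], "resources": [...]})
    from `delegator` to `delegate` for `ttl` seconds. With `parent`, this is a
    re-delegation: only the parent's delegate may do it, the new scope may only
    narrow the parent's, and the new token cannot outlive the parent."""
    now = time.time() if now is None else now
    expires, chain = now + ttl, []
    if parent is not None:
        parent_payload = verify(parent, now=now)  # an invalid parent cannot be re-delegated
        if parent_payload["delegate"] != delegator:
            raise PermissionError("only the parent's delegate may re-delegate")
        if not _scope_subset(scope, parent_payload["scope"]):
            raise PermissionError("re-delegation may not widen the scope")
        expires = min(expires, parent_payload["expires"])
        chain = parent_payload["chain"] + [parent]
        if len(chain) + 1 > MAX_HOPS:
            raise PermissionError("delegation chain too deep")
    payload = {"delegator": delegator, "delegate": delegate, "scope": scope,
               "expires": expires, "purpose": purpose, "chain": chain}
    return {"payload": payload, "sig": _sign(payload)}

def verify(token, now=None):
    """Check signature and expiry of every hop, then that hops link and only narrow."""
    now = time.time() if now is None else now
    hops = token["payload"]["chain"] + [token]
    if len(hops) > MAX_HOPS:
        raise PermissionError("delegation chain too deep")
    for hop in hops:
        if not hmac.compare_digest(hop["sig"], _sign(hop["payload"])):
            raise PermissionError("bad signature")
        if hop["payload"]["expires"] <= now:
            raise PermissionError("token expired")
    for earlier, later in zip(hops, hops[1:]):
        prev, cur = earlier["payload"], later["payload"]
        if prev["delegate"] != cur["delegator"]:
            raise PermissionError("broken chain: hop delegator is not the previous delegate")
        if not _scope_subset(cur["scope"], prev["scope"]):
            raise PermissionError("chain widens scope at a later hop")
    return token["payload"]

def authorize(token, operation, resource, now=None):
    """Resource-side check: effective rights are the granted scope intersected with
    what the delegate holds in its own right. Returns the audit record, or raises."""
    now = time.time() if now is None else now
    p = verify(token, now=now)
    granted = set(p["scope"]["operations"]) if resource in p["scope"]["resources"] else set()
    if operation not in granted & DELEGATE_PERMISSIONS.get(p["delegate"], set()):
        raise PermissionError(f"{p['delegate']} may not {operation} {resource}")
    return {"who": [h["payload"]["delegator"] for h in p["chain"]] + [p["delegator"], p["delegate"]],
            "what": f"{operation} {resource}", "when": now, "why": p["purpose"]}

def denied(fn, *args, **kwargs) -> bool:
    """True when the call is refused with PermissionError (for the checks below)."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    NOW = 1_700_000_000.0
    grant = mint("alice", "support-agent", {"operations": ["read", "update", "create_note"],
                 "resources": ["customer_profile", "support_tickets"]}, 8 * 3600, "handle open ticket", now=NOW)
    sub = mint("support-agent", "automation-bot", {"operations": ["read", "update"],
               "resources": ["support_tickets"]}, 3600, "nightly ticket sync", parent=grant, now=NOW)
    print(authorize(sub, "read", "support_tickets", now=NOW)["who"])  # ['alice', 'support-agent', 'automation-bot']
    print(denied(authorize, sub, "update", "support_tickets", now=NOW))  # True: the bot holds no update right itself
```

Two points the example makes that the prose does not: a re-delegated token's expiry is clamped to its parent's, so a deep chain cannot outlive the original grant, and the chain is re-validated end to end on every use rather than trusting the last hop's signature alone. Revocation is left out; a deployment would add a token identifier to each hop and check every hop against a revocation list inside `verify`.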

## Use Cases

### Customer Support

Support agents access customer data with:
- Scoped permissions (view profile, update billing)
- Time-limited access (shift duration)
- Full audit trail for compliance

### Microservices

Services maintain user context across calls:
- User → API Gateway → Order Service → Payment Service
- Each hop tracked in delegation chain
- Original user identity preserved

### Scheduled Jobs

Background processes run with user permissions:
- User authorizes nightly backup
- Automation service acts on user's behalf
- Time-windowed access (2am-4am only)

## Compliance Benefits

### Audit Trail

Every delegated operation records:
- **Who**: Complete identity chain (delegator → delegate)
- **What**: Exact operations and data accessed
- **When**: Precise timestamps
- **Why**: Purpose and context

### Regulatory Support

- **HIPAA**: Patient data access with delegation context
- **PCI-DSS**: Financial operations with approval chains
- **GDPR**: Data access with clear legal basis
- **SOX**: Financial controls with separation of duties

---

Copyright MACAW Security. All rights reserved.
