User to AI Agent Delegation using ID-JAG Tokens (client assertion)
The user authenticates with Okta via the origin application. This produces an access token and/or ID token that represents the user's identity.
Using the standard OIDC authorization code flow, the origin application redirects the user to Okta for authentication and then exchanges the returned authorization code for tokens. The user's token obtained here is what the AI Agent later presents as the subject_token in the token exchange; the ID-JAG draft (draft-ietf-oauth-identity-assertion-authz-grant) specifies the user's ID token for this purpose, with subject_token_type urn:ietf:params:oauth:token-type:id_token.
The origin application hands the user's token to the AI Agent over a secure channel (the token is a bearer credential: send it only over TLS and keep it out of URLs and logs). The agent uses it to obtain delegated authorization in two legs: first it exchanges the user's token for an ID-JAG (Identity Assertion Authorization Grant), then it exchanges the ID-JAG for an access token from the custom authorization server.
The AI Agent exchanges the user's token for an ID-JAG via OAuth 2.0 Token Exchange (RFC 8693): grant_type urn:ietf:params:oauth:grant-type:token-exchange, requested_token_type urn:ietf:params:oauth:token-type:id-jag, and audience set to the custom authorization server that will consume the grant. The agent authenticates to the Okta token endpoint with a JWT client assertion (client_assertion_type urn:ietf:params:oauth:client-assertion-type:jwt-bearer) signed with its private key, whose public key is registered on the agent's Okta application as a JWK. The assertion carries iss and sub equal to the agent's client_id, aud equal to the token endpoint URL being called, a short exp and a unique jti.
The AI Agent then exchanges the ID-JAG for an access token from the custom authorization server using the JWT Bearer grant (RFC 7523): grant_type urn:ietf:params:oauth:grant-type:jwt-bearer with the ID-JAG as the assertion. Client authentication uses the same private-key JWT mechanism, but with a freshly signed assertion: its aud must be the custom authorization server's token endpoint rather than the org token endpoint, and a jti should never be presented twice, since the server may reject replays. Before issuing a token, the custom authorization server validates the ID-JAG's signature against Okta's keys and checks that its aud names this server and its client_id matches the authenticated client.
The AI Agent now has a scoped access token and can make API calls on behalf of the user.
Test the access token by making an authenticated API request to a resource server (Authorization: Bearer header); the resource server validates the token's issuer, audience, expiry and scope before serving the request.
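The two exchanges above, as an added example that is not code from this page or from Okta: an in-memory run of both token requests and of the checks each token endpoint performs on the client assertion and on the ID-JAG, ending with a replay of the second request to show it being refused. The issuer URLs, the agent client_id, the scope, the key ids and the user and app identifiers are assumptions; the signing is a toy RSA stand-in with a made-up `toy-RSA` alg so the script runs on the standard library, and the example follows the ID-JAG draft in presenting the user's ID token as the subject_token.

```python
import base64, hashlib, json, secrets, time

# Toy RSA on fixed Mersenne primes (SHA-256 digest reduced mod n): NOT RS256, NOT secure, stdlib-only stand-in.
def toy_keypair(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def _b64(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _digest(head, body, n): return int.from_bytes(hashlib.sha256(f"{head}.{body}".encode()).digest(), "big") % n

def sign_jwt(claims, priv, kid, typ="JWT"):
    head = _b64(json.dumps({"alg": "toy-RSA", "typ": typ, "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}." + _b64(pow(_digest(head, body, priv["n"]), priv["d"], priv["n"]).to_bytes(32, "big"))

def verify_jwt(token, pub, typ=None):
    head, body, sig = token.split(".")
    if pow(int.from_bytes(_unb64(sig), "big"), pub["e"], pub["n"]) != _digest(head, body, pub["n"]):
        raise ValueError("bad signature")
    if typ and json.loads(_unb64(head)).get("typ") != typ:  # a plain ID token must not pass as an ID-JAG
        raise ValueError("unexpected typ")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= time.time(): raise ValueError("expired")
    return claims

IDP = "https://example.okta.com"                 # assumed Okta org issuer
CUSTOM_AS = f"{IDP}/oauth2/aus0example"          # assumed custom authorization server issuer
IDP_TOKEN_URL, CUSTOM_AS_TOKEN_URL = f"{IDP}/oauth2/v1/token", f"{CUSTOM_AS}/v1/token"
AGENT_ID = "0oa0agentexample"                    # assumed client_id of the AI Agent
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
CLIENT_ASSERTION_JWT = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
ID_JAG_TYPE = "urn:ietf:params:oauth:token-type:id-jag"

class Agent:                                     # the AI Agent: an OAuth client with its own key pair
    pub, priv = toy_keypair((1 << 61) - 1, (1 << 89) - 1)
    def client_assertion(self, token_url):       # private_key_jwt: iss == sub == client_id,
        now = int(time.time())                   # aud == the token endpoint being called, fresh jti
        return sign_jwt({"iss": AGENT_ID, "sub": AGENT_ID, "aud": token_url, "iat": now,
                         "exp": now + 300, "jti": secrets.token_urlsafe(16)}, self.priv, "agent-k1")
    def id_jag_request(self, id_token, scope):   # leg 1, RFC 8693: the user's ID token -> ID-JAG
        return {"grant_type": TOKEN_EXCHANGE, "requested_token_type": ID_JAG_TYPE,
                "subject_token": id_token, "subject_token_type": ID_TOKEN_TYPE,
                "audience": CUSTOM_AS, "scope": scope, "client_assertion_type": CLIENT_ASSERTION_JWT,
                "client_assertion": self.client_assertion(IDP_TOKEN_URL)}
    def access_token_request(self, id_jag):      # leg 2, RFC 7523: ID-JAG -> access token
        return {"grant_type": JWT_BEARER, "assertion": id_jag, "client_assertion_type": CLIENT_ASSERTION_JWT,
                "client_assertion": self.client_assertion(CUSTOM_AS_TOKEN_URL)}

class TokenEndpoint:                             # stands in for both the Okta org AS and the custom AS
    def __init__(self, issuer, url, agent_pub, primes):
        self.issuer, self.url, self.agent_pub, self.seen_jti = issuer, url, agent_pub, set()
        self.pub, self.priv = toy_keypair(*primes)
    def authenticate(self, form):                # RFC 7523 section 3 checks on the client assertion
        if form.get("client_assertion_type") != CLIENT_ASSERTION_JWT: raise ValueError("unsupported client auth")
        c = verify_jwt(form["client_assertion"], self.agent_pub)
        if not (c["iss"] == c["sub"] == AGENT_ID and c["aud"] == self.url): raise ValueError("iss/sub/aud mismatch")
        if c["jti"] in self.seen_jti: raise ValueError("client assertion replayed")
        self.seen_jti.add(c["jti"])
        return c["sub"]
    def issue_id_jag(self, form):                # org AS token endpoint, token-exchange grant
        client = self.authenticate(form)
        if (form["grant_type"], form["requested_token_type"], form["subject_token_type"]) != (
                TOKEN_EXCHANGE, ID_JAG_TYPE, ID_TOKEN_TYPE): raise ValueError("unsupported token exchange")
        user = verify_jwt(form["subject_token"], self.pub)   # the subject must be an ID token this IdP issued
        now = int(time.time())
        jag = sign_jwt({"iss": self.issuer, "sub": user["sub"], "aud": form["audience"], "client_id": client,
                        "scope": form["scope"], "iat": now, "exp": now + 300, "jti": secrets.token_urlsafe(16)},
                       self.priv, "idp-k1", typ="oauth-id-jag+jwt")
        return {"issued_token_type": ID_JAG_TYPE, "access_token": jag, "token_type": "N_A"}
    def issue_access_token(self, form, idp_pub): # custom AS token endpoint, JWT-bearer grant
        client = self.authenticate(form)
        if form["grant_type"] != JWT_BEARER: raise ValueError("unsupported grant")
        jag = verify_jwt(form["assertion"], idp_pub, typ="oauth-id-jag+jwt")
        if jag["iss"] != IDP or jag["aud"] != self.issuer or jag["client_id"] != client or jag["jti"] in self.seen_jti:
            raise ValueError("ID-JAG not issued for this server and client, or replayed")
        self.seen_jti.add(jag["jti"])
        now = int(time.time())
        at = sign_jwt({"iss": self.issuer, "sub": jag["sub"], "aud": "api://default", "scope": jag["scope"],
                       "client_id": client, "iat": now, "exp": now + 3600}, self.priv, "as-k1")
        return {"token_type": "Bearer", "access_token": at, "scope": jag["scope"], "expires_in": 3600}

def run_flow():                                  # both legs end to end, then a replay of leg 2
    agent = Agent()
    idp = TokenEndpoint(IDP, IDP_TOKEN_URL, agent.pub, ((1 << 107) - 1, (1 << 127) - 1))
    custom_as = TokenEndpoint(CUSTOM_AS, CUSTOM_AS_TOKEN_URL, agent.pub, ((1 << 89) - 1, (1 << 127) - 1))
    now = int(time.time())                       # constructed stand-in for the ID token the origin app received
    id_token = sign_jwt({"iss": IDP, "sub": "00u0alice", "aud": "0oa0originapp", "exp": now + 3600}, idp.priv, "idp-k1")
    jag = idp.issue_id_jag(agent.id_jag_request(id_token, "calendar:read"))["access_token"]
    form = agent.access_token_request(jag)
    claims = verify_jwt(custom_as.issue_access_token(form, idp.pub)["access_token"], custom_as.pub)
    try:                                         # same form again: same client-assertion jti, so it must fail
        custom_as.issue_access_token(form, idp.pub)
    except ValueError as e:
        return claims, str(e)
    return claims, None
```

Two details are worth watching when reading the run: each leg gets its own client assertion whose aud is the endpoint actually being called (the org token endpoint for the exchange, the custom server's token endpoint for the JWT bearer grant), and the custom server accepts only a JWT whose typ header is oauth-id-jag+jwt, so the user's ID token itself cannot be passed straight through as the assertion. The jti sets are in memory here; a real server needs that state shared across instances for the replay check to mean anything.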