feat(auth): Implement OAuth 2.0 Token Exchange for agent-to-user delegation

## Summary

Implement OAuth 2.0 Token Exchange (RFC 8693) to provide cryptographic proof of user delegation when AI agents act on behalf of users. This replaces the current implicit trust model with explicit, auditable authorization.

## Current State (Pattern 1: Implicit Delegation)

Currently, when an AI agent performs actions on behalf of a user, it:

1. Authenticates itself via SPIFFE JWT-SVID (proves agent identity)
2. Passes `user_id` as a parameter to MCP tools
3. The MCP server trusts the authenticated agent to provide the correct user context

```
┌──────────────┐       ┌──────────────┐       ┌──────────────┐
│  Human User  │       │   AI Agent   │       │  MCP Server  │
└──────┬───────┘       └──────┬───────┘       └──────┬───────┘
       │                      │                      │
       │ "Search my docs"     │                      │
       │─────────────────────►│                      │
       │                      │                      │
       │                      │ MCP call with:       │
       │                      │ • X-SPIFFE-JWT (agent identity)
       │                      │ • user_id parameter  │
       │                      │─────────────────────►│
       │                      │                      │
       │                      │   ✓ Validate agent   │
       │                      │   ✓ Trust user_id    │
       │                      │                      │
```

**Limitations:**
- No cryptographic proof that the user authorized this specific agent
- No scope limitation (agent can claim to act as any user)
- Limited auditability ("agent searched" vs "user authorized agent to search")
- Requires high trust in agent implementations

## Proposed State (Pattern 2: OAuth 2.0 Token Exchange)

Implement RFC 8693 Token Exchange so agents can exchange their SPIFFE identity + user consent for a delegated token:

```
┌──────────────┐       ┌──────────────┐       ┌──────────────┐       ┌──────────────┐
│  Human User  │       │   AI Agent   │       │ Auth Server  │       │  MCP Server  │
└──────┬───────┘       └──────┬───────┘       └──────┬───────┘       └──────┬───────┘
       │                      │                      │                      │
       │ Grant consent        │                      │                      │
       │ (scope: search)      │                      │                      │
       │─────────────────────►│                      │                      │
       │                      │                      │                      │
       │                      │ Token Exchange:      │                      │
       │                      │ • subject_token (agent SVID)                │
       │                      │ • actor_token (user consent)                │
       │                      │ • scope: rag:search  │                      │
       │                      │─────────────────────►│                      │
       │                      │                      │                      │
       │                      │◄─────────────────────│                      │
       │                      │ Delegated token:     │                      │
       │                      │ "Agent X acts as     │                      │
       │                      │  User Y for scope Z" │                      │
       │                      │                      │                      │
       │                      │ MCP call with delegated token               │
       │                      │─────────────────────────────────────────────►
       │                      │                      │                      │
       │                      │                      │   ✓ Verify delegation│
       │                      │                      │   ✓ Check scope      │
       │                      │                      │   ✓ Audit trail      │
```

## Benefits of Token Exchange

| Aspect | Current (Pattern 1) | Proposed (Pattern 2) |
|--------|---------------------|----------------------|
| **Trust Model** | Server trusts agent to pass correct user_id | Cryptographic proof of delegation |
| **Scope** | Implicit (all operations) | Explicit (specific actions/resources) |
| **Auditability** | "Agent searched as user X" | "User X authorized Agent for scope Y at time T" |
| **Revocation** | Must revoke agent entirely | Can revoke specific delegations |
| **Least Privilege** | Agent has full user context | Agent only has granted scopes |

## Implementation Tasks

### Phase 1: Token Exchange Endpoint
- [ ] Add `/auth/token-exchange` endpoint implementing RFC 8693
- [ ] Support `urn:ietf:params:oauth:grant-type:token-exchange` grant type
- [ ] Validate subject_token (agent SPIFFE JWT-SVID)
- [ ] Validate actor_token (user authorization)
- [ ] Issue delegation token with `act` claim

### Phase 2: Delegation Token Format
- [ ] Define JWT structure for delegation tokens:
  ```json
  {
    "sub": "user-uuid",
    "act": {
      "sub": "spiffe://rag-modulo.example.com/agent/search-enricher/abc123"
    },
    "scope": "rag:search rag:read",
    "aud": ["mcp-server"],
    "exp": 1234567890
  }
  ```
- [ ] Implement token signing and validation
- [ ] Add delegation chain support for multi-hop scenarios

### Phase 3: MCP Server Integration
- [ ] Update `MCPAuthenticator` to validate delegation tokens
- [ ] Extract both agent and user identity from delegation claims
- [ ] Enforce scope restrictions on tool invocations
- [ ] Add audit logging for delegated operations

### Phase 4: User Consent Flow
- [ ] Design consent UI for users to authorize agents
- [ ] Implement consent storage and revocation
- [ ] Add scope selection (which tools/resources agent can access)
- [ ] Support time-limited delegations

## References

- [RFC 8693: OAuth 2.0 Token Exchange](https://datatracker.ietf.org/doc/html/rfc8693)
- [SPIFFE JWT-SVID Specification](https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md)
- [SPIRE Token Exchange](https://spiffe.io/docs/latest/spire-about/spire-concepts/#token-exchange)

## Related Issues

- #698 - Expose RAG Modulo as MCP Server
- #695 - SPIFFE/SPIRE Integration Architecture

## Acceptance Criteria

1. Agents can exchange SPIFFE JWT-SVID + user consent for delegation token
2. MCP server validates delegation tokens and enforces scopes
3. Audit logs clearly show "User X authorized Agent Y to perform action Z"
4. Users can view and revoke active agent delegations
5. Delegation tokens have configurable expiration (default: 1 hour)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(auth): Implement OAuth 2.0 Token Exchange for agent-to-user delegation #716

Summary

Current State (Pattern 1: Implicit Delegation)

Proposed State (Pattern 2: OAuth 2.0 Token Exchange)

Benefits of Token Exchange

Implementation Tasks

Phase 1: Token Exchange Endpoint

Phase 2: Delegation Token Format

Phase 3: MCP Server Integration

Phase 4: User Consent Flow

References

Related Issues

Acceptance Criteria

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Aspect	Current (Pattern 1)	Proposed (Pattern 2)
Trust Model	Server trusts agent to pass correct user_id	Cryptographic proof of delegation
Scope	Implicit (all operations)	Explicit (specific actions/resources)
Auditability	"Agent searched as user X"	"User X authorized Agent for scope Y at time T"
Revocation	Must revoke agent entirely	Can revoke specific delegations
Least Privilege	Agent has full user context	Agent only has granted scopes

feat(auth): Implement OAuth 2.0 Token Exchange for agent-to-user delegation #716

Description

Summary

Current State (Pattern 1: Implicit Delegation)

Proposed State (Pattern 2: OAuth 2.0 Token Exchange)

Benefits of Token Exchange

Implementation Tasks

Phase 1: Token Exchange Endpoint

Phase 2: Delegation Token Format

Phase 3: MCP Server Integration

Phase 4: User Consent Flow

References

Related Issues

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions