Enterprise-Managed Authorization
AuthOS exposes an OAuth form endpoint for MCP and Cross-App Access style enterprise-managed authorization.
This capability is Beta. Public end-to-end, conformance, and abuse-case evidence is incomplete; the endpoint names and discovery metadata should not be read as a general OAuth/OIDC certification. See the current project status.
Current scope: AuthOS issues ID-JAGs from existing AuthOS service-scoped JWTs, records them as one-time authorization grants, and redeems those AuthOS-issued ID-JAGs into normal AuthOS bearer tokens for registered service resource URIs. Third-party enterprise IdP ID-JAG assertions are not accepted by this endpoint.
Endpoints
| Method | Path | Purpose |
|---|---|---|
POST |
/oauth/token |
Token exchange and JWT bearer grant |
POST |
/oauth2/token |
Alias for /oauth/token |
Existing device-flow clients continue to use POST /auth/token.
OIDC discovery keeps token_endpoint on /auth/token for compatibility and
publishes enterprise_token_endpoint for this flow.
Request an ID-JAG
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&requested_token_type=urn:ietf:params:oauth:token-type:id-jag
&audience=https://auth.example.com
&resource=https://api.example.com/mcp
&subject_token=AUTHOS_SERVICE_JWT
&subject_token_type=urn:ietf:params:oauth:token-type:access_token
&client_id=SERVICE_CLIENT_ID
Response:
{
"issued_token_type": "urn:ietf:params:oauth:token-type:id-jag",
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6Im9hdXRoLWlkLWphZytqd3Qi...",
"token_type": "N_A",
"expires_in": 300
}
Requested scope values are accepted only when the subject token already
contains those scopes. A normal AuthOS service login token should omit scope
for coarse resource access.
Exchange the ID-JAG
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&assertion=ID_JAG
&client_id=SERVICE_CLIENT_ID
&client_secret=SERVICE_CLIENT_SECRET
Response:
{
"access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6...",
"token_type": "Bearer",
"expires_in": 86400
}
The ID-JAG assertion is single-use. The bearer token uses the requested resource
URI as aud, includes scope when one was granted, and is stored in the AuthOS
session table for revocation. No refresh token is returned from the JWT bearer
exchange.
Discovery
/.well-known/openid-configuration advertises:
enterprise_token_endpointurn:ietf:params:oauth:grant-type:token-exchangeurn:ietf:params:oauth:grant-type:jwt-bearerurn:ietf:params:oauth:grant-profile:id-jagurn:ietf:params:oauth:token-type:id-jag