Who did what, as whom, when.
OASP treats identity and audit as part of the protocol, not a layer bolted on top. Scopes at every level, an IdP-agnostic Principal contract, on-behalf-of with scope-pinned containment — and an audit trail that is a conformance requirement.
Every conformant Server MUST emit AuditEvents. Audit is not optional.
Five scope dimensions. N at every level.
A Principal is placed by five independent dimensions — and can hold many values in each. Access composes across them; nothing is a single flat tenant id.
The model is a shape, not a schema for your IdP — you map your existing groups, roles, and tenancy onto it.
IdP-agnostic. OIDC-mappable.
The Principal claims contract says what a Principal must assert — not where it came from. A subject, its scopes, and a claims bag you populate from your identity provider.
OIDC is the common case and maps cleanly, but nothing in OASP is bound to it. Bring SAML, an internal directory, or a machine-identity system — the contract is the same.
Agents act for people — inside a boundary.
When an agent acts on a user’s behalf, it carries a Credential pinned to a scope it cannot exceed. Delegation is explicit, bounded, and auditable.
→
The audit trail is part of the protocol.
In most systems, audit is a feature someone remembers to add. In OASP it is a conformance requirement: a conformant Server MUST emit an AuditEvent for every consequential action.
The result: “what did the agent do, as whom, when” is answerable by any implementation that passes the kit — a property a regulated-sector evaluator can rely on before choosing a vendor.