XYZ is a proposed delegation protocol in the spirit of OAuth 2, but designed with the decade of experience that we have now with OAuth 2 and its extensions. The XYZ protocol is not intended to be directly compatible with OAuth 2, much in the same way that OAuth 2 was not directly compatible with OAuth 1. However, the concepts and many of the goals should feel familiar to developers used to these existing protocols and their extensions. Concepts from OAuth 2, OIDC, PKCE, UMA, CIBA, OBUK, FAPI, and a host of other extensions and profiles were analyzed and adapted in the design of XYZ, but with a mind toward taking the best aspects of all of them and applying them in a consistent way.
XYZ has several core features that drive its design principles, and these are key to providing a consistent data model:
And most importantly, XYZ seeks to build out a protocol that doesn't have the same assumptions as OAuth 2 by carefully examining and questioning all aspects of OAuth 2 and its extensions. Nothing is considered sacred, even as we build in a world already full of OAuth 2. This lets us question the utility of protocol elements like the client_id and figure out if and how they fit into the new world.
The XYZ protocol is one of the inputs to the newly-formed Grant Negotiation Authorization Protocol (GNAP) working group in the IETF. This is a new working group, and discussion is happening now on the working group's mailing list. The XYZ protocol has been submitted as an individual draft, but the GNAP protocol will take its own shape once the working group is officially chartered.
GNAP will one day be a formal standard, and as that standardization process takes place, XYZ will transition to being an implementation of that standard.
This website is the most comprehensive and complete collection of information about the XYZ project, and it tends to get updated before other artifacts do.
In addition to the website, I've been fortunate to present XYZ and its concepts at a few different places so far.
I've also written a number of articles on the topic of XYZ and the choices behind the protocol design.
Several others in the wider OAuth community have also provided some great discussions on XYZ and the concepts driving this new work.
Protocol proposals without implementations are merely thought experiments, and XYZ has always sought to ground all of its ideas in trial implementations. To date there are several code bases that can be downloaded, examined, and tried out. These have changed as the protocol has changed, and will continue to do so as GNAP takes shape. As such, things might be quirky or in a somewhat unfinished, experimental state at any time.