From f08fa6634829766b1723e22d93193b87baad706f Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Thu, 2 Feb 2023 11:47:54 +0000
Subject: [PATCH] feat: Added authz support  for ics20 (backport #3079) (#3101)

---
 docs/ibc/proto-docs.md                        |  54 ++
 modules/apps/transfer/types/authz.pb.go       | 695 ++++++++++++++++++
 modules/apps/transfer/types/codec.go          |   6 +
 modules/apps/transfer/types/errors.go         |   1 +
 .../transfer/types/transfer_authorization.go  | 127 ++++
 .../types/transfer_authorization_test.go      | 282 +++++++
 .../types/{ack_test.go => types_test.go}      |  11 +
 .../ibc/applications/transfer/v1/authz.proto  |  31 +
 8 files changed, 1207 insertions(+)
 create mode 100644 modules/apps/transfer/types/authz.pb.go
 create mode 100644 modules/apps/transfer/types/transfer_authorization.go
 create mode 100644 modules/apps/transfer/types/transfer_authorization_test.go
 rename modules/apps/transfer/types/{ack_test.go => types_test.go} (59%)
 create mode 100644 proto/ibc/applications/transfer/v1/authz.proto

diff --git a/docs/ibc/proto-docs.md b/docs/ibc/proto-docs.md
index 91154efa20b..5ec2d594cf0 100644
--- a/docs/ibc/proto-docs.md
+++ b/docs/ibc/proto-docs.md
@@ -154,6 +154,10 @@
   
     - [Msg](#ibc.applications.transfer.v1.Msg)
   
+- [ibc/applications/transfer/v2/authz.proto](#ibc/applications/transfer/v2/authz.proto)
+    - [PortChannelAmount](#ibc.applications.transfer.v2.PortChannelAmount)
+    - [TransferAuthorization](#ibc.applications.transfer.v2.TransferAuthorization)
+  
 - [ibc/applications/transfer/v2/packet.proto](#ibc/applications/transfer/v2/packet.proto)
     - [FungibleTokenPacketData](#ibc.applications.transfer.v2.FungibleTokenPacketData)
   
@@ -2296,6 +2300,56 @@ Msg defines the ibc/transfer Msg service.
 
 
 
+<a name="ibc/applications/transfer/v2/authz.proto"></a>
+<p align="right"><a href="#top">Top</a></p>
+
+## ibc/applications/transfer/v2/authz.proto
+
+
+
+<a name="ibc.applications.transfer.v2.PortChannelAmount"></a>
+
+### PortChannelAmount
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| `source_port` | [string](#string) |  | the port on which the packet will be sent |
+| `source_channel` | [string](#string) |  | the channel by which the packet will be sent |
+| `spend_limit` | [cosmos.base.v1beta1.Coin](#cosmos.base.v1beta1.Coin) | repeated | spend limitation on the channel |
+| `allowed_addresses` | [string](#string) | repeated |  |
+
+
+
+
+
+
+<a name="ibc.applications.transfer.v2.TransferAuthorization"></a>
+
+### TransferAuthorization
+TransferAuthorization allows the grantee to spend up to spend_limit coins from
+the granter's account for ibc transfer on a specific channel
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| `allocations` | [PortChannelAmount](#ibc.applications.transfer.v2.PortChannelAmount) | repeated | port and channel amounts |
+
+
+
+
+
+ <!-- end messages -->
+
+ <!-- end enums -->
+
+ <!-- end HasExtensions -->
+
+ <!-- end services -->
+
+
+
 <a name="ibc/applications/transfer/v2/packet.proto"></a>
 <p align="right"><a href="#top">Top</a></p>
 
diff --git a/modules/apps/transfer/types/authz.pb.go b/modules/apps/transfer/types/authz.pb.go
new file mode 100644
index 00000000000..95f24eca332
--- /dev/null
+++ b/modules/apps/transfer/types/authz.pb.go
@@ -0,0 +1,695 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: ibc/applications/transfer/v1/authz.proto
+
+package types
+
+import (
+	fmt "fmt"
+	_ "github.com/cosmos/cosmos-proto"
+	github_com_cosmos_cosmos_sdk_types "github.com/cosmos/cosmos-sdk/types"
+	types "github.com/cosmos/cosmos-sdk/types"
+	_ "github.com/cosmos/gogoproto/gogoproto"
+	proto "github.com/cosmos/gogoproto/proto"
+	io "io"
+	math "math"
+	math_bits "math/bits"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+
+// Allocation defines the spend limit for a particular port and channel
+type Allocation struct {
+	// the port on which the packet will be sent
+	SourcePort string `protobuf:"bytes,1,opt,name=source_port,json=sourcePort,proto3" json:"source_port,omitempty" yaml:"source_port"`
+	// the channel by which the packet will be sent
+	SourceChannel string `protobuf:"bytes,2,opt,name=source_channel,json=sourceChannel,proto3" json:"source_channel,omitempty" yaml:"source_channel"`
+	// spend limitation on the channel
+	SpendLimit github_com_cosmos_cosmos_sdk_types.Coins `protobuf:"bytes,3,rep,name=spend_limit,json=spendLimit,proto3,castrepeated=github.com/cosmos/cosmos-sdk/types.Coins" json:"spend_limit"`
+	// allow list of receivers, an empty allow list permits any receiver address
+	AllowList []string `protobuf:"bytes,4,rep,name=allow_list,json=allowList,proto3" json:"allow_list,omitempty"`
+}
+
+func (m *Allocation) Reset()         { *m = Allocation{} }
+func (m *Allocation) String() string { return proto.CompactTextString(m) }
+func (*Allocation) ProtoMessage()    {}
+func (*Allocation) Descriptor() ([]byte, []int) {
+	return fileDescriptor_b1a28b55d17325aa, []int{0}
+}
+func (m *Allocation) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *Allocation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_Allocation.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalToSizedBuffer(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (m *Allocation) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_Allocation.Merge(m, src)
+}
+func (m *Allocation) XXX_Size() int {
+	return m.Size()
+}
+func (m *Allocation) XXX_DiscardUnknown() {
+	xxx_messageInfo_Allocation.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_Allocation proto.InternalMessageInfo
+
+func (m *Allocation) GetSourcePort() string {
+	if m != nil {
+		return m.SourcePort
+	}
+	return ""
+}
+
+func (m *Allocation) GetSourceChannel() string {
+	if m != nil {
+		return m.SourceChannel
+	}
+	return ""
+}
+
+func (m *Allocation) GetSpendLimit() github_com_cosmos_cosmos_sdk_types.Coins {
+	if m != nil {
+		return m.SpendLimit
+	}
+	return nil
+}
+
+func (m *Allocation) GetAllowList() []string {
+	if m != nil {
+		return m.AllowList
+	}
+	return nil
+}
+
+// TransferAuthorization allows the grantee to spend up to spend_limit coins from
+// the granter's account for ibc transfer on a specific channel
+type TransferAuthorization struct {
+	// port and channel amounts
+	Allocations []Allocation `protobuf:"bytes,1,rep,name=allocations,proto3" json:"allocations"`
+}
+
+func (m *TransferAuthorization) Reset()         { *m = TransferAuthorization{} }
+func (m *TransferAuthorization) String() string { return proto.CompactTextString(m) }
+func (*TransferAuthorization) ProtoMessage()    {}
+func (*TransferAuthorization) Descriptor() ([]byte, []int) {
+	return fileDescriptor_b1a28b55d17325aa, []int{1}
+}
+func (m *TransferAuthorization) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *TransferAuthorization) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_TransferAuthorization.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalToSizedBuffer(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (m *TransferAuthorization) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_TransferAuthorization.Merge(m, src)
+}
+func (m *TransferAuthorization) XXX_Size() int {
+	return m.Size()
+}
+func (m *TransferAuthorization) XXX_DiscardUnknown() {
+	xxx_messageInfo_TransferAuthorization.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_TransferAuthorization proto.InternalMessageInfo
+
+func (m *TransferAuthorization) GetAllocations() []Allocation {
+	if m != nil {
+		return m.Allocations
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*Allocation)(nil), "ibc.applications.transfer.v1.Allocation")
+	proto.RegisterType((*TransferAuthorization)(nil), "ibc.applications.transfer.v1.TransferAuthorization")
+}
+
+func init() {
+	proto.RegisterFile("ibc/applications/transfer/v1/authz.proto", fileDescriptor_b1a28b55d17325aa)
+}
+
+var fileDescriptor_b1a28b55d17325aa = []byte{
+	// 435 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x52, 0x4d, 0x6e, 0xd3, 0x40,
+	0x14, 0x8e, 0x9b, 0x0a, 0x29, 0x13, 0xc1, 0xc2, 0xa2, 0xc8, 0xa9, 0xc0, 0x89, 0xbc, 0x40, 0xde,
+	0x64, 0x86, 0xc0, 0x22, 0x52, 0x57, 0x34, 0xdd, 0x76, 0x51, 0x2c, 0x56, 0x6c, 0xa2, 0xf1, 0x64,
+	0xb0, 0x47, 0x8c, 0xfd, 0x2c, 0xcf, 0xd8, 0xa8, 0x3d, 0x05, 0x48, 0x9c, 0x82, 0x35, 0x87, 0xa8,
+	0x58, 0x75, 0xc9, 0x2a, 0xa0, 0xe4, 0x06, 0x3d, 0x01, 0xf2, 0xcc, 0x14, 0x5c, 0x21, 0xb1, 0xb2,
+	0xdf, 0xcf, 0xf7, 0xde, 0xf7, 0xbe, 0xf9, 0x50, 0x2c, 0x52, 0x46, 0x68, 0x55, 0x49, 0xc1, 0xa8,
+	0x16, 0x50, 0x2a, 0xa2, 0x6b, 0x5a, 0xaa, 0xf7, 0xbc, 0x26, 0xed, 0x82, 0xd0, 0x46, 0xe7, 0x57,
+	0xb8, 0xaa, 0x41, 0x83, 0xff, 0x54, 0xa4, 0x0c, 0xf7, 0x3b, 0xf1, 0x5d, 0x27, 0x6e, 0x17, 0xc7,
+	0x13, 0x06, 0xaa, 0x00, 0xb5, 0x36, 0xbd, 0xc4, 0x06, 0x16, 0x78, 0xfc, 0x38, 0x83, 0x0c, 0x6c,
+	0xbe, 0xfb, 0x73, 0xd9, 0xd0, 0xf6, 0x90, 0x94, 0x2a, 0x4e, 0xda, 0x45, 0xca, 0x35, 0x5d, 0x10,
+	0x06, 0xa2, 0xb4, 0xf5, 0xe8, 0xcb, 0x01, 0x42, 0xa7, 0x52, 0x82, 0x5d, 0xe6, 0x2f, 0xd1, 0x58,
+	0x41, 0x53, 0x33, 0xbe, 0xae, 0xa0, 0xd6, 0x81, 0x37, 0xf3, 0xe2, 0xd1, 0xea, 0xc9, 0xed, 0x76,
+	0xea, 0x5f, 0xd2, 0x42, 0x9e, 0x44, 0xbd, 0x62, 0x94, 0x20, 0x1b, 0x5d, 0x40, 0xad, 0xfd, 0xd7,
+	0xe8, 0x91, 0xab, 0xb1, 0x9c, 0x96, 0x25, 0x97, 0xc1, 0x81, 0xc1, 0x4e, 0x6e, 0xb7, 0xd3, 0xa3,
+	0x7b, 0x58, 0x57, 0x8f, 0x92, 0x87, 0x36, 0x71, 0x66, 0x63, 0x5f, 0xa2, 0xb1, 0xaa, 0x78, 0xb9,
+	0x59, 0x4b, 0x51, 0x08, 0x1d, 0x0c, 0x67, 0xc3, 0x78, 0xfc, 0x72, 0x82, 0xdd, 0x8d, 0x1d, 0x7f,
+	0xec, 0xf8, 0xe3, 0x33, 0x10, 0xe5, 0xea, 0xc5, 0xf5, 0x76, 0x3a, 0xf8, 0xfa, 0x73, 0x1a, 0x67,
+	0x42, 0xe7, 0x4d, 0x8a, 0x19, 0x14, 0x4e, 0x10, 0xf7, 0x99, 0xab, 0xcd, 0x07, 0xa2, 0x2f, 0x2b,
+	0xae, 0x0c, 0x40, 0x25, 0xc8, 0xcc, 0x3f, 0xef, 0xc6, 0xfb, 0xcf, 0x10, 0xa2, 0x52, 0xc2, 0xc7,
+	0xb5, 0x14, 0x4a, 0x07, 0x87, 0xb3, 0x61, 0x3c, 0x4a, 0x46, 0x26, 0x73, 0x2e, 0x94, 0x8e, 0x3e,
+	0x7b, 0xe8, 0xe8, 0xad, 0xd3, 0xfd, 0xb4, 0xd1, 0x39, 0xd4, 0xe2, 0xca, 0x2a, 0x74, 0x81, 0xc6,
+	0xf4, 0x8f, 0x5e, 0x2a, 0xf0, 0x0c, 0xcd, 0x18, 0xff, 0xef, 0xd5, 0xf0, 0x5f, 0x81, 0x57, 0x87,
+	0x1d, 0xeb, 0xa4, 0x3f, 0xe2, 0xe4, 0xf9, 0xf7, 0x6f, 0xf3, 0xc8, 0x9d, 0x69, 0x9d, 0x70, 0x77,
+	0xe7, 0xbd, 0xcd, 0xab, 0x37, 0xd7, 0xbb, 0xd0, 0xbb, 0xd9, 0x85, 0xde, 0xaf, 0x5d, 0xe8, 0x7d,
+	0xda, 0x87, 0x83, 0x9b, 0x7d, 0x38, 0xf8, 0xb1, 0x0f, 0x07, 0xef, 0x96, 0xff, 0x4a, 0x20, 0x52,
+	0x36, 0xcf, 0x80, 0xb4, 0x4b, 0x52, 0xc0, 0xa6, 0x91, 0x5c, 0x75, 0xee, 0xeb, 0xb9, 0xce, 0xe8,
+	0x92, 0x3e, 0x30, 0x26, 0x78, 0xf5, 0x3b, 0x00, 0x00, 0xff, 0xff, 0x61, 0xe8, 0x65, 0x9c, 0x9f,
+	0x02, 0x00, 0x00,
+}
+
+func (m *Allocation) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Allocation) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *Allocation) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if len(m.AllowList) > 0 {
+		for iNdEx := len(m.AllowList) - 1; iNdEx >= 0; iNdEx-- {
+			i -= len(m.AllowList[iNdEx])
+			copy(dAtA[i:], m.AllowList[iNdEx])
+			i = encodeVarintAuthz(dAtA, i, uint64(len(m.AllowList[iNdEx])))
+			i--
+			dAtA[i] = 0x22
+		}
+	}
+	if len(m.SpendLimit) > 0 {
+		for iNdEx := len(m.SpendLimit) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.SpendLimit[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintAuthz(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x1a
+		}
+	}
+	if len(m.SourceChannel) > 0 {
+		i -= len(m.SourceChannel)
+		copy(dAtA[i:], m.SourceChannel)
+		i = encodeVarintAuthz(dAtA, i, uint64(len(m.SourceChannel)))
+		i--
+		dAtA[i] = 0x12
+	}
+	if len(m.SourcePort) > 0 {
+		i -= len(m.SourcePort)
+		copy(dAtA[i:], m.SourcePort)
+		i = encodeVarintAuthz(dAtA, i, uint64(len(m.SourcePort)))
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
+func (m *TransferAuthorization) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *TransferAuthorization) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *TransferAuthorization) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if len(m.Allocations) > 0 {
+		for iNdEx := len(m.Allocations) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Allocations[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintAuthz(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0xa
+		}
+	}
+	return len(dAtA) - i, nil
+}
+
+func encodeVarintAuthz(dAtA []byte, offset int, v uint64) int {
+	offset -= sovAuthz(v)
+	base := offset
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return base
+}
+func (m *Allocation) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.SourcePort)
+	if l > 0 {
+		n += 1 + l + sovAuthz(uint64(l))
+	}
+	l = len(m.SourceChannel)
+	if l > 0 {
+		n += 1 + l + sovAuthz(uint64(l))
+	}
+	if len(m.SpendLimit) > 0 {
+		for _, e := range m.SpendLimit {
+			l = e.Size()
+			n += 1 + l + sovAuthz(uint64(l))
+		}
+	}
+	if len(m.AllowList) > 0 {
+		for _, s := range m.AllowList {
+			l = len(s)
+			n += 1 + l + sovAuthz(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *TransferAuthorization) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if len(m.Allocations) > 0 {
+		for _, e := range m.Allocations {
+			l = e.Size()
+			n += 1 + l + sovAuthz(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovAuthz(x uint64) (n int) {
+	return (math_bits.Len64(x|1) + 6) / 7
+}
+func sozAuthz(x uint64) (n int) {
+	return sovAuthz(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *Allocation) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowAuthz
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Allocation: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Allocation: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SourcePort", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuthz
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SourcePort = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SourceChannel", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuthz
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SourceChannel = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SpendLimit", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuthz
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SpendLimit = append(m.SpendLimit, types.Coin{})
+			if err := m.SpendLimit[len(m.SpendLimit)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AllowList", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuthz
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.AllowList = append(m.AllowList, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipAuthz(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *TransferAuthorization) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowAuthz
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: TransferAuthorization: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: TransferAuthorization: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Allocations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuthz
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Allocations = append(m.Allocations, Allocation{})
+			if err := m.Allocations[len(m.Allocations)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipAuthz(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthAuthz
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipAuthz(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	depth := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowAuthz
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowAuthz
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+		case 1:
+			iNdEx += 8
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowAuthz
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if length < 0 {
+				return 0, ErrInvalidLengthAuthz
+			}
+			iNdEx += length
+		case 3:
+			depth++
+		case 4:
+			if depth == 0 {
+				return 0, ErrUnexpectedEndOfGroupAuthz
+			}
+			depth--
+		case 5:
+			iNdEx += 4
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+		if iNdEx < 0 {
+			return 0, ErrInvalidLengthAuthz
+		}
+		if depth == 0 {
+			return iNdEx, nil
+		}
+	}
+	return 0, io.ErrUnexpectedEOF
+}
+
+var (
+	ErrInvalidLengthAuthz        = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowAuthz          = fmt.Errorf("proto: integer overflow")
+	ErrUnexpectedEndOfGroupAuthz = fmt.Errorf("proto: unexpected end of group")
+)
diff --git a/modules/apps/transfer/types/codec.go b/modules/apps/transfer/types/codec.go
index f1fcf135f50..92ed91ef58a 100644
--- a/modules/apps/transfer/types/codec.go
+++ b/modules/apps/transfer/types/codec.go
@@ -3,6 +3,7 @@ package types
 import (
 	"bytes"
 
+	"github.com/cosmos/cosmos-sdk/x/authz"
 	"github.com/cosmos/gogoproto/jsonpb"
 	"github.com/cosmos/gogoproto/proto"
 
@@ -23,6 +24,11 @@ func RegisterLegacyAminoCodec(cdc *codec.LegacyAmino) {
 func RegisterInterfaces(registry codectypes.InterfaceRegistry) {
 	registry.RegisterImplementations((*sdk.Msg)(nil), &MsgTransfer{})
 
+	registry.RegisterImplementations(
+		(*authz.Authorization)(nil),
+		&TransferAuthorization{},
+	)
+
 	msgservice.RegisterMsgServiceDesc(registry, &_Msg_serviceDesc)
 }
 
diff --git a/modules/apps/transfer/types/errors.go b/modules/apps/transfer/types/errors.go
index 0f0cb7c42a4..d4f85cf4fa7 100644
--- a/modules/apps/transfer/types/errors.go
+++ b/modules/apps/transfer/types/errors.go
@@ -14,4 +14,5 @@ var (
 	ErrSendDisabled            = sdkerrors.Register(ModuleName, 7, "fungible token transfers from this chain are disabled")
 	ErrReceiveDisabled         = sdkerrors.Register(ModuleName, 8, "fungible token transfers to this chain are disabled")
 	ErrMaxTransferChannels     = sdkerrors.Register(ModuleName, 9, "max transfer channels")
+	ErrInvalidAuthorization    = sdkerrors.Register(ModuleName, 10, "invalid transfer authorization")
 )
diff --git a/modules/apps/transfer/types/transfer_authorization.go b/modules/apps/transfer/types/transfer_authorization.go
new file mode 100644
index 00000000000..fed33b0a909
--- /dev/null
+++ b/modules/apps/transfer/types/transfer_authorization.go
@@ -0,0 +1,127 @@
+package types
+
+import (
+	sdk "github.com/cosmos/cosmos-sdk/types"
+	sdkerrors "github.com/cosmos/cosmos-sdk/types/errors"
+	"github.com/cosmos/cosmos-sdk/x/authz"
+
+	channeltypes "github.com/cosmos/ibc-go/v7/modules/core/04-channel/types"
+	host "github.com/cosmos/ibc-go/v7/modules/core/24-host"
+)
+
+const gasCostPerIteration = uint64(10)
+
+var _ authz.Authorization = &TransferAuthorization{}
+
+// NewTransferAuthorization creates a new TransferAuthorization object.
+func NewTransferAuthorization(allocations ...Allocation) *TransferAuthorization {
+	return &TransferAuthorization{
+		Allocations: allocations,
+	}
+}
+
+// MsgTypeURL implements Authorization.MsgTypeURL.
+func (a TransferAuthorization) MsgTypeURL() string {
+	return sdk.MsgTypeURL(&MsgTransfer{})
+}
+
+// Accept implements Authorization.Accept.
+func (a TransferAuthorization) Accept(ctx sdk.Context, msg sdk.Msg) (authz.AcceptResponse, error) {
+	msgTransfer, ok := msg.(*MsgTransfer)
+	if !ok {
+		return authz.AcceptResponse{}, sdkerrors.Wrap(sdkerrors.ErrInvalidType, "type mismatch")
+	}
+
+	for index, allocation := range a.Allocations {
+		if allocation.SourceChannel == msgTransfer.SourceChannel && allocation.SourcePort == msgTransfer.SourcePort {
+			limitLeft, isNegative := allocation.SpendLimit.SafeSub(msgTransfer.Token)
+			if isNegative {
+				return authz.AcceptResponse{}, sdkerrors.Wrapf(sdkerrors.ErrInsufficientFunds, "requested amount is more than spend limit")
+			}
+
+			if !isAllowedAddress(ctx, msgTransfer.Receiver, allocation.AllowList) {
+				return authz.AcceptResponse{}, sdkerrors.Wrapf(sdkerrors.ErrInvalidAddress, "not allowed address for transfer")
+			}
+
+			if limitLeft.IsZero() {
+				a.Allocations = append(a.Allocations[:index], a.Allocations[index+1:]...)
+				if len(a.Allocations) == 0 {
+					return authz.AcceptResponse{Accept: true, Delete: true}, nil
+				}
+				return authz.AcceptResponse{Accept: true, Delete: false, Updated: &TransferAuthorization{
+					Allocations: a.Allocations,
+				}}, nil
+			}
+			a.Allocations[index] = Allocation{
+				SourcePort:    allocation.SourcePort,
+				SourceChannel: allocation.SourceChannel,
+				SpendLimit:    limitLeft,
+				AllowList:     allocation.AllowList,
+			}
+
+			return authz.AcceptResponse{Accept: true, Delete: false, Updated: &TransferAuthorization{
+				Allocations: a.Allocations,
+			}}, nil
+		}
+	}
+	return authz.AcceptResponse{}, sdkerrors.Wrapf(sdkerrors.ErrNotFound, "requested port and channel allocation does not exist")
+}
+
+// ValidateBasic implements Authorization.ValidateBasic.
+func (a TransferAuthorization) ValidateBasic() error {
+	if len(a.Allocations) == 0 {
+		return sdkerrors.Wrap(ErrInvalidAuthorization, "allocations cannot be empty")
+	}
+
+	foundChannels := make(map[string]bool, 0)
+
+	for _, allocation := range a.Allocations {
+		if _, found := foundChannels[allocation.SourceChannel]; found {
+			return sdkerrors.Wrapf(channeltypes.ErrInvalidChannel, "duplicate source channel ID: %s", allocation.SourceChannel)
+		}
+
+		foundChannels[allocation.SourceChannel] = true
+
+		if allocation.SpendLimit == nil {
+			return sdkerrors.Wrap(sdkerrors.ErrInvalidCoins, "spend limit cannot be nil")
+		}
+
+		if err := allocation.SpendLimit.Validate(); err != nil {
+			return sdkerrors.Wrapf(sdkerrors.ErrInvalidCoins, err.Error())
+		}
+
+		if err := host.PortIdentifierValidator(allocation.SourcePort); err != nil {
+			return sdkerrors.Wrap(err, "invalid source port ID")
+		}
+
+		if err := host.ChannelIdentifierValidator(allocation.SourceChannel); err != nil {
+			return sdkerrors.Wrap(err, "invalid source channel ID")
+		}
+
+		found := make(map[string]bool, 0)
+		for i := 0; i < len(allocation.AllowList); i++ {
+			if found[allocation.AllowList[i]] {
+				return sdkerrors.Wrapf(ErrInvalidAuthorization, "duplicate entry in allow list %s")
+			}
+			found[allocation.AllowList[i]] = true
+		}
+	}
+
+	return nil
+}
+
+// isAllowedAddress returns a boolean indicating if the receiver address is valid for transfer.
+// gasCostPerIteration gas is consumed for each iteration.
+func isAllowedAddress(ctx sdk.Context, receiver string, allowedAddrs []string) bool {
+	if len(allowedAddrs) == 0 {
+		return true
+	}
+
+	for _, addr := range allowedAddrs {
+		ctx.GasMeter().ConsumeGas(gasCostPerIteration, "transfer authorization")
+		if addr == receiver {
+			return true
+		}
+	}
+	return false
+}
diff --git a/modules/apps/transfer/types/transfer_authorization_test.go b/modules/apps/transfer/types/transfer_authorization_test.go
new file mode 100644
index 00000000000..f0f7f3ab0b9
--- /dev/null
+++ b/modules/apps/transfer/types/transfer_authorization_test.go
@@ -0,0 +1,282 @@
+package types_test
+
+import (
+	sdk "github.com/cosmos/cosmos-sdk/types"
+	"github.com/cosmos/cosmos-sdk/x/authz"
+
+	"github.com/cosmos/ibc-go/v7/modules/apps/transfer/types"
+	ibctesting "github.com/cosmos/ibc-go/v7/testing"
+	"github.com/cosmos/ibc-go/v7/testing/mock"
+)
+
+func (suite *TypesTestSuite) TestTransferAuthorizationAccept() {
+	var (
+		msgTransfer   types.MsgTransfer
+		transferAuthz types.TransferAuthorization
+	)
+
+	testCases := []struct {
+		name         string
+		malleate     func()
+		assertResult func(res authz.AcceptResponse, err error)
+	}{
+		{
+			"success",
+			func() {},
+			func(res authz.AcceptResponse, err error) {
+				suite.Require().NoError(err)
+
+				suite.Require().True(res.Accept)
+				suite.Require().True(res.Delete)
+				suite.Require().Nil(res.Updated)
+			},
+		},
+		{
+			"success: with spend limit updated",
+			func() {
+				msgTransfer.Token = sdk.NewCoin(sdk.DefaultBondDenom, sdk.NewInt(50))
+			},
+			func(res authz.AcceptResponse, err error) {
+				suite.Require().NoError(err)
+
+				suite.Require().True(res.Accept)
+				suite.Require().False(res.Delete)
+
+				updatedAuthz, ok := res.Updated.(*types.TransferAuthorization)
+				suite.Require().True(ok)
+
+				isEqual := updatedAuthz.Allocations[0].SpendLimit.IsEqual(sdk.NewCoins(sdk.NewCoin(sdk.DefaultBondDenom, sdk.NewInt(50))))
+				suite.Require().True(isEqual)
+			},
+		},
+		{
+			"success: with empty allow list",
+			func() {
+				transferAuthz.Allocations[0].AllowList = []string{}
+			},
+			func(res authz.AcceptResponse, err error) {
+				suite.Require().NoError(err)
+
+				suite.Require().True(res.Accept)
+				suite.Require().True(res.Delete)
+				suite.Require().Nil(res.Updated)
+			},
+		},
+		{
+			"success: with multiple allocations",
+			func() {
+				alloc := types.Allocation{
+					SourcePort:    ibctesting.MockPort,
+					SourceChannel: "channel-9",
+					SpendLimit:    ibctesting.TestCoins,
+				}
+
+				transferAuthz.Allocations = append(transferAuthz.Allocations, alloc)
+			},
+			func(res authz.AcceptResponse, err error) {
+				suite.Require().NoError(err)
+
+				suite.Require().True(res.Accept)
+				suite.Require().False(res.Delete)
+
+				updatedAuthz, ok := res.Updated.(*types.TransferAuthorization)
+				suite.Require().True(ok)
+
+				// assert spent spendlimit is removed from the list
+				suite.Require().Len(updatedAuthz.Allocations, 1)
+			},
+		},
+		{
+			"no spend limit set for MsgTransfer port/channel",
+			func() {
+				msgTransfer.SourcePort = ibctesting.MockPort
+				msgTransfer.SourceChannel = "channel-9"
+			},
+			func(res authz.AcceptResponse, err error) {
+				suite.Require().Error(err)
+			},
+		},
+		{
+			"requested transfer amount is more than the spend limit",
+			func() {
+				msgTransfer.Token = sdk.NewCoin(sdk.DefaultBondDenom, sdk.NewInt(1000))
+			},
+			func(res authz.AcceptResponse, err error) {
+				suite.Require().Error(err)
+			},
+		},
+		{
+			"receiver address not permitted via allow list",
+			func() {
+				msgTransfer.Receiver = suite.chainB.SenderAccount.GetAddress().String()
+			},
+			func(res authz.AcceptResponse, err error) {
+				suite.Require().Error(err)
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		suite.Run(tc.name, func() {
+			suite.SetupTest()
+
+			path := NewTransferPath(suite.chainA, suite.chainB)
+			suite.coordinator.Setup(path)
+
+			transferAuthz = types.TransferAuthorization{
+				Allocations: []types.Allocation{
+					{
+						SourcePort:    path.EndpointA.ChannelConfig.PortID,
+						SourceChannel: path.EndpointA.ChannelID,
+						SpendLimit:    ibctesting.TestCoins,
+						AllowList:     []string{ibctesting.TestAccAddress},
+					},
+				},
+			}
+
+			msgTransfer = types.MsgTransfer{
+				SourcePort:    path.EndpointA.ChannelConfig.PortID,
+				SourceChannel: path.EndpointA.ChannelID,
+				Token:         ibctesting.TestCoin,
+				Sender:        suite.chainA.SenderAccount.GetAddress().String(),
+				Receiver:      ibctesting.TestAccAddress,
+				TimeoutHeight: suite.chainB.GetTimeoutHeight(),
+			}
+
+			tc.malleate()
+
+			res, err := transferAuthz.Accept(suite.chainA.GetContext(), &msgTransfer)
+			tc.assertResult(res, err)
+		})
+	}
+}
+
+func (suite *TypesTestSuite) TestTransferAuthorizationMsgTypeURL() {
+	var transferAuthz types.TransferAuthorization
+	suite.Require().Equal(sdk.MsgTypeURL(&types.MsgTransfer{}), transferAuthz.MsgTypeURL(), "invalid type url for transfer authorization")
+}
+
+func (suite *TypesTestSuite) TestTransferAuthorizationValidateBasic() {
+	var transferAuthz types.TransferAuthorization
+
+	testCases := []struct {
+		name     string
+		malleate func()
+		expPass  bool
+	}{
+		{
+			"success",
+			func() {},
+			true,
+		},
+		{
+			"success: empty allow list",
+			func() {
+				transferAuthz.Allocations[0].AllowList = []string{}
+			},
+			true,
+		},
+		{
+			"success: with multiple allocations",
+			func() {
+				allocation := types.Allocation{
+					SourcePort:    types.PortID,
+					SourceChannel: "channel-1",
+					SpendLimit:    sdk.NewCoins(sdk.NewCoin(sdk.DefaultBondDenom, sdk.NewInt(100))),
+					AllowList:     []string{},
+				}
+
+				transferAuthz.Allocations = append(transferAuthz.Allocations, allocation)
+			},
+			true,
+		},
+		{
+			"empty allocations",
+			func() {
+				transferAuthz = types.TransferAuthorization{Allocations: []types.Allocation{}}
+			},
+			false,
+		},
+		{
+			"nil allocations",
+			func() {
+				transferAuthz = types.TransferAuthorization{}
+			},
+			false,
+		},
+		{
+			"nil spend limit coins",
+			func() {
+				transferAuthz.Allocations[0].SpendLimit = nil
+			},
+			false,
+		},
+		{
+			"invalid spend limit coins",
+			func() {
+				transferAuthz.Allocations[0].SpendLimit = sdk.Coins{sdk.Coin{Denom: ""}}
+			},
+			false,
+		},
+		{
+			"duplicate entry in allow list",
+			func() {
+				transferAuthz.Allocations[0].AllowList = []string{ibctesting.TestAccAddress, ibctesting.TestAccAddress}
+			},
+			false,
+		},
+		{
+			"invalid port identifier",
+			func() {
+				transferAuthz.Allocations[0].SourcePort = ""
+			},
+			false,
+		},
+		{
+			"invalid channel identifier",
+			func() {
+				transferAuthz.Allocations[0].SourceChannel = ""
+			},
+			false,
+		},
+		{
+			name: "duplicate channel ID",
+			malleate: func() {
+				allocation := types.Allocation{
+					SourcePort:    mock.PortID,
+					SourceChannel: transferAuthz.Allocations[0].SourceChannel,
+					SpendLimit:    sdk.NewCoins(sdk.NewCoin(sdk.DefaultBondDenom, sdk.NewInt(100))),
+					AllowList:     []string{ibctesting.TestAccAddress},
+				}
+
+				transferAuthz.Allocations = append(transferAuthz.Allocations, allocation)
+			},
+			expPass: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		suite.Run(tc.name, func() {
+			transferAuthz = types.TransferAuthorization{
+				Allocations: []types.Allocation{
+					{
+						SourcePort:    mock.PortID,
+						SourceChannel: ibctesting.FirstChannelID,
+						SpendLimit:    sdk.NewCoins(sdk.NewCoin(sdk.DefaultBondDenom, sdk.NewInt(100))),
+						AllowList:     []string{ibctesting.TestAccAddress},
+					},
+				},
+			}
+
+			tc.malleate()
+
+			err := transferAuthz.ValidateBasic()
+
+			if tc.expPass {
+				suite.Require().NoError(err)
+			} else {
+				suite.Require().Error(err)
+			}
+		})
+	}
+}
diff --git a/modules/apps/transfer/types/ack_test.go b/modules/apps/transfer/types/types_test.go
similarity index 59%
rename from modules/apps/transfer/types/ack_test.go
rename to modules/apps/transfer/types/types_test.go
index 1516f334e7e..86069b1a887 100644
--- a/modules/apps/transfer/types/ack_test.go
+++ b/modules/apps/transfer/types/types_test.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/stretchr/testify/suite"
 
+	"github.com/cosmos/ibc-go/v7/modules/apps/transfer/types"
 	ibctesting "github.com/cosmos/ibc-go/v7/testing"
 )
 
@@ -24,6 +25,16 @@ func (suite *TypesTestSuite) SetupTest() {
 	suite.chainB = suite.coordinator.GetChain(ibctesting.GetChainID(2))
 }
 
+func NewTransferPath(chainA, chainB *ibctesting.TestChain) *ibctesting.Path {
+	path := ibctesting.NewPath(chainA, chainB)
+	path.EndpointA.ChannelConfig.PortID = types.PortID
+	path.EndpointB.ChannelConfig.PortID = types.PortID
+	path.EndpointA.ChannelConfig.Version = types.Version
+	path.EndpointB.ChannelConfig.Version = types.Version
+
+	return path
+}
+
 func TestTypesTestSuite(t *testing.T) {
 	suite.Run(t, new(TypesTestSuite))
 }
diff --git a/proto/ibc/applications/transfer/v1/authz.proto b/proto/ibc/applications/transfer/v1/authz.proto
new file mode 100644
index 00000000000..8b27ac9cf7d
--- /dev/null
+++ b/proto/ibc/applications/transfer/v1/authz.proto
@@ -0,0 +1,31 @@
+syntax = "proto3";
+
+package ibc.applications.transfer.v1;
+
+option go_package = "github.com/cosmos/ibc-go/v7/modules/apps/transfer/types";
+
+import "cosmos_proto/cosmos.proto";
+import "gogoproto/gogo.proto";
+import "cosmos/base/v1beta1/coin.proto";
+
+// Allocation defines the spend limit for a particular port and channel
+message Allocation {
+  // the port on which the packet will be sent
+  string source_port = 1 [(gogoproto.moretags) = "yaml:\"source_port\""];
+  // the channel by which the packet will be sent
+  string source_channel = 2 [(gogoproto.moretags) = "yaml:\"source_channel\""];
+  // spend limitation on the channel
+  repeated cosmos.base.v1beta1.Coin spend_limit = 3
+      [(gogoproto.nullable) = false, (gogoproto.castrepeated) = "github.com/cosmos/cosmos-sdk/types.Coins"];
+  // allow list of receivers, an empty allow list permits any receiver address
+  repeated string allow_list = 4;
+}
+
+// TransferAuthorization allows the grantee to spend up to spend_limit coins from
+// the granter's account for ibc transfer on a specific channel
+message TransferAuthorization {
+  option (cosmos_proto.implements_interface) = "cosmos.authz.v1beta1.Authorization";
+
+  // port and channel amounts
+  repeated Allocation allocations = 1 [(gogoproto.nullable) = false];
+}