Zero-Touch OAuth for MCP

Posted by niyikiza 21 hours ago

Zero-Touch OAuth for MCP(blog.modelcontextprotocol.io)

237 points | 95 commentspage 2

RVuRnvbM2e 20 hours ago|

I don't quite understand the advantage of this over regular oauth. I think I need an example comparison of the authz flows.

maxwellg 19 hours ago||

In regular OAuth, end users consent to share their data with applications individually. This makes sense for consumer usecases, where the end users own their data. But it doesn't make sense for many business usecases, where the business is the entity that should control data sharing and access, not the end user. As an employee at Acme, I shouldn't decide to link my Acme Google Drive data to Claude or ChatGPT, that should be the decision of my IT Department.

Enterprise-Managed OAuth, or Cross App Access (XAA), brings this IT-Admin centrally controlled sharing model into the OAuth framework so it works with the existing ecosystem.

There's also a great UX benefit from moving data sharing consent management from employees to IT Admins - it means that employees don't need to sit through a bunch of OAuth flows to link their accounts together. Their IT Admin has already set up all the sharing controls. Everything plugs in together and should Just Work from day one. Think joining a new company on the first day and your Slack is already linked to your Zoom, your Drive, your Calendar, etc...

amluto 19 hours ago||

This is bonkers.

Sure, if I’m a business, I will make a business decision to share, or not share, some resource with ChatGPT. But, if I do decide to share something with ChatGPT, I absolutely do NOT want it shared with every single ChatGPT thread, more or less how I don’t want it shared with every single tab an employee has open in a browser.

qt31415926 19 hours ago||

Isn't that what's solved by this method? Your SSO provider (e.g. Okta) is now what gates each employee's resource access for different MCP resources.

amluto 18 hours ago||

I don't think so.

The article is all about reducing friction. Suppose I start a conversation and enter some highly third-party-prompt-injectable request, perhaps "Fork github.com/some_third_party/coolproject and submit a PR to do such-and-such." That repo injects a prompt that attempts to do a tool call to steal all my money. If I indeed have a bank MCP configured, I absolutely want to be prompted!

Now I realize it's silly for the prompt to look like "Would you like to grant [OpenAI/Anthropic/whatever] access to such-and-such account with such-and-such OAuth resources?", but having some kind of explicit opt-in, per conversation, to MCP access seems really quite important. But the article all about reducing friction and avoiding prompts.

So maybe LLM providers will do a good job, but I'm not holding my breath.

hobofan 12 hours ago|||

Just to be clear, enforcing proper access control and data seperation is the job of a client (/harness), not the job of an LLM Provider (though of course the most popular clients are the first party clients for the LLM providers).

Ensuring that an LLM doesn't have free reign over calling any MCP tool at any point in time is one of the main jobs of a client (apart from the general data persistence, etc.), and one that's very dependent on the setup (e.g. many MCP servers expose public data where tool calling is mostly not that sensitive) and the acceptable risk profile.

This MCP extension also doesn't significantly change anything about tool calling control from the perspective of the client. MCP servers were previously also authenticated once per user, and not once per conversation or once per tool call.

niyikiza 16 hours ago||||

There's some active discussions on task level authz and multi-hop delegation in the OAuth WG right now. WorkOS wrote a good overview of the open drafts [1]. (Disclosure: one of them is mine.) [1] https://workos.com/blog/oauth-multi-hop-delegation-ai-agents

amluto 16 hours ago||

I skimmed that. It seems to me:

(a) A major problem where one agent can give dangerous instructions to another.

(b) A desire for an “agent” to cleanly delegate permissions to another “agent”. I am extremely unclear as to what an “agent” is in this context. Is one’s OpenAI or Anthropic account an “agent”? How is (b) related to (a)?

ISTM:

- (a)’s root cause is a complete lack of control on the portions of a repository that are interpreted by various tools in a trusted/privileged manner.

- (b) could be addressed by a capability or proxy system.

- Most services that offer OAuth or other types of API keys have absurdly coarse-grained permissions. GitHub’s OAuth cannot obviously even restrict to a particular organization, let alone a repository, and good luck blocking commits to .github. Cloudflare can’t restrict DNS operations to a particular host. A shocking number of major services have no concept of non-human accounts. The list goes on. Delegation is of dubious value in this setting.

- Why would one ever want to give a bearer token to an “agent”?

- Wouldn’t a proxy serve this purpose more flexibly and more universally?

niyikiza 16 hours ago||

I agree with the coarse permissions point, and I wouldn't bank on those services adding finer-grained scopes.

The idea in my draft is to do the attenuation and verification before the call reaches the service, enforced at the boundary, like the proxy setup you're describing. And the token wouldn't be a bearer token per se; there's proof of possession, and the constraints narrow at each hop and travel with the token, so the boundary can verify the chain itself rather than rely on a central authority. The design is inspired by macaroons and other capability-based access control work.

Full draft's here if you want to pick it apart: https://datatracker.ietf.org/doc/draft-niyikiza-oauth-attenu...

sandeepkd 16 hours ago||||

The key here is the separation of target segment for this. Enterprise identities (you being an employee) are the target for this not the consumer identity (personal account). When you are an employee then the sensitivity and security of your account can be managed by your employer.

Other way to look it is that as an employee you will not be able to connect to any MCP server anymore unless its configured in your IDP.

iugtmkbdfil834 18 hours ago|||

<< The article is all about reducing friction.

I read the initial paragraph from the page and I had similar reaction with an additional touch of:

'There is a purpose for that friction.'

megous 18 hours ago||

Advantage is user has no control/is not needed to consent about what apps they're authorizing to share their information between each other, bacause the decision to delegate access is at the IdP policy level. User many never know which apps/services were authorized to share their information. Wait, is that an advantage? ;-)

hobofan 12 hours ago|||

For organizations it's definitely an advandtage, as it also allows for preventing data flowing to personal accounts. Right now, any employee could knowingly or unknowingly exfiltrate data, by just connecting to e.g. the personal instead of the organization's JIRA account, and there is essentially no standard way to guard against that as an organization.

That's also blind spot in normal OAuth and I was surprised to find that this was never addressed in all the years that non-MCP OAuth found adoption.

sandeepkd 16 hours ago|||

For your employee account yes its an advantage, and thats the target. Your personal account will still require consents.

yammosk 14 hours ago||

As someone who has been creating agentic workarounds at my large employer and in a lot of conversations with security as a result, this does not seem to be a huge advantage from the company side. They are very much invested in users being aware of what they permit. The company does want the final say either with shutting down a compromised user or blocking one service from agents and allowing the other, but they 100% do still want employees to be actively engaged and applying their own consent.

Removing that from the employee also removes the employee from responsibility for any breach of information IMO, and companies definitely don't want that lol. What they do want is users to stop complaining about the annoying reauth every 8-12 hours for a dozen services which this does.

The kinds of wishlists I hear are more about users managing fine-grain service permissions for various agentic roles and managing which agents have access to which role, which leans the other direction. They want to allow users are to treat agents like cloud services and have a greater responsibility for applying least privilege, justify leak risks, etc. The onus to protect this data will always be an employee responsibility in the end.

sandeepkd 13 hours ago||

I am with you on the challenges with fine grain authorization needs, to me that part is real hard. In a theoretical world the IDP would know all the roles and permissions available for the different authorization servers (downstream services). However centralizing something like this would require some adoption of how permissions are managed by different resource servers, that is a different battle.

What this gives your employer is the allow list of AI agents that you can use (the ones that can use your employer's IDP to access downstream MCP servers) and filters out all the MCP servers that do not implement this protocol. Essentially the threshold to use any AI agent or any MCP server would be a lot higher.

ashu1461 8 hours ago||

Looks like something which will be only helpful for bigger companies who have centralised auth. Good step nonetheless

mooreds 7 hours ago|

Yeah, I read this and thought "makes total sense that Okta would be one of the prime movers behind this". The more I think about it, the more this is just like an app dashboard that an employee can use to access many different apps and that the enterprise can use to control and monitor access. So it makes total sense that they solved this (very real) problem.

I like one of the author's characterizations[0].

> Now employees no longer have to connect MCP servers manually and wait for a series of OAuth and login prompts. Once you log in to Claude from Okta, all the preconfigured MCP servers are already connected! It's not every day you get to improve both usability and security!

0: https://aaronparecki.com/2026/06/18/12/claude

ericchiang 19 hours ago||

Wait this is awesome. A huge issue with Enterprise OAuth2.0 is managing all the random apps. Each with their own half-baked enterprise controls for managing scopes, token expiry, and no control over device bound sessions.

So instead, you can run centralized infra to validate a user, device, what scopes their requesting and duration, and enforce policies for all your apps?

Can we get this in other OAuth 2.0 clients?

dend 18 hours ago|

The standard itself is not MCP-specific. As long as the client and the server adopt ID-JAG, they're golden.

RFC draft: https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-a...

hparadiz 19 hours ago||

Need this for CLI tools like gcloud, knife, npm, etc. Maybe an Okta based JWT.

dend 19 hours ago|

What's interesting about this standard is that it's not really MCP-specific. It can work just as nicely for any other workload - it just requires the authorization server/IdP to support it and the receiver to know how to handle the trust relationship.

lorecore 19 hours ago||

Auth has been a wild journey in MCP. It really is a valuable differentiator to things like Skills for enterprises though. Congrats to the team on the ship.

dend 19 hours ago|

We're always looking at making it a smoother experience - it's a top pain point for developers and IT admins alike. If you have feedback - feel free to send it my way!

joeyguerra 17 hours ago||

I have my chatbot command my chatbot.

rvz 19 hours ago||

This actually looks like a far better use-case for MCPs than the previous per-user per server MCP design which that was completely rushed and made no sense.

You can tell with this Anthropic consulted with experts first on the design and implementation of this rather than vibe coding the spec in isolation. Unless the user themselves is compromised and connects via the Enterprise-Managed Authorization, at least you can remotely revoke permissions / access to reduce that risk.

We'll see, but give credit where credit is due.

dend 18 hours ago|

FWIW, we never vibe-coded the spec to begin with, but yes - auth is a continuous learning process, and we're lucky to collaborate with some really talented folks both inside and outside the company (e.g., this launch we worked closely with Okta to see how we can best wire things up) to make this a smoother experience. Keep the feedback coming!

paulddraper 20 hours ago||

"Watson you have a blazing talent for observing the obvious" - Sherlock Homes

ai_fry_ur_brain 16 hours ago||

Why does my text autocomplete cli need an ability to sign into things?

ai_fry_ur_brain 13 hours ago|

Why do people downvote this.. If your mediocre ai agent needs to use something that requires authentication you should be abstracting away the authentication, provide it a cli with cmds that have authentication baked in.

implexa_founder 2 hours ago|

[dead]

More comments...