Introduction to OAuth and Agent Security 00:18
- The talk focuses on securing AI agents using OAuth, an increasingly important need as agents become more interconnected.
- Jared Hanson introduces himself as co-founder of Keycard and creator of Passport.js, with prior experience at Auth0 and Okta.
The Challenge of Agent Security Today 01:02
- Current practice gives agents broad access (via long-lived, broadly-scoped API keys) or restricts capabilities, leading to a trade-off between security and functionality.
- Scaling this model to many agents leads to significant security risks.
- The solution is shifting from static secrets to dynamic access using OAuth.
OAuth Fundamentals and Its Real-World Usage 01:48
- OAuth allows applications (clients) to request access to APIs (resource servers), mediated by an authorization server.
- Real-world example: services like Calendly connect to Google Calendar using OAuth flows involving user consent and the exchange of secure tokens.
- Refresh tokens enable short-lived access tokens while maintaining ongoing connections.
- OAuth authorization code flows handle scenarios with user delegation through browser interfaces.
- Although OAuth is often used for authentication ("Sign in with Google"), it's fundamentally an authorization protocol; OpenID Connect builds an identity layer on top of OAuth for standardized user information exchange.
OAuth Roles and Benefits 05:12
- OAuth's three roles are client, resource server, and authorization server.
- The authorization server issues tokens that the client presents to the resource server.
- This design minimizes the responsibilities of resource servers, centralizes policy, and simplifies ecosystem building.
Applying OAuth to MCP and AI Agents 06:14
- Moving from OAuth in standard apps to its application in MCP (Model Context Protocol) for AI agents.
- Initial MCP protocol versions lacked authorization; the first attempts at integrating OAuth were flawed by collapsing roles improperly (combining authorization and resource server).
- Security experts flocked to criticize this, triggering discussions and pull requests to revise the spec to restore proper separation of OAuth roles.
- The latest MCP draft now models OAuth roles correctly, making implementation easier and more robust for developers.
Future Directions for Secure Agents 10:39
- To truly secure AI agent interactions, further advancements are needed beyond basic OAuth setups.
- Agent-to-agent Communication:
  - OAuth client credentials flows are necessary for agents acting independently (without user delegation).
- Agent Identity:
  - Dynamic client registration allows agents to acquire credentials at runtime, avoiding manual pre-registration, but poses trust and anonymity issues.
  - For public clients, push client registration simplifies the process without persistent state, supporting lightweight agent integrations.
  - For authenticated clients, using URLs and PKI allows for existing identifiers and cryptographic authentication.
- Agent Attestation:
  - Monitoring which LLMs or software environments agents communicate with is crucial, particularly on devices where the environment can't be controlled.
  - Remote attestation and supply chain verification are emerging areas to address this.
- Transactional Authorization:
  - Traditional OAuth "scopes" are coarse-grained; richer controls for transactional or fine-grained authorization are needed for sensitive tasks like financial operations.
  - The "Rich Authorization Requests" specification is highlighted as promising for dynamic, context-aware permissions.
- Chain of Custody:
  - Security must extend beyond agent-to-MCP to all downstream API calls, including cross-domain workflows.
  - OAuth token exchange and identity assertion grants enable secure chaining and propagation of authorization across services.
- Async Interaction & Real-Time Security:
  - Agents may require permissions when users are away or flows are asynchronous; real-time prompts via SMS or push notifications are needed.
  - Security for voice, video, and background agent interactions (beyond traditional browser flows) is a developing frontier.
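The two points above about proper role separation (the MCP server only validates tokens the authorization server issued) and about Rich Authorization Requests replacing coarse scopes, as an added example that is not from the talk or from Keycard: a minimal HS256 access token minted on the authorization-server side, validated on the resource-server side with algorithm, signature, audience and expiry checks, and then a per-transaction check against `authorization_details`. The shared key, the `https://mcp.example/calendar` audience, and the simplified `payment_initiation` shape are all assumptions made for this demo.

```python
import base64, hashlib, hmac, json
# Constructed demo key; a real AS would use an asymmetric key published via JWKS.
AS_KEY = b"constructed-demo-secret"
MCP_SERVER = "https://mcp.example/calendar"  # this resource server's identity (assumed)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes = AS_KEY) -> str:
    """Authorization-server side: sign an access token (HS256, typ at+jwt)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_token(token: str, audience: str, now: int, key: bytes = AS_KEY):
    """Resource-server side: the MCP server validates, never issues. None on failure."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":  # pin the alg
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except (ValueError, AttributeError):  # malformed base64, JSON, or header
        return None
    # aud binds the token to this server: a token minted for a downstream API
    # (chain of custody) or for another MCP server is rejected here.
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims

def authorize_payment(claims: dict, creditor: str, amount: int) -> bool:
    """Check one transaction against RFC 9396 authorization_details rather than
    a coarse scope. The payment_initiation shape here is simplified (assumed)."""
    for detail in claims.get("authorization_details", []):
        if (detail.get("type") == "payment_initiation"
                and creditor in detail.get("creditors", [])
                and amount <= detail.get("max_amount", 0)):
            return True
    return False

# Constructed sample: an agent token good for one creditor, up to 100 units.
AGENT_CLAIMS = {"iss": "https://as.example", "sub": "agent-42", "aud": MCP_SERVER,
                "exp": 1_800_000_000, "authorization_details": [{"type":
                "payment_initiation", "creditors": ["ACME Ltd"], "max_amount": 100}]}
```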
Closing and Call to Action 18:08
- Building secure, standards-compliant identity and access solutions for agents is vital for a safe AI future.
- Keycard is working on these problems and is seeking collaborators and hires interested in agent security.
- For those interested, Keycard's website is keycard.ai, and the team is available for discussion at the conference.