-
Notifications
You must be signed in to change notification settings - Fork 7
20250702 ‐Meeting notes: July 2, 2025
Jeff Lombardo edited this page Jul 14, 2025
·
1 revision
- Housekeeping:
- Scribing (volunteers or AI)
- Welcome & Quick Intros
- Participation Agreement
- Antitrust Statement
- Code of Conduct
- How we came to exist? The unconference part of Identiverse [Jeff]
- Enterprise Authorization Profile for MCP
- IAM need for Agentic AI - Brainstorming
- Call for feedback: OIDF Authentic AI Whitepaper
- Who shall we invite to broaden this discussion (e.g., from the AI labs)?
| Name | Affiliation | Participation Agreement signed? |
|---|---|---|
| Atul Tulshibagwale | SGNL | Yes |
| Jeff Lombardo | AWS | Yes |
| Tobin South | WorkOS & Stanford | Yes |
| Mike Lescz | OIDF | |
| Vlad Shapiro | BBH | Yes |
| Hideaki Furukawa | Nomura Research Institute, Ltd | No (observer) |
| Paul Lanzi | IDenovate | Yes |
| Pavindu Lakshan | WSO2 | Yes |
| Alex Keisner | Vouched Identity | Yes |
| Gareth Narinesingh | OIDF | |
| Hob Spillane | Workday | No (observer) |
| Cleydson Andrade | Independent | No (observer) |
| Heather Flanagan | Spherical Cow Consulting | Yes |
| Stan Bounev | Blue Label Labs | Yes |
| Nick Steele | Independant | No (in progress) |
| Alex Babeanu | IndyKite | Yes |
| Mike Kiser | SailPoint | Yes |
| Ayesha Dissanayaka | WSO2 | Yes |
| Chris Phillips | Independant | Yes |
| Filip Skokan | Okta | Yes |
| Jagdeep Bains | Okta | Yes |
| Prangon Dey Swachha | Okta | Yes |
| Thilina Senarath | WSO2 | Yes |
| Janak Amarasena | WSO2 | Yes |
| Shahar Tal | Cyata | Yes |
| Pieter Kasselman | SPIRL | Yes |
| Subramanya Nagabhushanaradhya | Independent | Yes |
| Vladi Berger | PlainID | Yes |
| Kunal sinha | Okta | Yes |
| Max Crone | Independent | No |
| Lukasz Jaromin | Raidiam | No (in progress) |
| Sean O’Dell | Disney | Yes |
| George Fletcher | Practical Identity LLC | Yes |
| Mira Sharma | Okta | Yes |
| Naveen CM | Yahoo | Yes |
| Sarah Cecchetti | BeyondIdentity | Yes |
| Sunil Soprey | Independent | Yes |
| Shirish Puranik | Independent | Yes |
Note: Manual note taking (OIDF is going to require that for the moment)
- Application of https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/
- Based on the Identity and authorization chaining draft (Pieter is co-author) - https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/
- It combines the token exchange and assertion prompt flows
- Designed for cross-domain scenarios
- It enables MCP servers to leverage the ID-token to use different services, so that users are not prompted for each service
- ID-chaining might be going for WGLC in Madrid IETF in two weeks
- (Kunal) Consent has been addressed as a part of this, so that users do not have to consent for each usage, so admins can decide who has access to which MCP functionality
- (Atul) concern that every tool declares it’s own scope, which this spec insufficiently addresses the tool by tool scope issues. How can we add robust authZ within MCP servers via JAG (JWT Assertion Grant)
- (George) Fine-grained authz does come into play for specific services. If you are taking authz grant, then does it push the fine-grained authz requirement to the AS. In an enterprise this can be configured not by user choice, but by policy. The token can have that constraint, or the API can enforce it.
- (George) This bleeds into the delegated authz problem. We might not have good tools to solve it across enterprises, but we might be able to solve it within the enterprise
- (Mike) It’s diving really deep really quickly, for people who may not have had a chance to look at the proposal. There are higher order topics, so can we cover that first.
- (Alex) Because we’re talking about FGA, we should refer to existing specs like AuthZEN (add this to the reading list)
- (Stan) Let’s look at the goals of the community group, and what deliverables we need to have.
- (Tobin) What are the goals of this CG?
- MCP is moving really fast, so it’s good to have high-speed discussions
- Agents at large are moving fast - people are deploying them, and we’re going to have them everywhere
- It’s important to think about authz/authn
- We should try to form recommendations that we can publish to the world
- (Tobin) Any comments on the scope?
- (Alex) Recommendations of what problems we are trying to solve? Provide ideas for solutions
- (Jeff) MCP is a technical spec, so it is important to provide a dictionary / taxonomy and a long-term model for using agent identity
- (Lukasz) Are we talking in the enterprise context, or in general about agentic AI. It also implies what type of identities are in play. Do topics like registration of agents are relevant.
- (Tobin) A2A is definitely in scope, but it doesn’t have as much traction. It raises more questions
- (Lukasz) Registration of MCP servers in the context of enterprise is something we can discuss. We can also think about the future, about more dynamic environments where agents can talk to each other more dynamically
- (Stan) As a CG, we can identify those problems that need in depth discussion. We can have particular focus toward where we can provide specific inputs to OIDC or KYC groups
- (Kunal) If we have any standards for impersonation or delegation in OAuth? A standard would be useful
- (George) There is work in the eKYC and IDA working group defining relationships between entities, e.g. parent delegating to child.
- How do we describe relationships,
- How do we describe what is being delegated
- What are the constraints
- (George) But it is all very high-level right now. You will see the authority part in the eKYC spec page.
- (George) We have handled the delegation problem a lot, but we don’t have guidance.
- (Sarah) How are we going to address multi-user context, if multiple users are giong to use the same flow, how do agent / AI builders handle this?
- (George)100% to what Sarah said. The “entity” in the relationship can be a group of “entities”
- (Vlad) Are we just targeting AI developers? People are also involved. We rarely translate this stuff to something that everyone can understand. I will be happy to be that translator, to have this connection from the technical world to the world of actual business needs. There appears to be a huge disconnect. We know how to look at both sides of the story
Call for feedback: OIDF Authentic AI Whitepaper
- Presented by Tobin - https://docs.google.com/document/d/1AY7dJlD6mP80y7vDfdknxJT65g9nDQ68vA8Jj9I734c/edit?usp=sharing
- Any member of the community group is welcome to add paragraphs (via comment), add relevant RFC references & pointers,
- Agents are indeed Workload but they can be autonomous, highly scalable , and quick
- Technical Solutions would be out of depth in 6 months
- We need to think about the model
- (Pieter) Who are we targeting with the white paper. 3 personas:
- Technologist
- There’s a second layer of personas, is people who are trying to motivate their organizations to adopt agentic AI.
- The persona on the business side too
- (Pieter) standards are going to be a key part of it
- (Pieter) there can be some simple things such as agent identifiers, which we can address. There are a few layers below authorization that we can get to.
- (Sean) Would it make sense to have someone who has done red-teaming on agents on this group? My experience has been horrible - it’s too easy to attack these things.
- (Sean) Getting people who think how to attack it is very important
- (general agreement in the group)
- (Pieter) If someone can share their experience in this group, it would be awesome
- (Pieter) Sometimes the agent is not the problem, it’s the existing infrastructure.
- (Sean) It’s the swampy crappy data
- (Tobin) We should get more AI people here: NIST for example, Anthropic, MCP WG, etc.
- (Atul) everyone reach out to people would might be interested in this topic
- (Subramanya) Identity for MCP is something we should think about. We don’t know what tools are being invoked, etc.
- (Vlad) Social engineering - ability of people to socially engineer AI. Agentic AI is very prone to social engineering. It would be incredibly interesting for C-level folks.
- (Sean) Is the target of this going to be a mixture of C-levels who need to know the risk/reward?
- (Jeff) Yes we can have personaes oriented deliverables with multiple layer of details
- (Sean) In the enterprise world, all execs think about is to be the early one to put on their resume that “I did it”.
- (Vlad) People want to push for fast adoption and will push past robust security tools for fast go to market.
- (Shahar) I liked what Jeff said earlier and what Pieter said. No one is waiting for this group to come up with solutions. We can focus on smaller tasks that can help move things along. The taxonomy thing is interesting to bring alignment. LLM red-teaming is interesting, but is this the right forum for that?
- (Sean) Its more about having someone in this forum to give us a different viewpoint. Having them give a “lunch and learn” about what they do would be awesome.
- (Jeff) We are a CG, so we are not here to specify documents.
- (Ayesha) from comment: MCP Authorization Primitive: https://docs.google.com/document/d/1460o7LRZPMDFxoDgdYTI4gdxjgdBMKDxnN5Ic1DGhng/edit?tab=t.0#heading=h.faegcy4ur9jj
- (Tobin) maybe we should organise a series of talks
- https://openid.net/wg/authzen/
- https://openid.net/specs/openid-federation-1_0.html
- OAuth 2.0 Extension: On-Behalf-Of User Authorization for AI Agents: Draft: https://datatracker.ietf.org/doc/draft-oauth-ai-agents-on-behalf-of-user/
- George Fletcher Serie on On-Behalf-Of (OBO) from Linkedin:
- https://www.linkedin.com/pulse/components-on-behalf-of-delegation-pattern-george-fletcher-hzhbe
- https://www.linkedin.com/pulse/delegated-authorization-use-case-george-fletcher-j07he
- https://www.linkedin.com/pulse/delegated-authentication-george-fletcher-9rqke
- https://www.linkedin.com/pulse/what-might-on-behalf-of-token-look-like-george-fletcher-d9iqe
- https://www.linkedin.com/pulse/obtaining-on-behalf-of-authorization-token-george-fletcher-704hf