Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

MCP authorization without repeated OAuth prompts: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9924
Topic starter  

TL;DR: Identity Assertion JWT Authorization Grant, or ID-JAG, removes repeated per-app OAuth approvals by letting an identity provider vouch for an already authenticated user across MCP-connected tools, according to Hush Security. That solves connection friction, but it does not govern what an AI agent does after access is granted, so action-level controls still matter.

NHIMG editorial — based on content published by Hush Security: identity assertion grants and MCP authorization for Claude

Questions worth separating out

Q: How should security teams govern AI agent access without repeated OAuth approvals?

A: Use a delegated authorization pattern that lets the identity provider vouch for an already authenticated user, but keep the downstream service responsible for enforcing scope and policy.

Q: Why do MCP-connected agents create new IAM governance pressure?

A: Because one task can traverse multiple apps in a single session, each expecting proof that the caller is legitimate and bounded.

Q: What breaks when delegated access is treated as full agent trust?

A: Teams lose the ability to distinguish between permission to reach a service and permission to execute a sensitive action inside it.

Practitioner guidance

  • Separate delegated access from action approval Map which app interactions can use an IdP-issued delegation grant and which require per-action review, especially for data export, admin changes, and irreversible workflow steps.
  • Constrain agent privileges to app-specific scopes Limit each delegated token to the smallest app-scoped permission set possible, then verify that the receiving application enforces its own policy before exchanging the assertion for access.
  • Preserve identity provenance in audit logs Ensure logs retain the original authenticated user, the asserting identity provider, the target application, and the delegated scope so reviewers can reconstruct who authorised what path.

What's in the full article

Hush Security's full article covers the operational detail this post intentionally leaves for the source:

  • The exact ID-JAG claim set and token exchange sequence used to broker delegated access between the identity provider and the target app
  • The specific trust boundary conditions for enterprise SSO estates that make the flow viable across MCP-connected tools
  • The protocol-building blocks, including JWT bearer and token exchange, that explain why the mechanism is interoperable
  • The concrete examples of how the grant behaves when an agent needs access to multiple apps in one task

👉 Read Hush Security's analysis of ID-JAG and MCP authorization for AI agents →

MCP authorization without repeated OAuth prompts: what changes now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9408
 

ID-JAG solves consent friction, not delegated-action governance. The protocol makes enterprise SSO usable across multiple app calls in a single task, but it stops at grant issuance. That leaves a governance boundary many teams blur in practice: approval to connect is not approval for everything the agent may later do. Practitioners should treat the distinction as structural, not semantic.

A few things that frame the scale:

  • 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and a further 47% reporting only partial visibility, according to The State of Non-Human Identity Security.

A question worth separating out:

Q: Who should own policy when an AI agent acts across multiple tools?

A: The identity provider should own the initial assertion of user context, while each application should own its own authorization decision and the organization should own the policy for sensitive actions. This distributed model only works if audit trails preserve the delegation chain end to end. Accountability has to follow the request across systems.

👉 Read our full editorial: Identity assertion grants are changing MCP authorization for AI agents



   
ReplyQuote
Share: