I don't quite understand the advantage of this over regular oauth. I think I need an example comparison of the authz flows.
maxwellg•Jun 18, 2026
In regular OAuth, end users consent to share their data with applications individually. This makes sense for consumer usecases, where the end users own their data. But it doesn't make sense for many business usecases, where the business is the entity that should control data sharing and access, not the end user. As an employee at Acme, I shouldn't decide to link my Acme Google Drive data to Claude or ChatGPT, that should be the decision of my IT Department.
Enterprise-Managed OAuth, or Cross App Access (XAA), brings this IT-Admin centrally controlled sharing model into the OAuth framework so it works with the existing ecosystem.
There's also a great UX benefit from moving data sharing consent management from employees to IT Admins - it means that employees don't need to sit through a bunch of OAuth flows to link their accounts together. Their IT Admin has already set up all the sharing controls. Everything plugs in together and should Just Work from day one. Think joining a new company on the first day and your Slack is already linked to your Zoom, your Drive, your Calendar, etc...
amluto•Jun 18, 2026
This is bonkers.
Sure, if I’m a business, I will make a business decision to share, or not share, some resource with ChatGPT. But, if I do decide to share something with ChatGPT, I absolutely do NOT want it shared with every single ChatGPT thread, more or less how I don’t want it shared with every single tab an employee has open in a browser.
qt31415926•Jun 19, 2026
Isn't that what's solved by this method? Your SSO provider (e.g. Okta) is now what gates each employee's resource access for different MCP resources.
amluto•Jun 19, 2026
I don't think so.
The article is all about reducing friction. Suppose I start a conversation and enter some highly third-party-prompt-injectable request, perhaps "Fork github.com/some_third_party/coolproject and submit a PR to do such-and-such." That repo injects a prompt that attempts to do a tool call to steal all my money. If I indeed have a bank MCP configured, I absolutely want to be prompted!
Now I realize it's silly for the prompt to look like "Would you like to grant [OpenAI/Anthropic/whatever] access to such-and-such account with such-and-such OAuth resources?", but having some kind of explicit opt-in, per conversation, to MCP access seems really quite important. But the article all about reducing friction and avoiding prompts.
So maybe LLM providers will do a good job, but I'm not holding my breath.
iugtmkbdfil834•Jun 19, 2026
<< The article is all about reducing friction.
I read the initial paragraph from the page and I had similar reaction with an additional touch of:
'There is a purpose for that friction.'
niyikiza•Jun 19, 2026
There's some active discussions on task level authz and multi-hop delegation in the OAuth WG right now. WorkOS wrote a good overview of the open drafts [1]. (Disclosure: one of them is mine.)
[1] https://workos.com/blog/oauth-multi-hop-delegation-ai-agents
amluto•Jun 19, 2026
I skimmed that. It seems to me:
(a) A major problem where one agent can give dangerous instructions to another.
(b) A desire for an “agent” to cleanly delegate permissions to another “agent”. I am extremely unclear as to what an “agent” is in this context. Is one’s OpenAI or Anthropic account an “agent”? How is (b) related to (a)?
(c) An observation that existing OAuth + JWT can’t really do (b) and that a new spec could allow delegation.
ISTM:
- (a)’s root cause is a complete lack of control on the portions of a repository that are interpreted by various tools in a trusted/privileged manner.
- (b) could be addressed by a capability or proxy system.
- Most services that offer OAuth or other types of API keys have absurdly coarse-grained permissions. GitHub’s OAuth cannot obviously even restrict to a particular organization, let alone a repository, and good luck blocking commits to .github. Cloudflare can’t restrict DNS operations to a particular host. A shocking number of major services have no concept of non-human accounts. The list goes on. Delegation is of dubious value in this setting.
- Why would one ever want to give a bearer token to an “agent”?
- Wouldn’t a proxy serve this purpose more flexibly and more universally?
niyikiza•Jun 19, 2026
I agree with the coarse permissions point, and I wouldn't bank on those services adding finer-grained scopes.
The idea in my draft is to do the attenuation and verification before the call reaches the service, enforced at the boundary, like the proxy setup you're describing. And the token wouldn't be a bearer token per se; there's proof of possession, and the constraints narrow at each hop and travel with the token, so the boundary can verify the chain itself rather than rely on a central authority. The design is inspired by macaroons and other capability-based access control work.
The key here is the separation of target segment for this. Enterprise identities (you being an employee) are the target for this not the consumer identity (personal account). When you are an employee then the sensitivity and security of your account can be managed by your employer.
Other way to look it is that as an employee you will not be able to connect to any MCP server anymore unless its configured in your IDP.
hobofan•Jun 19, 2026
Just to be clear, enforcing proper access control and data seperation is the job of a client (/harness), not the job of an LLM Provider (though of course the most popular clients are the first party clients for the LLM providers).
Ensuring that an LLM doesn't have free reign over calling any MCP tool at any point in time is one of the main jobs of a client (apart from the general data persistence, etc.), and one that's very dependent on the setup (e.g. many MCP servers expose public data where tool calling is mostly not that sensitive) and the acceptable risk profile.
This MCP extension also doesn't significantly change anything about tool calling control from the perspective of the client. MCP servers were previously also authenticated once per user, and not once per conversation or once per tool call.
megous•Jun 19, 2026
Advantage is user has no control/is not needed to consent about what apps they're authorizing to share their information between each other, bacause the decision to delegate access is at the IdP policy level. User many never know which apps/services were authorized to share their information. Wait, is that an advantage? ;-)
sandeepkd•Jun 19, 2026
For your employee account yes its an advantage, and thats the target. Your personal account will still require consents.
yammosk•Jun 19, 2026
As someone who has been creating agentic workarounds at my large employer and in a lot of conversations with security as a result, this does not seem to be a huge advantage from the company side. They are very much invested in users being aware of what they permit. The company does want the final say either with shutting down a compromised user or blocking one service from agents and allowing the other, but they 100% do still want employees to be actively engaged and applying their own consent.
Removing that from the employee also removes the employee from responsibility for any breach of information IMO, and companies definitely don't want that lol. What they do want is users to stop complaining about the annoying reauth every 8-12 hours for a dozen services which this does.
The kinds of wishlists I hear are more about users managing fine-grain service permissions for various agentic roles and managing which agents have access to which role, which leans the other direction. They want to allow users are to treat agents like cloud services and have a greater responsibility for applying least privilege, justify leak risks, etc. The onus to protect this data will always be an employee responsibility in the end.
sandeepkd•Jun 19, 2026
I am with you on the challenges with fine grain authorization needs, to me that part is real hard. In a theoretical world the IDP would know all the roles and permissions available for the different authorization servers (downstream services). However centralizing something like this would require some adoption of how permissions are managed by different resource servers, that is a different battle.
What this gives your employer is the allow list of AI agents that you can use (the ones that can use your employer's IDP to access downstream MCP servers) and filters out all the MCP servers that do not implement this protocol. Essentially the threshold to use any AI agent or any MCP server would be a lot higher.
hobofan•Jun 19, 2026
For organizations it's definitely an advandtage, as it also allows for preventing data flowing to personal accounts. Right now, any employee could knowingly or unknowingly exfiltrate data, by just connecting to e.g. the personal instead of the organization's JIRA account, and there is essentially no standard way to guard against that as an organization.
That's also blind spot in normal OAuth and I was surprised to find that this was never addressed in all the years that non-MCP OAuth found adoption.
paulddraper•Jun 18, 2026
"Watson you have a blazing talent for observing the obvious" - Sherlock Homes
brap•Jun 18, 2026
I thought we’re over this collective delusion called MCP
isubkhankulov•Jun 18, 2026
MCP is just an API designed to be token frugal
NamlchakKhandro•Jun 18, 2026
Frugal is definitely not a word i would use in the same sentence as mcp
connor4312•Jun 19, 2026
It's as frugal as your harness makes it. It's just a bunch of tools and a description of how to use them. Most mature harnesses do some kind of tool search and/or progressive disclosure. Many harnesses have some smarts to page out overwhelming results to a file so a model can grep/jq them easily. Some harnesses expose tool schema to models so their results can be directly transformed or even chained in [code mode](https://blog.cloudflare.com/code-mode/).
mikestorrent•Jun 19, 2026
I thought we were all smarter than directly giving agents access to all of our long lived tokens
stackedinserter•Jun 19, 2026
Why is it delusion? What are better ways to make LLM talk to other services?
lorecore•Jun 18, 2026
Auth has been a wild journey in MCP. It really is a valuable differentiator to things like Skills for enterprises though. Congrats to the team on the ship.
dend•Jun 19, 2026
We're always looking at making it a smoother experience - it's a top pain point for developers and IT admins alike. If you have feedback - feel free to send it my way!
maxwellg•Jun 18, 2026
Huge congrats to the folks behind this at Okta, A\, Microsoft, Figma, Linear, etc...
For the MCP nay-sayers - don't worry there's something here for you too :)
This is powered by a new token format called an ID-JAG - https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-a... - and isn't MCP specific at all. ID-JAGs can be used for safe and secure data sharing anywhere where data is shared between applications that use the same SSO provider.
asdfsa32•Jun 19, 2026
Software and quality of life is worst because of these companies. So congrats to them indeed.
ericchiang•Jun 18, 2026
Wait this is awesome. A huge issue with Enterprise OAuth2.0 is managing all the random apps. Each with their own half-baked enterprise controls for managing scopes, token expiry, and no control over device bound sessions.
So instead, you can run centralized infra to validate a user, device, what scopes their requesting and duration, and enforce policies for all your apps?
Can we get this in other OAuth 2.0 clients?
dend•Jun 19, 2026
The standard itself is not MCP-specific. As long as the client and the server adopt ID-JAG, they're golden.
Before you get too far into the usual “MCP is dead, Skills forever” debate
The real valuable capability MCP offers over skills/CLI is isolating the auth flow outside of the agent’s context window, and potentially out of the harness completely. This is valuable from a security perspective obviously. It’s also just a much easier user experience for normies and large businesses adopting AI tools. I hear all the context bloat and tool call redundancy complaints. But this structure for handling auth has real value.
Maybe the idealized form of MCP is just an auth gateway for the API and nothing else. That’d still be a win.
brookst•Jun 19, 2026
I agree that having auth outside of context window is good.
But the real value of MCP is adding a semantic layer on top of APIs. Skills are client side and don’t know the server’s capabilities. MCP lets the server explain its API in natural language so clients who have no prior knowledge of the server, it’s API, or its domain can use it intelligently.
I used to think MCP was dumb. I’ve written to large MCP servers, one for CAD and one for music, and I am a complete convert.
Ferret7446•Jun 19, 2026
> The real valuable capability MCP offers over skills/CLI is
The real lesson is that MCP vs skills is not a binary. They are simply different tools. Each may or may not be better given different requirements.
Which is better, a knife or a saw?
fnordpiglet•Jun 19, 2026
There’s even a skills over MCP WG; and I typically deliver skills via tools in my MCPs intentionally. I find Claude and codex recall of skills via MCP tools to actually be higher than skills themselves, which I feel have an (unmeasured) less than 30% recall rate. I have to typically force skills to be loaded explicitly through / or $ depending on the flavor and skill graphs are very unreliable.
maxrev17•Jun 19, 2026
Mcp allows a fantastic audit trail also. As well as allowing segregation of responsibilities - ie authenticating 6 linear accounts across 6 clients and then deciding which one to use with deterministic audited methods
9dev•Jun 19, 2026
Aside from that, MCPs also allow connecting an external platform without a runtime environment. Every time this topic comes up, engineers act like Claude Code was the only application for AI agents, while there's tons of use cases in other verticals aside from coding. The harness is not running on a local machine, but rather an isolated and restricted container in some cloud deployment, where running arbitrary code would be a big nope. But you still want customers to be able to connect their existing tools to your agent.
MCP is the perfect answer for this - it gives an agent a connector with built-in authentication to all kinds of additional tooling. Skills just don't qualify here at all.
mooreds•Jun 19, 2026
I think that this extension points out other benefits to MCP over skills:
* centralized control
* ease of use for employees
* auditing/compliance
* deployment model
It seems the state of the art for deploying skills is "copy this file and put it in this place" or "check out this repo and add a symlink" or "run this slash command to install the skill". (I'm not aware of any solution that pushes skills out.)
These options are simple, but not as easy as this extension makes rollout of a new MCP server to an employee.
debarshri•Jun 19, 2026
All the points that you are mentioning, you can technically do with tools too. We do that at adaptive [1]. We are building privileges access stuff for agents, and it works. The usecases you are mentioning can be done with tools via our platform.
By tools, do you mean skills? Or do I misunderstand you?
Thanks for sharing your solution. I clicked around and the information on your site is sparse. The postgresql page[0] doesn't really illustrate how your system works; just says that it does.
Regardless, there's a big difference between a proprietary way to inject skills and MCP, a standardized way to control access and deploy AI compatible logic.
Apologies about the sparse information. We’re preparing for a launch. Thought this would be a great place to make the comment. It is indeed a combination of tools and skills.
Your argument is fair but yea, we are seeing adoption because tools often map to users mental model of how they want to use the agent.
mooreds•Jun 19, 2026
No worries, always appreciate the discussion. Good luck on the launch!
debarshri•Jun 19, 2026
You sound like someone who is technically well-versed with the landscape. would love to get some feedback from you.
mooreds•Jun 19, 2026
Haha, so much to learn so I wouldn't say I'm well-versed.
But let me know when you launch. My email is in my profile.
blcknight•Jun 19, 2026
There's a new standard in progress for skills over MCP
Isn’t tool drift/version also a benefit? Especially in scenarios where the use must be standardized and up to date?
c0rruptbytes•Jun 19, 2026
MCP tool search fixes the major issue imo, MCP clears skills/clis in every other way
mediaman•Jun 19, 2026
Yes, people conflated progressive disclosure as a method with skills as a particular implementation because skills became the first widely adopted use of progressive disclosure.
But progressive disclosure is just a method that you can apply to lots of things to reduce context bloat. Any time you provide some kind of limited index or search to an AI and then let it expand that based on the circumstances of the request, it's progressive disclosure.
And one of the things you can apply it to is MCPs.
lavataco•Jun 19, 2026
I’m work on a platform for restaurant reviewing with your friends, and (after a few stumbles) MCP definitely seems the way to go. Normies will not hunt down their claude directory and paste a skill file. “Connections” is something they understand, and pasting the mcp or finding it in the marketplace is easier for them.
TBD if having agent access to places and reviews is helpful, hah!
trollbridge•Jun 19, 2026
"Normies" pasting in MCP sounds like a nightmare from a security perspective.
dend•Jun 18, 2026
Hey folks - I am one of the folks at Anthropic that helped deliver this in partnership with Okta and a handful of MCP partners. We're very excited about this taking shape in Claude (in addition to the MCP spec, of course, where EMA is now a stable extension) and are looking to expand adoption to other identity providers and clients as well.
If you have any feedback, feel free to drop it in here! Always happy to hear about folks' experience and how we can make it better.
mikestorrent•Jun 19, 2026
Fantastic news. Is there any communication between you folks and the Microsoft Entra (Azure AD) team? Would love to know if we can expect this soon or if will take a while.
dend•Jun 19, 2026
We are in touch with the Microsoft Entra ID folks to see how we can better integrate EMA in their stack!
9dev•Jun 19, 2026
While you're at it, bug them a bit to finally add support for MCP servers in Copilot. I'm on an Odyssey to find a way for our customers to use our MCP within their Copilot environment…
mikestorrent•Jun 19, 2026
Fantastic, appreciated.
brianjking•Jun 19, 2026
Great work, thank you for doing this. Just so I understand, this isn't yet available yet, right? Still in SEP stage?
dend•Jun 19, 2026
It is available! The feature is available in Claude, with Okta being the first IdP to support it (hopefully more coming soon) and with a bunch of MCP partners launching with us today.
The underlying extension has been in the MCP protocol for some time and is now officially stable.
daniban•Jun 19, 2026
Anthropic is the only one with human readable tool names from the JUNE 2025 spec! So you guys are doing a great job and this is another example.
I'm just curious internally how you are seeing MCP adoption? It seems more and more connectors are created but are you seeing real adoption from users?
dend•Jun 19, 2026
You don't actually need to ask me for that - a lot of the data is very public, and we've been on a roll announcing MCP partnerships, and developer adoption keeps going up. There is always room to make the protocol better, but it certainly has a healthy foundation.
SkyPuncher•Jun 19, 2026
This is great for normal "apps". We have a really deep need for a lower touch way for our users to interact with us agentically without setting up MCP. It'd be really great to have some sort of temporary session or out-of-band token storage available.
Here's our use case: During the sales cycle, the buyer and seller need to exchange a bunch of information then analyze it (which is increasingly agentic). The problem with MCP is the initial setup friction is far greater than users login in themselves and grabbing the information they need. MCPs are great for regular, frequent interactions - but create a lot of problems for these quick one-off sessions.
We'd really love a way to do something like this:
* In Claude: "Grab documents from X, Y, Z"
* Claude hits that website, it returns (1) basic usage information (2) a login link that the user can open in their browser
* User auths in their browser (annoying, but mindless)
* That callback returns a unique, short-lived, one-time token that gets exchanged on all future requests to the site.
Now, we can quickly auth users AND maintain a session state as they do things.
mooreds•Jun 19, 2026
> The problem with MCP is the initial setup friction is far greater than users login in themselves and grabbing the information they need.
Can you tell me more about this? With just-in-time client registration (DCR or CIMD) it seems like the MCP registration would be pretty simple.
Is it the configuration of the MCP client to know about the MCP server that is the issue?
Does the website need to be able to advertise "here's the corresponding MCP server" so that the "claude hits website" step becomes "claude hits website, discovers MCP server"?
SkyPuncher•Jun 19, 2026
Yes, it’s the friction of setting up the MCP server in the first place. Especially, in environments where that is not straightforward or easy to do. When our users are looking for information, they don’t want to figure out how to setup the MCP.
I don’t think this is about advertising an MCP at all. All of this can be accomplished with plain old HTTP requests. I want to be able to tell users “tell your LLM do go to https://example.com/only-bots”.
There’s absolutely no need for an MCP, because the website will tell the LLM everything it needs to know, including other actions and endpoints available.
mooreds•Jun 19, 2026
Have you seen WebMCP[0]? Had a customer ask about this recently.
It seems like it might be something of what you are looking for, since it leverages HTML to tell agents about website functionality.
One issue I see with WebMCP is that agents basically free-ride on user identity and authentication, which is problematic in some scenarios.
Seems like the main use case is employees of companies. Is there an analogous use case/value for non-centralized users like customers or freemium users?
I'm struggling to think of one, but wonder what I'm missing.
Long time no see! It's been a while since I've looked at MCP, but I think this does a really good job at making MCP more secure for organizations and addressing some of the weaknesses of dynamic client registration. Now that clients and approved redirect URIs can be setup directly by the IdP and organization, a lot of the attacks that were possible with DCR (confused deputy, phishing attacks, etc.) can be mitigated more broadly. It also makes it so servers don't have to implement as much authorization logic as they did before if the IdP or organization didn't support DCR, which is a pretty big advantage (especially if they combine MCP auth with existing API auth).
One major downside is consumer usage seems to still need DCR with this. I think this could potentially be addressed by existing consumer OAuth providers (Sign in with GitHub, GitLab, Google, etc.) adding support for registering static MCP clients/servers, clients shipping their static client IDs inside them, clients allowing users to sign in with GitHub/GitLab/whatever IdP, and letting the user self-manage connections on the IdP's site.
Overall, XAA/EMA seems vastly superior to DCR from a security perspective (and also usability too, since users don't have to configure as much!). The concerns I have are also much easier to address and have way less security impact than with DCR, since attackers don't get to register their own clients anymore and there are less pitfalls for MCP server developers.
hparadiz•Jun 19, 2026
Need this for CLI tools like gcloud, knife, npm, etc. Maybe an Okta based JWT.
dend•Jun 19, 2026
What's interesting about this standard is that it's not really MCP-specific. It can work just as nicely for any other workload - it just requires the authorization server/IdP to support it and the receiver to know how to handle the trust relationship.
flashgordon•Jun 19, 2026
This is fantastic. Ive been so fortunate to work with the mcp folks last few months on a couple of the SEPs (and my own experimental sdk in go). I used to be a naysayer. "Its just apis" I used to say. "Sheesh the invented another abstraction" I used to say.
What folks dont realize is it is the "P" in MCP that throws people off. When you build a traditional app you have to build forms, ui, req/response handling, bidirectional channels, long running tasks, auth and so on.
With mcp 80% of this common layer is taken care for you. So mcp is really an "app framework" than a protocol (well there is that too).
Unified auth is a huuuge boost. Can't wait to see more cool things!
russell_h•Jun 19, 2026
MCP auth has been a huge pain point for us at C1 - both for our own internal MCP use and in our in-product MCP Gateway - so very glad to see this landing.
We launched support today for C1 to act as an EMA identity provider (we mint the short-lived scoped tokens), so I'm excited to hook this up for Linear and some of the other MCPs we use, and get out of the business of constant OAuth flows. Claude has been doing this magically for some of their built-in connectors (at least Slack I think) and the experience is pretty great.
Love more adoption of EMA and, of course, better infra for MCP developers. Thanks for such a quick turnaround on this feature work!
rvz•Jun 19, 2026
This actually looks like a far better use-case for MCPs than the previous per-user per server MCP design which that was completely rushed and made no sense.
You can tell with this Anthropic consulted with experts first on the design and implementation of this rather than vibe coding the spec in isolation. Unless the user themselves is compromised and connects via the Enterprise-Managed Authorization, at least you can remotely revoke permissions / access to reduce that risk.
We'll see, but give credit where credit is due.
dend•Jun 19, 2026
FWIW, we never vibe-coded the spec to begin with, but yes - auth is a continuous learning process, and we're lucky to collaborate with some really talented folks both inside and outside the company (e.g., this launch we worked closely with Okta to see how we can best wire things up) to make this a smoother experience. Keep the feedback coming!
joeyguerra•Jun 19, 2026
I have my chatbot command my chatbot.
zackify•Jun 19, 2026
If only they would support the web and let you just issue a long running cookie....
I hacked the spec to pass through a cookie via the oauth handshake to do this without needing an oauth server.
Its really dumb they don't want to allow this.
If no cookie, open webpage.
If cookie set, close and persist.
I literally wrote an 80 page mini book on MCP yet it frustrates me to no end.
dend•Jun 19, 2026
Hey - one of the lead maintainers of the MCP project here. There are a lot of scenarios where this simply won't scale (both from a usability and security standpoint). Cookies were made for the browser. MCP servers and clients often operate in environments where that is not a guarantee.
SkyPuncher•Jun 19, 2026
I've been working on an MCP for creating semi-deterministic flows in Claude code (essentially skills, but broken down into pieces). In order to track execution and state, I have the LLM pass the MCP a unique "execution id" with every call. This lets me programmatically step it through skills and know exactly where execution progress is.
I've been considering a similar approach for the web. Essentially, do a short-lived, one-time use token exchange for every single call back and forth.
* LLM: "I'd like to interact with your site"
* Site: "Great, here's first token. I will exchange it for a new one on the next call. Do not share with with another site. You can authenticate in your browser with this link: [example.com]"
* Then you can go back and forth.
It'd be rather annoying to auth in the browser every time, but it would enable a low-touch flow.
Long term, it'd be ideal to have some sort of out-of-band credential store/tool available, but this would start proving the concept out. Don't use it for highly sensitive stuff, but it would enable a lot of agentic flows that are currently blocked by high-lift MCP setup.
freakynit•Jun 19, 2026
Agree.
Many times what the server returns is dictated by what kind of client software a user is using. Cookies are obviously used by browser based clients, with full browser capabilities. MCP doesn't have those capabilities. How will the server know what to return?
I have separated handling for token based calls vs cookie based in my non-mcp projects.. because it suffers from the same issue.
Most of the endpoints, assuming the client talks to server using api's, work fine with cookies, some, do not.
Ferret7446•Jun 19, 2026
You're just asking for your credentials to get stolen. Long lived creds are a huge liability.
krooj•Jun 19, 2026
Oh wow - seeing my own work in the wild is ... wild. I implemented the RAS end of this for Atlassian. There will certainly be iterations around this flow - CIMD, better tenancy support, etc., but all the folks involved in delivering this at Anthropic, Okta, and here at Atlassian were fantastic.
dend•Jun 19, 2026
Was great collaborating with you and your team on this!
krooj•Jun 19, 2026
Same!
ai_fry_ur_brain•Jun 19, 2026
Why does my text autocomplete cli need an ability to sign into things?
ai_fry_ur_brain•Jun 19, 2026
Why do people downvote this.. If your mediocre ai agent needs to use something that requires authentication you should be abstracting away the authentication, provide it a cli with cmds that have authentication baked in.
sandeepkd•Jun 19, 2026
Read it multiple times, its definitely useful, centralizes the audit and access in one place (with IDP). The IDP can very well act as a proxy API gateway taking care of token exchange when required instead of putting the onus on Client. Thats another approach which has been adopted by some other players in this domain.
On a personal level, what I felt bit uncomfortable with is this idea of access being delegated on my behalf by IDP to client without making me aware about it. May be I am too used to the concept of user presence in the flows that happens on browser. This it evolving more towards centralizing the access for the machines.
Given in the enterprise environment the identity really belongs to the company instead of individual, its probably acceptable.
How its gets incorporated in customer identity is altogether a different challenge. Its probably not possible to have this kind of trust between IDP, client and the resource authorization server.
dend•Jun 19, 2026
There's theoretically nothing really stopping this integration from working in the consumer space - you just need to establish a trust relationship (e.g., if I am logged in with GitHub, also log me in to Sentry automatically). There is more work ahead here, but as you said - the most obvious _current_ use-case is enterprises, where admins do not want individual employees clicking around picking random credentials they have.
sandeepkd•Jun 19, 2026
At the end of the day its wiring the flows to serve a purpose and can be wired in multiple ways. Some combination of client, IDP and resource server can come together to form a band and may provide this for consumer identity.
Reasons why this is a bad idea for consumer identity -
1. In Enterprise, the IDP is the single owner for the identity, so it essentially can do represent the user uniquely and sort of pretty much do anything it wishes for (includes deleting the identity)
2. In enterprise the IDP is the single authentication factor used by the downstream resource server (application), in other words the application just trusts the assertion
3. For consumer identity, the resource server owns the identity/user explicitly. Github may be one of the authentication factors that the user can use, but it may not be the only one.
4. For consumer identity, Github cannot delete the user account in downstream application.
Regardless, this protocol is going to create friction in adoption of new AI agents and MCP servers, to sell to enterprise they have to implement this and integrate with existing IDP's and resource servers. Using any new MCP server would require full evaluation lifecycle from security perspective. Its a good thing but its going to hurt the new players pretty bad in terms of adoption and discovery.
programmancer•Jun 19, 2026
I am currently trying to use Microsoft Entra ID auth for an MCP server I'm implementing, and I genuinely feel like I must be an idiot.
- I can use the `WWW-Authenticate` header to indicate a resource metadata URL for the client.
- I can use this to indicate an authorization server (Microsoft Entra) and a scope (for the app registration that handle which app roles each user is given to differentiate different capabilities for different users).
- I can NOT indicate a client_id, because that's just something that each client (agent) makes up on its own?
- To initiate a login on the .../authorize URL in Microsoft Entra, you need to pass a known client_id that matches an app registration in Microsoft Entra. Whatever the client makes up will surely not match anything in Microsoft Entra.
- I COULD in theory support dynamic client registration, but of course Microsoft Entra doesn't.
Is it even possible to make this work out of the box? The only way forward I can see is implementing my own dynamic client registration shim in front of Microsoft Entra that just returns the same static client_id to everyone, which matches an actual client_id in Microsoft Entra.
But surely this protocol actually works today for real Enterprises without workarounds? It feels like I must be missing something obvious.
hobofan•Jun 19, 2026
I don't think you are missing anything obvious. Entra ID doesn't support DCR, and the state of the ecosystem here is suboptimal.
The typical way to do MCP OAuth is with traditional up-front registered clients. However, in practice a lot of MCP clients work with an assumption that DCR works, and as you point out don't offer an option to specify a client ID.
However, some clients do support that (ad: our tool Erato does[0]), and the typical solutions deployed in enterprises do, where MCP access is usually centralized via a web UI like ours. One alternative that also exists is are MCP gateways, which do pre-registred oauth between the gateway and service, and allow for DCR between the gateway and clients.
We had the same issue with the client_id and for security reason we weren't willing to enable DCR.
What we ended up doing, was the app proxying the OAuth flow, to inject a hardcoded client_id. So we lie to the MCP client telling it we support DCR while behind the hood we use a standalone client_id as usual for the MCP.
Yeah, I recently documented how to use pre-registered clients with FusionAuth[0] (my employer). DCR's newer, better sibling CIMD is on our radar and under active discussion[1], but not currently available.
An alternative to the proxy you suggest is to generate a new Entra client id (with PKCE enabled) for every MCP client in a developer portal or similar, then have the user configure their client with that client id. Here's the CLI command I found to do this[2], but I bet there's an API too. Here are config instructions for Claude Code[3] and ChatGPT[4].
Client pre-registration is acceptable, but not optimal, for developers, and is a first class citizen in the spec[5]. If your main audience is internal and you can expect them to follow configuration instructions to get access to the MCP server, this approach can work.
But it's definitely not acceptable for widespread, public integrations if your audience is not developers. That is where a lot of the power and opportunity for MCP lies.
Then I build an authbroker application using openid to handle client registration and build the jwt. End result is something that can determine tool availability and permission using an employees department, or other criteria.
So yeah the dynamic client registration is needed.
ashu1461•Jun 19, 2026
Looks like something which will be only helpful for bigger companies who have centralised auth. Good step nonetheless
mooreds•Jun 19, 2026
Yeah, I read this and thought "makes total sense that Okta would be one of the prime movers behind this". The more I think about it, the more this is just like an app dashboard that an employee can use to access many different apps and that the enterprise can use to control and monitor access. So it makes total sense that they solved this (very real) problem.
I like one of the author's characterizations[0].
> Now employees no longer have to connect MCP servers manually and wait for a series of OAuth and login prompts. Once you log in to Claude from Okta, all the preconfigured MCP servers are already connected! It's not every day you get to improve both usability and security!
20 Comments
Enterprise-Managed OAuth, or Cross App Access (XAA), brings this IT-Admin centrally controlled sharing model into the OAuth framework so it works with the existing ecosystem.
There's also a great UX benefit from moving data sharing consent management from employees to IT Admins - it means that employees don't need to sit through a bunch of OAuth flows to link their accounts together. Their IT Admin has already set up all the sharing controls. Everything plugs in together and should Just Work from day one. Think joining a new company on the first day and your Slack is already linked to your Zoom, your Drive, your Calendar, etc...
Sure, if I’m a business, I will make a business decision to share, or not share, some resource with ChatGPT. But, if I do decide to share something with ChatGPT, I absolutely do NOT want it shared with every single ChatGPT thread, more or less how I don’t want it shared with every single tab an employee has open in a browser.
The article is all about reducing friction. Suppose I start a conversation and enter some highly third-party-prompt-injectable request, perhaps "Fork github.com/some_third_party/coolproject and submit a PR to do such-and-such." That repo injects a prompt that attempts to do a tool call to steal all my money. If I indeed have a bank MCP configured, I absolutely want to be prompted!
Now I realize it's silly for the prompt to look like "Would you like to grant [OpenAI/Anthropic/whatever] access to such-and-such account with such-and-such OAuth resources?", but having some kind of explicit opt-in, per conversation, to MCP access seems really quite important. But the article all about reducing friction and avoiding prompts.
So maybe LLM providers will do a good job, but I'm not holding my breath.
I read the initial paragraph from the page and I had similar reaction with an additional touch of:
'There is a purpose for that friction.'
(a) A major problem where one agent can give dangerous instructions to another.
(b) A desire for an “agent” to cleanly delegate permissions to another “agent”. I am extremely unclear as to what an “agent” is in this context. Is one’s OpenAI or Anthropic account an “agent”? How is (b) related to (a)?
(c) An observation that existing OAuth + JWT can’t really do (b) and that a new spec could allow delegation.
ISTM:
- (a)’s root cause is a complete lack of control on the portions of a repository that are interpreted by various tools in a trusted/privileged manner.
- (b) could be addressed by a capability or proxy system.
- Most services that offer OAuth or other types of API keys have absurdly coarse-grained permissions. GitHub’s OAuth cannot obviously even restrict to a particular organization, let alone a repository, and good luck blocking commits to .github. Cloudflare can’t restrict DNS operations to a particular host. A shocking number of major services have no concept of non-human accounts. The list goes on. Delegation is of dubious value in this setting.
- Why would one ever want to give a bearer token to an “agent”?
- Wouldn’t a proxy serve this purpose more flexibly and more universally?
The idea in my draft is to do the attenuation and verification before the call reaches the service, enforced at the boundary, like the proxy setup you're describing. And the token wouldn't be a bearer token per se; there's proof of possession, and the constraints narrow at each hop and travel with the token, so the boundary can verify the chain itself rather than rely on a central authority. The design is inspired by macaroons and other capability-based access control work.
Full draft's here if you want to pick it apart: https://datatracker.ietf.org/doc/draft-niyikiza-oauth-attenu...
Other way to look it is that as an employee you will not be able to connect to any MCP server anymore unless its configured in your IDP.
Ensuring that an LLM doesn't have free reign over calling any MCP tool at any point in time is one of the main jobs of a client (apart from the general data persistence, etc.), and one that's very dependent on the setup (e.g. many MCP servers expose public data where tool calling is mostly not that sensitive) and the acceptable risk profile.
This MCP extension also doesn't significantly change anything about tool calling control from the perspective of the client. MCP servers were previously also authenticated once per user, and not once per conversation or once per tool call.
Removing that from the employee also removes the employee from responsibility for any breach of information IMO, and companies definitely don't want that lol. What they do want is users to stop complaining about the annoying reauth every 8-12 hours for a dozen services which this does.
The kinds of wishlists I hear are more about users managing fine-grain service permissions for various agentic roles and managing which agents have access to which role, which leans the other direction. They want to allow users are to treat agents like cloud services and have a greater responsibility for applying least privilege, justify leak risks, etc. The onus to protect this data will always be an employee responsibility in the end.
What this gives your employer is the allow list of AI agents that you can use (the ones that can use your employer's IDP to access downstream MCP servers) and filters out all the MCP servers that do not implement this protocol. Essentially the threshold to use any AI agent or any MCP server would be a lot higher.
That's also blind spot in normal OAuth and I was surprised to find that this was never addressed in all the years that non-MCP OAuth found adoption.
For the MCP nay-sayers - don't worry there's something here for you too :)
This is powered by a new token format called an ID-JAG - https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-a... - and isn't MCP specific at all. ID-JAGs can be used for safe and secure data sharing anywhere where data is shared between applications that use the same SSO provider.
So instead, you can run centralized infra to validate a user, device, what scopes their requesting and duration, and enforce policies for all your apps?
Can we get this in other OAuth 2.0 clients?
RFC draft: https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-a...
The real valuable capability MCP offers over skills/CLI is isolating the auth flow outside of the agent’s context window, and potentially out of the harness completely. This is valuable from a security perspective obviously. It’s also just a much easier user experience for normies and large businesses adopting AI tools. I hear all the context bloat and tool call redundancy complaints. But this structure for handling auth has real value.
Maybe the idealized form of MCP is just an auth gateway for the API and nothing else. That’d still be a win.
But the real value of MCP is adding a semantic layer on top of APIs. Skills are client side and don’t know the server’s capabilities. MCP lets the server explain its API in natural language so clients who have no prior knowledge of the server, it’s API, or its domain can use it intelligently.
I used to think MCP was dumb. I’ve written to large MCP servers, one for CAD and one for music, and I am a complete convert.
The real lesson is that MCP vs skills is not a binary. They are simply different tools. Each may or may not be better given different requirements.
Which is better, a knife or a saw?
MCP is the perfect answer for this - it gives an agent a connector with built-in authentication to all kinds of additional tooling. Skills just don't qualify here at all.
These options are simple, but not as easy as this extension makes rollout of a new MCP server to an employee.
[1] https://adaptive.live
By tools, do you mean skills? Or do I misunderstand you?
Thanks for sharing your solution. I clicked around and the information on your site is sparse. The postgresql page[0] doesn't really illustrate how your system works; just says that it does.
Regardless, there's a big difference between a proprietary way to inject skills and MCP, a standardized way to control access and deploy AI compatible logic.
0: https://adaptive.live/integrations/postgresql
Your argument is fair but yea, we are seeing adoption because tools often map to users mental model of how they want to use the agent.
But let me know when you launch. My email is in my profile.
https://modelcontextprotocol.io/community/working-groups/ski...
But progressive disclosure is just a method that you can apply to lots of things to reduce context bloat. Any time you provide some kind of limited index or search to an AI and then let it expand that based on the circumstances of the request, it's progressive disclosure.
And one of the things you can apply it to is MCPs.
TBD if having agent access to places and reviews is helpful, hah!
If you have any feedback, feel free to drop it in here! Always happy to hear about folks' experience and how we can make it better.
The underlying extension has been in the MCP protocol for some time and is now officially stable.
I'm just curious internally how you are seeing MCP adoption? It seems more and more connectors are created but are you seeing real adoption from users?
Here's our use case: During the sales cycle, the buyer and seller need to exchange a bunch of information then analyze it (which is increasingly agentic). The problem with MCP is the initial setup friction is far greater than users login in themselves and grabbing the information they need. MCPs are great for regular, frequent interactions - but create a lot of problems for these quick one-off sessions.
We'd really love a way to do something like this:
* In Claude: "Grab documents from X, Y, Z"
* Claude hits that website, it returns (1) basic usage information (2) a login link that the user can open in their browser
* User auths in their browser (annoying, but mindless)
* That callback returns a unique, short-lived, one-time token that gets exchanged on all future requests to the site.
Now, we can quickly auth users AND maintain a session state as they do things.
Can you tell me more about this? With just-in-time client registration (DCR or CIMD) it seems like the MCP registration would be pretty simple.
Is it the configuration of the MCP client to know about the MCP server that is the issue?
Does the website need to be able to advertise "here's the corresponding MCP server" so that the "claude hits website" step becomes "claude hits website, discovers MCP server"?
I don’t think this is about advertising an MCP at all. All of this can be accomplished with plain old HTTP requests. I want to be able to tell users “tell your LLM do go to https://example.com/only-bots”.
There’s absolutely no need for an MCP, because the website will tell the LLM everything it needs to know, including other actions and endpoints available.
It seems like it might be something of what you are looking for, since it leverages HTML to tell agents about website functionality.
One issue I see with WebMCP is that agents basically free-ride on user identity and authentication, which is problematic in some scenarios.
0: https://developer.chrome.com/docs/ai/webmcp
Seems like the main use case is employees of companies. Is there an analogous use case/value for non-centralized users like customers or freemium users?
I'm struggling to think of one, but wonder what I'm missing.
Edit: I see you addressed this here: https://news.ycombinator.com/item?id=48594381
One major downside is consumer usage seems to still need DCR with this. I think this could potentially be addressed by existing consumer OAuth providers (Sign in with GitHub, GitLab, Google, etc.) adding support for registering static MCP clients/servers, clients shipping their static client IDs inside them, clients allowing users to sign in with GitHub/GitLab/whatever IdP, and letting the user self-manage connections on the IdP's site.
Overall, XAA/EMA seems vastly superior to DCR from a security perspective (and also usability too, since users don't have to configure as much!). The concerns I have are also much easier to address and have way less security impact than with DCR, since attackers don't get to register their own clients anymore and there are less pitfalls for MCP server developers.
What folks dont realize is it is the "P" in MCP that throws people off. When you build a traditional app you have to build forms, ui, req/response handling, bidirectional channels, long running tasks, auth and so on.
With mcp 80% of this common layer is taken care for you. So mcp is really an "app framework" than a protocol (well there is that too).
Unified auth is a huuuge boost. Can't wait to see more cool things!
We launched support today for C1 to act as an EMA identity provider (we mint the short-lived scoped tokens), so I'm excited to hook this up for Linear and some of the other MCPs we use, and get out of the business of constant OAuth flows. Claude has been doing this magically for some of their built-in connectors (at least Slack I think) and the experience is pretty great.
Disclosure: VPE at C1. We wrote up how we’re approaching it here if anyone’s in the weeds on this: https://www.c1.ai/docs/product/admin/enterprise-managed-auth...
You can tell with this Anthropic consulted with experts first on the design and implementation of this rather than vibe coding the spec in isolation. Unless the user themselves is compromised and connects via the Enterprise-Managed Authorization, at least you can remotely revoke permissions / access to reduce that risk.
We'll see, but give credit where credit is due.
I hacked the spec to pass through a cookie via the oauth handshake to do this without needing an oauth server.
Its really dumb they don't want to allow this.
If no cookie, open webpage.
If cookie set, close and persist.
I literally wrote an 80 page mini book on MCP yet it frustrates me to no end.
I've been considering a similar approach for the web. Essentially, do a short-lived, one-time use token exchange for every single call back and forth.
* LLM: "I'd like to interact with your site"
* Site: "Great, here's first token. I will exchange it for a new one on the next call. Do not share with with another site. You can authenticate in your browser with this link: [example.com]"
* Then you can go back and forth.
It'd be rather annoying to auth in the browser every time, but it would enable a low-touch flow.
Long term, it'd be ideal to have some sort of out-of-band credential store/tool available, but this would start proving the concept out. Don't use it for highly sensitive stuff, but it would enable a lot of agentic flows that are currently blocked by high-lift MCP setup.
Many times what the server returns is dictated by what kind of client software a user is using. Cookies are obviously used by browser based clients, with full browser capabilities. MCP doesn't have those capabilities. How will the server know what to return?
I have separated handling for token based calls vs cookie based in my non-mcp projects.. because it suffers from the same issue.
Most of the endpoints, assuming the client talks to server using api's, work fine with cookies, some, do not.
On a personal level, what I felt bit uncomfortable with is this idea of access being delegated on my behalf by IDP to client without making me aware about it. May be I am too used to the concept of user presence in the flows that happens on browser. This it evolving more towards centralizing the access for the machines.
Given in the enterprise environment the identity really belongs to the company instead of individual, its probably acceptable.
How its gets incorporated in customer identity is altogether a different challenge. Its probably not possible to have this kind of trust between IDP, client and the resource authorization server.
Reasons why this is a bad idea for consumer identity -
1. In Enterprise, the IDP is the single owner for the identity, so it essentially can do represent the user uniquely and sort of pretty much do anything it wishes for (includes deleting the identity)
2. In enterprise the IDP is the single authentication factor used by the downstream resource server (application), in other words the application just trusts the assertion
3. For consumer identity, the resource server owns the identity/user explicitly. Github may be one of the authentication factors that the user can use, but it may not be the only one.
4. For consumer identity, Github cannot delete the user account in downstream application.
Regardless, this protocol is going to create friction in adoption of new AI agents and MCP servers, to sell to enterprise they have to implement this and integrate with existing IDP's and resource servers. Using any new MCP server would require full evaluation lifecycle from security perspective. Its a good thing but its going to hurt the new players pretty bad in terms of adoption and discovery.
- I can use the `WWW-Authenticate` header to indicate a resource metadata URL for the client.
- I can use this to indicate an authorization server (Microsoft Entra) and a scope (for the app registration that handle which app roles each user is given to differentiate different capabilities for different users).
- I can NOT indicate a client_id, because that's just something that each client (agent) makes up on its own?
- To initiate a login on the .../authorize URL in Microsoft Entra, you need to pass a known client_id that matches an app registration in Microsoft Entra. Whatever the client makes up will surely not match anything in Microsoft Entra.
- I COULD in theory support dynamic client registration, but of course Microsoft Entra doesn't.
Is it even possible to make this work out of the box? The only way forward I can see is implementing my own dynamic client registration shim in front of Microsoft Entra that just returns the same static client_id to everyone, which matches an actual client_id in Microsoft Entra.
But surely this protocol actually works today for real Enterprises without workarounds? It feels like I must be missing something obvious.
The typical way to do MCP OAuth is with traditional up-front registered clients. However, in practice a lot of MCP clients work with an assumption that DCR works, and as you point out don't offer an option to specify a client ID.
However, some clients do support that (ad: our tool Erato does[0]), and the typical solutions deployed in enterprises do, where MCP access is usually centralized via a web UI like ours. One alternative that also exists is are MCP gateways, which do pre-registred oauth between the gateway and service, and allow for DCR between the gateway and clients.
[0]: https://erato.chat/docs
What we ended up doing, was the app proxying the OAuth flow, to inject a hardcoded client_id. So we lie to the MCP client telling it we support DCR while behind the hood we use a standalone client_id as usual for the MCP.
If you want to take example at it https://gist.github.com/erebe/a5de36d42214721b2466fb0e66f61c...
I wrote about it: https://den.dev/blog/mcp-confused-deputy-api-management/
An alternative to the proxy you suggest is to generate a new Entra client id (with PKCE enabled) for every MCP client in a developer portal or similar, then have the user configure their client with that client id. Here's the CLI command I found to do this[2], but I bet there's an API too. Here are config instructions for Claude Code[3] and ChatGPT[4].
Client pre-registration is acceptable, but not optimal, for developers, and is a first class citizen in the spec[5]. If your main audience is internal and you can expect them to follow configuration instructions to get access to the MCP server, this approach can work.
But it's definitely not acceptable for widespread, public integrations if your audience is not developers. That is where a lot of the power and opportunity for MCP lies.
0: https://fusionauth.io/docs/extend/examples/controlling-acces...
1: https://github.com/FusionAuth/fusionauth-issues/issues/3230
2: https://learn.microsoft.com/en-us/cli/azure/ad/app?view=azur...
3: https://code.claude.com/docs/en/mcp
4: https://developers.openai.com/api/docs/guides/developer-mode
5: https://modelcontextprotocol.io/specification/2025-11-25/bas...
Then I build an authbroker application using openid to handle client registration and build the jwt. End result is something that can determine tool availability and permission using an employees department, or other criteria.
So yeah the dynamic client registration is needed.
I like one of the author's characterizations[0].
> Now employees no longer have to connect MCP servers manually and wait for a series of OAuth and login prompts. Once you log in to Claude from Okta, all the preconfigured MCP servers are already connected! It's not every day you get to improve both usability and security!
0: https://aaronparecki.com/2026/06/18/12/claude
> look inside
> there's a touch