Understanding MCP Authorization, Step by Step, Part Two
In this post (part two of three), we’ll dig into the June 2025 MCP Authorization specification more closely. See Part One for setting up the MCP Server using HTTP Transport.
Creating MCP Servers to connect functionality to LLM applications / AI agents is fairly straightforward. Most of the examples you see, however, are the simple stdio-transport MCP servers. If you wish to build MC...
I’ve been writing a lot recently about Agent identity, how crucial it is in Agentic systems for not only security but monitoring, auditing and causality/attribution as well. But we cannot talk about Agent identit...
At first glance, AI agents seem very similar to microservices when it comes to security and identity. You need to secure the channel and authorize who is calling whom. Communication happens over the network throu...
I’ve been digging into Agent Identity, authentication/authorization patterns, and how it fits in with existing technology patterns (OAuth 2.0, OIDC, SPIFFE, etc.) and where it may need new solutions. Someone made ...
In earlier posts exploring AI agents and agent identity, Do We Even Need Agent Identity? and Agent Identity: Impersonation or Delegation?, I dug into the identity tradeoffs surrounding AI agents in the enterprise....
In a recent blog post, I discussed whether AI agents need their own identity. I ended with “yes, they do”, but how do we end up doing that? In this blog, we’ll look at a very important concept when it comes to ag...
As API adoption matured in enterprise organizations, a natural pattern emerged and we are seeing something similar in AI agent architectures: using layers to contain complexity. Dealing with team boundaries, busi...
In our recent engineering face-to-face, one of our engineers raised what seemed like a simple question: “Why can’t we just pass the user’s OIDC token through to the agent? Why complicate things with separate agen...
It’s a little after 5p, and I’m about to wrap up for the day. As I’m starting to shut things down, I get a message from my boss:
As organizations start to deploy AI agents in earnest, we are discovering just how easy it is to attack these kinds of systems. I went into quite some detail about how “natural language” introduces new attack vect...
The Model Context Protocol (MCP) and Agent2Agent (A2A) specifications are similar RPC-style protocols that specify interaction between Agents and Tools (MCP) and Agents and other Agents (A2A). They both focus on...
I was recently chatting with Matt McLarty and Mike Amundsen on their podcast about a recent blog I wrote about describing APIs in terms of capabilities. One thing that came up was the idea of describing APIs with...
Enterprise application architecture is once again on the verge of transformation. We’ve moved from mainframes to client-server, and recently from monoliths to microservices. Each evolution has been driven by the ...
The Model Context Protocol has created quite the buzz in the AI ecosystem at the moment, but as enterprise organizations look to adopt it, they are confronted with a hard truth: it lacks important security functi...
Continuing on with my series about microservices implementations (see “Why Microservices Should Be Event Driven”, “Three things to make your microservices more resilient”, “Carving the Java EE Monolith: Prefer Ve...
Some of this I cover in my book “Microservices for Java Developers” O’Reilly June 2016 (launching soon!), but I want to give a more specific treatment of it here. I get questions from folks about NetflixOSS (it’s...
One of the advantages of building distributed systems as microservices is the ability of the system as a whole to withstand faults and unexpected failures of components, networks, compute resources, etc. These s...
I just delivered a 4-day deep-dive training course on Docker and Kubernetes to a customer in Atlanta. In true open-source spirit, I’d like to publish the source/slides and allow other people to benefit from it an...
A lot of teams I talk to recently are very interested in “DevOps” (whatever that means… seems to mean different things to different people?) and when we sit down and talk about what that really means, the directi...