[Openid-aiim] Call notes
Atul Tulshibagwale
atul at sgnl.ai
Thu Jul 3 17:53:29 UTC 2025
Hi all,
Thanks everyone for your enthusiastic participation in today's call. The
call notes are copied below, and they are also stored here:
<https://docs.google.com/document/d/129FypOR8PzSj9Ki9Nx3aE1TyqXNdgI5BZr_e71i_dOw/edit?usp=sharing>
Atul
--
Atul Tulshibagwale
CTO
<https://www.linkedin.com/in/tulshi/> <atul at sgnl.ai>
---
Agenda
- Housekeeping:
  - [x] Scribing (volunteers or AI)
  - [x] Welcome & Quick Intros
  - [x] Participation Agreement
  - [x] Antitrust Statement
  - [x] Code of Conduct
- [x] How we came to exist? The unconference part of Identiverse [Jeff]
- [ ] Enterprise Authorization Profile for MCP
  <https://github.com/modelcontextprotocol/modelcontextprotocol/pull/646>
- [ ] IAM need for Agentic AI - Brainstorming
  <https://docs.google.com/document/d/1PhWC4KRO00kOPUW113ldG06Vii5dZjW3ljiV1tA0GCc/edit?tab=t.0>
- [ ] Call for feedback: OIDF Authentic AI Whitepaper
  <https://docs.google.com/document/d/1AY7dJlD6mP80y7vDfdknxJT65g9nDQ68vA8Jj9I734c/edit?usp=sharing>
- [ ] Who shall we invite to broaden this discussion (e.g., from the AI labs)?
Attendees (Name | Affiliation | Participation Agreement signed?)
Atul Tulshibagwale | SGNL | Yes
Jeff Lombardo | AWS | Yes
Tobin South | WorkOS & Stanford | Yes
Mike Lescz | OIDF |
Vlad Shapiro | BBH | Yes
Hideaki Furukawa | Nomura Research Institute, Ltd | No (observer)
Paul Lanzi | IDenovate | Yes
Pavindu Lakshan | WSO2 | Yes
Alex Keisner | Vouched Identity | Yes
Gareth Narinesingh | OIDF |
Hob Spillane | Workday | No (observer)
Cleydson Andrade | Independent | No (observer)
Heather Flanagan | Spherical Cow Consulting | Yes
Stan Bounev | Independent | Yes
Nick Steele | Independent | No (in progress)
Alex Babeanu | IndyKite | Yes
Mike Kiser | SailPoint | Yes
Ayesha Dissanayaka | WSO2 | Yes
Chris Phillips | Independent | Yes
Filip Skokan | Okta | Yes
Jagdeep Bains | Okta | Yes
Prangon Dey Swachha | Okta | Yes
Thilina Senarath | WSO2 | Yes
Janak Amarasena | WSO2 | Yes
Shahar Tal | Cyata | Yes
Pieter Kasselman | SPIRL | Yes
Subramanya Nagabhushanaradhya | Independent | Yes
Vladi Berger | PlainID | Yes
Kunal Sinha | Okta | Yes
Max Crone | Independent | No
Lukasz Jaromin | Raidiam | No (in progress)
Sean O’Dell | Disney | Yes
George Fletcher | Practical Identity LLC | Yes
Mira Sharma | Okta | Yes
Naveen CM | Yahoo | Yes
Sarah Cecchetti | BeyondIdentity | Yes
Sunil Soprey | Independent | Yes
Shirish Puranik | Independent | Yes
Notes
- Manual note taking (OIDF is going to require that)
- Introduction
- How we came to exist? The unconference part of Identiverse [Jeff]
- Enterprise Authorization Profile for MCP
  <https://github.com/modelcontextprotocol/modelcontextprotocol/pull/646>
  - Application of
    https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/
  - Based on the Identity and Authorization Chaining draft (Pieter is
    co-author):
    https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/
  - It combines the token exchange and assertion prompt flows
  - Designed for cross-domain scenarios
  - It enables MCP servers to leverage the ID token to use different
    services, so that users are not prompted for each service
  - ID-chaining might be going for WGLC at the Madrid IETF in two weeks
  - (Kunal) Consent has been addressed as a part of this, so that users
    do not have to consent for each usage; admins can decide who has access
    to which MCP functionality
  - (Atul) Concern that every tool declares its own scope; this spec
    insufficiently addresses the tool-by-tool scope issues. How can we add
    robust authZ within MCP servers via JAG (JWT Assertion Grant)?
  - (George) Fine-grained authz does come into play for specific
    services. If you are taking the authz grant, then does it push the
    fine-grained authz requirement to the AS? In an enterprise this can be
    configured not by user choice, but by policy. The token can have that
    constraint, or the API can enforce it.
  - (George) This bleeds into the delegated authz problem. We might not
    have good tools to solve it across enterprises, but we might be able to
    solve it within the enterprise.
  - (Mike) It’s diving really deep really quickly, for people who may not
    have had a chance to look at the proposal. There are higher-order topics,
    so can we cover those first?
  - (Alex) Because we’re talking about FGA, we should refer to existing
    specs like AuthZEN (add this to the reading list)
  - (Stan) Let’s look at the goals of the community group, and what
    deliverables we need to have.
  - (Tobin) What are the goals of this CG?
    - MCP is moving really fast, so it’s good to have high-speed discussions
    - Agents at large are moving fast - people are deploying them, and
      we’re going to have them everywhere
    - It’s important to think about authz/authn
    - We should try to form recommendations that we can publish to the world
  - (Tobin) Any comments on the scope?
  - (Alex) Recommendations of what problems we are trying to solve?
    Provide ideas for solutions
  - (Jeff) MCP is a technical spec, so it is important to provide a
    dictionary / taxonomy and a long-term model for using agent identity
  - (Lukasz) Are we talking in the enterprise context, or in general
    about agentic AI? It also implies what type of identities are in play. Are
    topics like registration of agents relevant?
  - (Tobin) A2A is definitely in scope, but it doesn’t have as much
    traction. It raises more questions
  - (Lukasz) Registration of MCP servers in the context of enterprise is
    something we can discuss. We can also think about the future, about more
    dynamic environments where agents can talk to each other more dynamically
  - (Stan) As a CG, we can identify those problems that need in-depth
    discussion. We can have particular focus toward where we can provide
    specific inputs to OIDC or KYC groups
  - (Kunal) Do we have any standards for impersonation or delegation in
    OAuth? A standard would be useful
  - (George) There is work in the eKYC and IDA working group defining
    relationships between entities, e.g. parent delegating to child.
    - How do we describe relationships
    - How do we describe what is being delegated
    - What are the constraints
  - (George) But it is all very high-level right now. You will see the
    authority part in the eKYC spec page
    <https://openid.net/wg/ekyc-ida/specifications/>.
  - (George) We have handled the delegation problem a lot, but we don’t
    have guidance.
  - (Sarah) How are we going to address multi-user context? If multiple
    users are going to use the same flow, how do agent / AI builders handle
    this?
  - (George) 100% to what Sarah said. The “entity” in the relationship
    can be a group of “entities”
  - (Vlad) Are we just targeting AI developers? People are also involved.
    We rarely translate this stuff to something that everyone can understand. I
    will be happy to be that translator, to have this connection from the
    technical world to the world of actual business needs. There appears to be
    a huge disconnect. We know how to look at both sides of the story
  - What is the scope of what we’re trying to address here?
- Call for feedback: OIDF Authentic AI Whitepaper
  <https://docs.google.com/document/d/1AY7dJlD6mP80y7vDfdknxJT65g9nDQ68vA8Jj9I734c/edit?usp=sharing>
  - Presented by Tobin
  - Any member of the community group is welcome to add paragraphs (via
    comment), add relevant RFC references & pointers
  - Agents are indeed workloads, but they can be autonomous, highly
    scalable, and quick
  - Technical solutions would be out of depth in 6 months
  - We need to think about the model
  - (Pieter) Who are we targeting with the white paper? 3 personas:
    - Technologist
    - There’s a second layer of personas: people who are trying to
      motivate their organizations to adopt agentic AI
    - The persona on the business side too
  - (Pieter) Standards are going to be a key part of it
  - (Pieter) There can be some simple things such as agent identifiers,
    which we can address. There are a few layers below authorization that we
    can get to.
- Who shall we invite to broaden this discussion (e.g., from the AI
  labs)?
  - (Sean) Would it make sense to have someone who has done red-teaming on
    agents on this group? My experience has been horrible - it’s too easy to
    attack these things.
  - (Sean) Getting people who think about how to attack it is very important
  - (general agreement in the group)
  - (Pieter) If someone can share their experience in this group, it
    would be awesome
  - (Pieter) Sometimes the agent is not the problem, it’s the existing
    infrastructure.
  - (Sean) It’s the swampy crappy data
  - (Tobin) We should get more AI people here: NIST for example,
    Anthropic, MCP WG, etc.
  - (Atul) Everyone reach out to people who might be interested in this
    topic
  - (Subramanya) Identity for MCP is something we should think about. We
    don’t know what tools are being invoked, etc.
  - (Vlad) Social engineering - the ability of people to socially engineer AI.
    Agentic AI is very prone to social engineering. It would be incredibly
    interesting for C-level folks.
  - (Sean) Is the target of this going to be a mixture of C-levels who need
    to know the risk/reward?
  - (Jeff) Yes, we can have persona-oriented deliverables with multiple
    layers of detail
  - (Sean) In the enterprise world, all execs think about is to be the
    early one to put on their resume that “I did it”.
  - (Vlad) People want to push for fast adoption and will push past
    robust security tools for fast go-to-market.
  - (Shahar) I liked what Jeff said earlier and what Pieter said. No one is
    waiting for this group to come up with solutions. We can focus on smaller
    tasks that can help move things along. The taxonomy thing is interesting to
    bring alignment. LLM red-teaming is interesting, but is this the right
    forum for that?
  - (Sean) It’s more about having someone in this forum to give us a
    different viewpoint. Having them give a “lunch and learn” about what they
    do would be awesome.
  - (Jeff) We are a CG, so we are not here to specify documents.
  - (Ayesha) From comment: MCP Authorization Primitive:
    https://docs.google.com/document/d/1460o7LRZPMDFxoDgdYTI4gdxjgdBMKDxnN5Ic1DGhng/edit?tab=t.0#heading=h.faegcy4ur9jj
  - (Tobin) Maybe we should organise a series of talks
- IAM need for Agentic AI - Brainstorming
  <https://docs.google.com/document/d/1PhWC4KRO00kOPUW113ldG06Vii5dZjW3ljiV1tA0GCc/edit?tab=t.0>
- Who shall we invite to broaden this discussion (e.g., from the AI labs)?
- Reading List:
  - https://openid.net/wg/authzen/
  - https://openid.net/specs/openid-federation-1_0.html
  - OAuth 2.0 Extension: On-Behalf-Of User Authorization for AI Agents,
    draft:
    https://datatracker.ietf.org/doc/draft-oauth-ai-agents-on-behalf-of-user/
  - George Fletcher series on On-Behalf-Of (OBO) from LinkedIn:
    - https://www.linkedin.com/pulse/components-on-behalf-of-delegation-pattern-george-fletcher-hzhbe
    - https://www.linkedin.com/pulse/delegated-authorization-use-case-george-fletcher-j07he
    - https://www.linkedin.com/pulse/delegated-authentication-george-fletcher-9rqke
    - https://www.linkedin.com/pulse/what-might-on-behalf-of-token-look-like-george-fletcher-d9iqe
    - https://www.linkedin.com/pulse/obtaining-on-behalf-of-authorization-token-george-fletcher-704hf
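The Enterprise Authorization Profile discussion above (an identity assertion authorization grant that combines token exchange with the JWT bearer assertion grant, where the per-tool scope decision is made by admin policy at the AS rather than by user consent), as an added example that is not part of the call notes, the MCP PR or the IETF draft: a Python simulation of the IdP minting the assertion and the downstream AS validating it. Claim names follow the draft as I read it; the HMAC key, issuer, client ids and policy table are constructed.

```python
import base64, hashlib, hmac, json, time, uuid

IDP_KEY = b"constructed-idp-key"   # constructed: stands in for the IdP signing key
IDP_ISS = "https://idp.example"    # constructed issuer identifier

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(claims: dict, key: bytes) -> str:
    # Compact JWT with HMAC for the demo; a real IdP signs with an asymmetric key
    head, body = _b64(b'{"alg":"HS256"}'), _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def _verify(token: str, key: bytes) -> dict:
    head, body, sig = token.split(".")
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(mac), sig):
        raise PermissionError("assertion signature invalid")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def mint_id_jag(sub: str, client_id: str, audience: str, scope: str, ttl: int = 300) -> str:
    """IdP side: assertion returned from token exchange of the user's ID token,
    bound to one downstream AS (aud) and one requesting MCP client (client_id)."""
    now = int(time.time())
    return _sign({"iss": IDP_ISS, "sub": sub, "aud": audience, "client_id": client_id,
                  "jti": uuid.uuid4().hex, "iat": now, "exp": now + ttl, "scope": scope}, IDP_KEY)

# Admin-configured policy at the resource AS (constructed): which MCP client may
# obtain which tool scopes, regardless of what the client requests.
POLICY = {"mcp-server-crm": {"crm:read", "tickets:read"}}
SEEN_JTI: set = set()   # replay protection for assertions presented to this AS

def issue_access_token(jag: str, as_issuer: str, now: int = 0) -> dict:
    """Resource AS side: handle a jwt-bearer grant carrying the assertion and
    return access-token claims whose scope is narrowed by enterprise policy."""
    claims = _verify(jag, IDP_KEY)
    now = now or int(time.time())
    if claims["iss"] != IDP_ISS or claims["aud"] != as_issuer or claims["exp"] <= now:
        raise PermissionError("assertion not issued for this AS or expired")
    if claims["jti"] in SEEN_JTI:
        raise PermissionError("assertion replayed")
    SEEN_JTI.add(claims["jti"])
    allowed = POLICY.get(claims["client_id"])
    if allowed is None:
        raise PermissionError("client not registered with this AS")
    granted = sorted(set(claims["scope"].split()) & allowed)
    if not granted:
        raise PermissionError("policy grants none of the requested scope")
    return {"sub": claims["sub"], "client_id": claims["client_id"], "scope": " ".join(granted)}
```

The AS never relies on the requested scope string: a client asking for `crm:read crm:write` receives only what policy allows for it, and an assertion minted for another AS, an unregistered client, an expired lifetime or a reused jti is refused.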