Securing Agents with Open Standards — Bobby Tiernay and Kam Sween, Auth0

By AI Engineer


Key Concepts

  • AI Agents & Security Challenges: Risks associated with agents performing actions on behalf of users, including excessive agency, secrets in prompts, broad scopes, and troubleshooting difficulties.
  • Identity & Access Control (IAC): Managing and controlling access to resources based on user identity, especially in the context of AI agents.
  • OAuth 2.1 & RAR (Rich Authorization Requests): Standard protocols for authentication and authorization, used to anchor agent behavior to real users.
  • Token Exchange: A mechanism for exchanging one type of security token for another, enabling short-lived, scoped tokens for agents.
  • Client Initiated Backchannel Authentication (CIBA): A flow where the agent requests authorization from the user via a trusted device (e.g., push notification) without a browser.
  • MCP (Model Context Protocol) Servers: Servers that expose tools and data to models over MCP, requiring robust security and identity guarantees.
  • RAG (Retrieval-Augmented Generation): Enhancing LLMs with external knowledge retrieval, requiring fine-grained authorization to control data access.
  • Token Vault: A secure storage mechanism for tokens, preventing embedding secrets directly in code.
  • Confused Deputy Problem: An agent with certain permissions being tricked into misusing those permissions, often due to a lack of clear user context.

Security Challenges of Smarter Agents

  • Cracks in Real-World Applications: As agents move beyond chat and perform real-world actions, security vulnerabilities become apparent.
  • Secrets in Prompts: Sensitive information inadvertently included in prompts, leading to exposure.
  • Broad Scopes: Agents granted overly permissive access, increasing the risk of unintended actions.
  • Troubleshooting Difficulties: Lack of visibility into agent actions makes it hard to diagnose and resolve issues.
  • Excessive Agency (OWASP): Granting agents too much access without proper guardrails.
  • Unscoped Access: Agents calling APIs, pulling data, and using credentials without proper scoping, monitoring, or user association.
  • Sensitive Data Exposure: Agents accessing data they shouldn't, often due to inadequate access controls.
  • Shared Static Keys: Agents using shared keys from environment variables, leading to difficulty in tracking actions and rotating secrets.
  • User Context: Agents need to operate under the correct user context, not just the application's context.

Identity as the Foundation

  • Identity is Crucial: Without proper identity, token scoping and rotation are insufficient for real control.
  • Connecting Actions to Users: Identity enables understanding, tracing, and controlling agent actions.
  • Avoiding Service Accounts: Agents should not run as service accounts to prevent the confused deputy problem.
  • Anchoring to Real Users: Using OAuth 2.1 and token exchange to tie agent behavior to specific users.
  • Token Exchange Implementation: Backend fetches credentials from a vault and mints short-lived tokens for specific users and APIs.
  • Adherence to Standards: Aligning with OAuth standards to avoid reinventing identity solutions.
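
The token-exchange step above, as an added example in TypeScript (not code from the talk or from Auth0): a simulated RFC 8693 exchange endpoint that mints a short-lived, down-scoped token for the agent while keeping it bound to the real user's `sub`. The in-memory token store, the token values and the 300-second lifetime are constructed for illustration.

```typescript
// Added example (not from the talk): a simulated RFC 8693 token-exchange endpoint
// that mints a short-lived, down-scoped token for an agent while keeping it
// bound to the real user. Store, tokens and lifetimes are constructed here.

interface AccessToken { sub: string; aud: string; scope: string[]; exp: number }

// Constructed: the backend holds the user's session token (the agent never sees it)
// under an opaque handle, the way a token vault would.
const tokenStore = new Map<string, AccessToken>([
  ["sess-abc", { sub: "user-123", aud: "backend-api", scope: ["trades:read", "trades:write", "profile:read"], exp: 1_700_003_600 }],
]);

const TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
const AGENT_TOKEN_TTL = 300; // seconds: minutes, not hours, since the agent cannot rotate it

// Body of the exchange request: the user's token is the subject_token and the
// agent asks only for the audience and scopes its next call needs.
function buildExchangeRequest(subjectToken: string, audience: string, scope: string[]): URLSearchParams {
  return new URLSearchParams({
    grant_type: TOKEN_EXCHANGE_GRANT,
    subject_token: subjectToken,
    subject_token_type: "urn:ietf:params:oauth:token-type:access_token",
    audience,
    scope: scope.join(" "),
  });
}

// Simulated authorization server. The minted token keeps the user's `sub`, is
// narrowed to one audience, may only carry a subset of the subject token's
// scopes (no privilege escalation through exchange), and expires quickly.
function exchange(req: URLSearchParams, now: number): AccessToken | { error: string } {
  if (req.get("grant_type") !== TOKEN_EXCHANGE_GRANT) return { error: "unsupported_grant_type" };
  const subject = tokenStore.get(req.get("subject_token") ?? "");
  if (!subject || subject.exp <= now) return { error: "invalid_grant" };
  const allowed = subject.scope;
  const requested = (req.get("scope") ?? "").split(" ").filter(Boolean);
  const escalated = requested.filter((s) => !allowed.includes(s));
  if (escalated.length > 0) return { error: "invalid_scope" };
  const aud = req.get("audience");
  if (!aud) return { error: "invalid_target" };
  return { sub: subject.sub, aud, scope: requested, exp: now + AGENT_TOKEN_TTL };
}
```

Every token the agent receives therefore carries the user it acts for, one audience, and only scopes the user already had, which is what makes its API calls traceable and revocable.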

Fine-Grained Authorization for RAG

  • Data Access Control: Controlling what data an agent can access in RAG systems based on user authorization.
  • Enforcement at Retrieval Layer: Enforcing policy at the retrieval layer to prevent sensitive data leaks.
  • Client Initiated Backchannel Authentication (CIBA): Controlling when and how access is provisioned.
  • CIBA Flow: Agent requests authorization, server notifies user on a trusted device, user approves or denies.
  • Use Case: Suitable for background agents or scenarios without a direct user interface.

MCP Server Security

  • Evolution of MCP: Moving from local standard IO to remote distributed systems.
  • Security as a Priority: Security must be a core consideration for networked MCP servers.
  • OAuth 2.1 Flow: User signs in through the browser, MCP server handles token minting, agent gets scoped access.
  • Importance of Guarantees: Ensuring solid guarantees about who is making requests and what they are doing on shared servers.

Demo: AI Trading Assistant with CIBA

  • Scenario: Local AI trading assistant making tool calls to a broker service to buy stock.
  • Key Components:
    • User identification and context.
    • Token vault for secure credential management.
    • CIBA for user consent before sensitive actions.
  • TypeScript CLI Application: Exposes a command-line interface with a stock trading tool.
  • Mature Trading Environment Simulation: User specifies stock and threshold, system polls for real-time value, and dispatches a CIBA request before execution.
  • Agent Configuration:
    • generateMessages method: Handles communication between LLM and user.
    • main method: Defines context and binds it to a thread for user identification.
  • Tool Call Definition: Wrapped in higher-order components (useDeviceFlow, useCIBA).
    • useDeviceFlow: Bootstraps OIDC for access token usage.
    • useCIBA: Intercepts tool calls requiring user approval, provides configuration to identity provider.
  • Token Vault Usage: Prevents embedding client secrets directly in code.
  • CIBA Flow in Demo (Ideal):
    1. User initiates trade.
    2. Application prompts user to log in.
    3. Agent obtains tokens on behalf of the user.
    4. CIBA dispatches a notification to the user's device.
    5. User approves or denies the trade.
    6. Subsequent trades only require CIBA approval.
  • Benefits Highlighted:
    • Agent identifies and acts on behalf of a specific user.
    • Credentials stored and accessed securely.
    • Explicit user approval for high-risk actions without a browser.
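
The CIBA flow summarized in the "Fine-Grained Authorization for RAG" section and wrapped around the trade tool in the demo, as an added example in TypeScript (not the talk's demo code and not an Auth0 SDK): a simulated backchannel authorization server, a stand-in for the user's trusted device, and a `withCIBA` higher-order wrapper that lets a tool run only after the user approved that specific action. The class, function and token names are this example's own assumptions; timing is simulated with a poll counter instead of real sleeps.

```typescript
// Added example (not the talk's demo code): a simulated CIBA flow wrapped around
// an agent tool call. The authorization server and the user's trusted device
// are in-memory stand-ins; names such as withCIBA are this example's own.

type Decision = "approve" | "deny";
interface BcRequest { sub: string; bindingMessage: string; pollsLeft: number; expiresAt: number }
type TokenResponse = { access_token: string; sub: string } | { error: string };

// Simulated CIBA endpoints. `device` stands in for the user's push-notification
// app: it sees the binding message (what the agent wants to do) and answers
// after `pollsUntilAnswer` token polls, mimicking a human taking a moment.
class BackchannelAuthServer {
  private requests = new Map<string, BcRequest>();
  private n = 0;
  constructor(private device: (msg: string) => Decision, private pollsUntilAnswer = 2) {}
  // POST /bc-authorize: the agent asks for approval with no browser involved.
  initiate(loginHint: string, bindingMessage: string, now: number) {
    const auth_req_id = `req-${++this.n}`;
    this.requests.set(auth_req_id, { sub: loginHint, bindingMessage, pollsLeft: this.pollsUntilAnswer, expiresAt: now + 120 });
    return { auth_req_id, interval: 5, expires_in: 120 };
  }
  // POST /token (grant_type=urn:openid:params:grant-type:ciba), polled by the agent.
  token(authReqId: string, now: number): TokenResponse {
    const r = this.requests.get(authReqId);
    if (!r) return { error: "invalid_grant" };
    if (now > r.expiresAt) return { error: "expired_token" };
    r.pollsLeft -= 1;
    if (r.pollsLeft > 0) return { error: "authorization_pending" };
    if (this.device(r.bindingMessage) === "deny") return { error: "access_denied" };
    return { access_token: `tok-${authReqId}`, sub: r.sub }; // token tied to this user
  }
}

// Higher-order wrapper: the tool body runs only after the user approved this exact action.
function withCIBA<A>(server: BackchannelAuthServer, userId: string, describe: (a: A) => string,
                     tool: (a: A, token: string) => string, maxPolls = 10) {
  return (args: A): { approved: boolean; result: string } => {
    let now = 0;
    const { auth_req_id, interval } = server.initiate(userId, describe(args), now);
    for (let i = 0; i < maxPolls; i++) {
      now += interval; // a real client sleeps `interval` seconds here
      const res = server.token(auth_req_id, now);
      if ("access_token" in res) return { approved: true, result: tool(args, res.access_token) };
      if (res.error !== "authorization_pending") return { approved: false, result: res.error };
    }
    return { approved: false, result: "timeout" };
  };
}

// Constructed broker tool from the trading-assistant scenario.
interface Order { symbol: string; qty: number }
const buyStock = (a: Order, token: string) => `bought ${a.qty} ${a.symbol} using ${token}`;
```

The binding message is the part to get right in practice: it must describe the exact action (symbol and quantity here) so the approval the user gives on the device cannot be reused for a different trade.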

Conclusion

The presentation emphasizes the critical need for robust identity and access control in AI agent applications. It highlights the security risks associated with unchecked agent access and advocates for using established standards like OAuth 2.1, OIDC, and CIBA to mitigate these risks. The demo illustrates how these standards can be applied in practice to create a secure AI trading assistant that requires explicit user consent for sensitive actions. The key takeaway is that security should be a primary consideration from the outset of AI agent development, not an afterthought.
