The coming AI agent crisis: Why Okta’s new security standard is a must-have for your business

by Investor News Today
December 17, 2025
in Technology

the-lightwriter/iStock/Getty Images Plus via Getty Images

ZDNET’s key takeaways

  • IT managers have limited visibility into when users give external apps access to company data.
  • When those external apps are AI agents, the security risks multiply by orders of magnitude.
  • Okta has proposed a standard to give organizations more visibility and control over these permissions.

By the end of 2026, many of us will have at least one AI-powered agent doing something behind the scenes on our behalf. Within five years, it could be tens or hundreds of agents. They won’t only make decisions about what to do (based on their autonomous observations), but they will connect to multiple sources of data (as well as one another) in order to optimize those decisions and other outcomes.

This future should terrify most organizations that already go to great lengths to protect their digital assets from unauthorized access. As employees are pressured to do more with the help of AI, they’re going to look to launch these agents and grant them access to whatever corporate resources are necessary.

Today’s credential for such user-provisioned application-to-application access — known as an OAuth token — may be woefully unsuited to the task.

A few years ago, well before agentic AI was on the horizon, when organizational users granted certain applications, such as Slack, access to their work data, the folks at identity management provider Okta recognized a fundamental flaw in how that access was permitted and granted.

Identity and access management (IAM) systems, such as Okta’s Identity Platform and Microsoft’s Entra, serve as central control planes for managing which people have access to which corporate resources. However, those same systems are frequently out of the loop when it comes to how other applications were granted similar resource access on behalf of those users. Instead, those decisions were (and in many cases, continue to be) left to end users in a way that resulted in IAM blind spots and avoidable security risks. Since then, Okta has been working with the Internet Engineering Task Force (IETF) on a draft open standard designed to close the loophole.

Proposing a new standard

Behind closed doors and in its promotional materials, Okta refers to the specification as “Cross-App Access” or XAA. However, the specification is known by a different name as part of the IETF’s open standards conversation: Identity Assertion Authorization Grant (IAAG). Compared to proprietary technologies and in some cases de facto standards, an open standard is a technology that is made available to the industry on a fully unencumbered basis. Companies and developers, including Okta’s IAM rivals such as Microsoft and Ping Identity, are free to build their own implementations of the technology without the need to pay royalties to its inventor(s).

HTTP — the core technology that makes it possible for any web browser to access any website — is an open standard. The two major technologies that combine to make passkeys work the way they do — the World Wide Web Consortium’s WebAuthn and the FIDO Alliance’s Client to Authenticator Protocol (CTAP) — are open standards.

While any company can invent a technology and contribute it to the world for consideration as an open standard, the true measure of whether that technology is really an open standard is tied to the rate at which it gets adopted by other companies. According to Okta, Google, Amazon, Salesforce, Box, and Zoom are among IAAG’s early adopters.

During an interview about Microsoft’s plans to help organizations tame the sprawl of agentic AI, Microsoft corporate vice president of AI Innovations Alex Simons told ZDNET that Microsoft plans to support the new IAAG standard in Entra (the company’s cloud-based IAM solution). While Aaron Parecki, Okta’s director of identity standards, initially appeared as the specification’s author, Ping Identity distinguished engineer Brian Campbell now appears as a co-author on the latest draft, which is a pretty good indicator that Ping is on board as well. (I reached out to Campbell via email but haven’t yet heard back.)

The timing of the proposed standard couldn’t be more serendipitous. According to Parecki, when Okta first started working on the problem, agentic AI wasn’t even on the radar. But now that the class of smart, scalable, and sometimes fully autonomous software is poised for explosive growth — especially behind the firewalls of many organizations — the new standard is in place to give IT managers the control and visibility they need to securely tame both applications and agents as if they’re on a level playing field with humans.

Behind the scenes of delegated access

Although I’m leaving out some gory details, here’s what typically happens behind the scenes: When one application is given direct access to another application on behalf of an end user (a type of access known as “delegated access”), the operator of the second application (the “resource server”) is asked to issue a special login credential that the first application (the “client application”) subsequently uses to authenticate with the resource server as if it were the end user herself.

In this step of a typical OAuth workflow, the Google account resource server is notifying the end user that it has received a request from Slack, as a client application, for specific access rights (enumerated in the displayed list) to the user’s Google account. If the user indicates their approval by clicking the “Allow” button, Google will issue an OAuth access token to Slack that is specific to the end user, their Google account, and the listed access rights.

Screenshot by David Berlind/ZDNET

In a scenario like this, the end user — considered by the OAuth standard to be the “resource owner” — is said to be delegating some or all of their resource server access rights to the client application. This special credential is called an OAuth token. Before the resource server issues such a token to the client application, the end user is typically consulted through a dialog box (see screenshot above) for their permission to proceed with the delegation. If the end user consents, the resource server (typically a specialized “authorization server” acting on behalf of the resource server) issues the OAuth token to the client application, which is then responsible for storing it securely. After all, it is essentially the equivalent of the end user’s user ID and password.

Earlier this year, when over a billion customer records were criminally and avoidably exfiltrated from the Salesforce instances of some of the world’s largest and most recognizable brands, the threat actors relied on stolen OAuth tokens to perpetrate their crime.

Once the end user consents to OAuth token issuance and the client application takes receipt of that token, it goes on to use that token as a login credential to the resource server, much the same way humans present their user IDs and passwords at login time. Each of these OAuth tokens is specific to the user (again, the “resource owner”) that granted it, the specific access rights that were delegated at the time of the grant (these could be a subset of the user’s overall rights), and the resource server that issued it.

An OAuth token that was issued by Google (the resource server) to Slack (the client application) on my behalf is, therefore, specific to Google and mapped to my Slack identity. Slack cannot present that same token to another application like Zoom, nor can it present that token to Google on behalf of another user. While some tokens last forever, others expire after a certain period of time. Token issuers can also invalidate tokens (known as revoking a token) at will. It’s similar to disabling a password or changing the lock on your front door.

Once OAuth came along

Although there are several token types for a variety of use cases, the idea of an Open Authorization or OAuth token came at a time when, in the aforementioned scenario, a user would simply enter their Google user ID and password into Slack. And it’s hard to believe that many of us users gladly supplied those credentials without considering the potential for serious harm. From a cybersecurity perspective, the practice raised some deal-breaking and largely rhetorical questions. To whom were we really giving that user ID and password? Is it a legitimate business or a malware app cleverly disguised as an incredibly useful tool? Even if the app is legit, how and where is it securely storing the secret credentials that we just shared with it? What if the client application only needed a subset of the end user’s overall access rights?

Also, unlike with OAuth, there was no explicit step during which the user issued their consent. “The consent was implied in the [sharing of the] credential,” said Parecki during an interview with ZDNET. “So you’d give your password to an application, the application would take the password to a service, and present it as if it were you. And that’s kind of this implied consent, right? Because the fact that it has the password means that it had to have obtained it legitimately, right? Which, obviously, we know is not safe to assume.”

Once OAuth came along, it eliminated the need for users to share their secret credentials in order to enable cross-application access on their behalf. That scheme has worked pretty well on the internet for the last couple of decades. But then came the question of who the resource owner really is. As mentioned above, it’s the end user who is considered to be the resource owner, and therefore, it’s the end user who ends up consenting to the issuance of the OAuth token. But is the end user really the resource owner? Or is it the organization? And if it’s the organization — which it is — shouldn’t the organization be party to the OAuth workflow?

The way Okta sees it, in consumer scenarios where the end user wants a client application like an AI agent to take action on their personal Gmail account, it’s perfectly fine for the end user to be the resource owner who consents to the issuance of an OAuth access token. But in organizational scenarios where the resources actually belong to the organization, and access to those resources is managed through a central control plane, the ultimate consent should come from that central control plane — the IAM system — instead.

Why does this make sense? Well, end users already have a pretty rotten track record when they’re the last line of defense between threat actors and an organization’s application infrastructure. For example, research has shown that even after receiving cybersecurity training, 98% of users still let their guard down and succumb to preventable phishing attacks. Under the IAAG standard, the end user still gets the choice of opting into a connection between a client application like Slack and a resource like the organization’s installation of Zoom. But it’s the organization’s IAM system that ultimately approves that connection request and the subsequent issuance of the required OAuth access token.

Similar to the way resource access is granted to humans, Parecki says, this kind of consent is configured upfront by the system administrator. “For all users at the company, we want to allow Slack to be able to get access tokens for our users’ Dropbox accounts,” Parecki offered as an example. “And that’s a policy that lives in the IdP [Identity Provider, an acronym sometimes used interchangeably with IAM]. So now, [for each user, Slack] can go and get an access token because the policy is configured in the IdP.”

When AI agents go wild

The approach also makes sense in a world that’s about to be overwhelmed by AI agents — especially ones that, given the opportunity (and much like humans), might autonomously take part in OAuth workflows unbeknownst to anyone in the organization. In that AI-agents-gone-wild scenario, it’s not hard to imagine how quickly the central IAM system could fall out of lockstep with all the permissions being granted, on whose behalf, and for what resources. At scale, a single leaky or malicious agent could do a lot of damage in very short order.

“Even if it’s actually an agent, it’s still a piece of software, and it’s still represented by its client ID,” said Parecki. “Let’s say you want a new agent to be able to index all of your content across 20 enterprise apps. The agent wants more data, and it’s trying to access more things [than in the typical OAuth client application scenario]. You don’t want every user at the company to have to click through a consent prompt 20 times just to start using your new AI tool.”

To facilitate that improved user experience and the security to go with it, the proposed standard involves more than just an OAuth workflow adjustment to check with the actual owner of the resource (the organization) instead of the end user who uses the resource. The token’s structure needed improvement, too. For example, whereas a standard OAuth workflow involves the user’s ID as reported by the resource provider, this enhanced OAuth workflow involves the user’s ID as reported by the organization’s IAM system. A record of the IAM system is also included in the enhanced workflow.

Not only do these additional fields of data enable the insertion of the organizational IAM system into the middle of the OAuth grant process, but they also facilitate a higher degree of central visibility and control that was previously unavailable to IT managers. For example, consider these scenarios:

  • An employee has 25 AI agents working on his behalf, acting on a range of the organization’s resource servers. When he decides to leave the company, the IT department needs to deprovision those agents. Under this new OAuth scheme, an IT manager can query the organizational IAM system to not only view all the tokens issued for a particular user across all resource servers, but also more easily revoke some or all of them as part of a targeted deprovisioning exercise.
  • The organization discovers that an AI agent, originally approved for use by all employees, is leaking confidential information to the underlying large language model. To stop the bleeding, the CISO decides that the entire agentic AI solution provider must be immediately deprovisioned from the organization’s application infrastructure. With a single query to the IAM system, an IT manager should be able to more easily discover the relevant tokens and deprovision them.
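The following Python model is added here to illustrate the two points the article keeps returning to: a delegated access token is bound to one user, one client and one resource server (the Slack/Google/Zoom discussion above), and under the IAAG approach the organization’s IdP gates issuance with administrator policy and records every grant, so the two deprovisioning scenarios just listed become a single query and revoke. It is not Okta’s code and does not reproduce the draft’s wire format; the claim names, the shared HMAC key standing in for the IdP’s signing key, and all account, client and server names are constructed assumptions.

```python
import base64, hashlib, hmac, json, time
IDP_KEY = b"constructed-idp-signing-key"  # constructed: key shared with resource servers so they can check the IdP's signature

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(claims: dict, key: bytes) -> str:  # encode claims plus an HMAC so tampering is detectable
    body = b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify(assertion: str, key: bytes) -> dict:
    body, mac = assertion.split(".")
    if not hmac.compare_digest(mac, b64(hmac.new(key, body.encode(), hashlib.sha256).digest())):
        raise ValueError("assertion signature mismatch")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

class IdP:
    """The organization's IAM system: admin policy plus an inventory of every token issued under it."""
    def __init__(self, issuer: str):
        self.iss, self.policy, self.inventory = issuer, set(), []
    def allow(self, client_id: str, resource: str):
        self.policy.add((client_id, resource))  # e.g. "let Slack get tokens for users' Dropbox accounts"
    def issue_assertion(self, user: str, client_id: str, resource: str, scope: str) -> str:
        if (client_id, resource) not in self.policy:
            raise PermissionError(f"policy does not allow {client_id} -> {resource}")
        return sign({"iss": self.iss, "sub": user, "client_id": client_id, "aud": resource,
                     "scope": scope, "exp": int(time.time()) + 300}, IDP_KEY)
    def tokens_for(self, **match) -> list:  # central query, e.g. sub="alice" or client_id="agent"
        return [r for r in self.inventory if not r["revoked"] and all(r[k] == v for k, v in match.items())]
    def revoke(self, records: list):
        for r in records:  # records are shared with the resource server; this stands in
            r["revoked"] = True  # for the IdP instructing that server to revoke the token

class ResourceServer:
    """A SaaS app's authorization server that accepts assertions from the organization's IdP."""
    def __init__(self, name: str, idp: IdP):
        self.name, self.idp, self.tokens = name, idp, {}
    def exchange(self, assertion: str) -> str:
        c = verify(assertion, IDP_KEY)
        if c["iss"] != self.idp.iss or c["aud"] != self.name or c["exp"] < time.time():
            raise ValueError("assertion not from the trusted IdP, not for this resource, or expired")
        token = b64(hashlib.sha256(assertion.encode()).digest())  # opaque access token
        record = {"token": token, "sub": c["sub"], "client_id": c["client_id"],
                  "resource": self.name, "scope": c["scope"], "revoked": False}
        self.tokens[token] = record
        self.idp.inventory.append(record)  # the IdP now sees every grant, not just the end user
        return token
    def access(self, token: str, client_id: str, user: str) -> bool:
        r = self.tokens.get(token)  # a token is bound to this server, one client and one user
        return r is not None and not r["revoked"] and r["client_id"] == client_id and r["sub"] == user

def demo() -> dict:
    idp = IdP("idp.example.test")  # constructed names throughout
    dropbox, zoom = ResourceServer("dropbox.example.test", idp), ResourceServer("zoom.example.test", idp)
    idp.allow("slack", dropbox.name); idp.allow("agent", dropbox.name); idp.allow("agent", zoom.name)
    t_slack = dropbox.exchange(idp.issue_assertion("alice", "slack", dropbox.name, "files.read"))
    t_agent_a = dropbox.exchange(idp.issue_assertion("alice", "agent", dropbox.name, "files.read"))
    t_agent_b = zoom.exchange(idp.issue_assertion("bob", "agent", zoom.name, "recordings.read"))
    out = {"slack_ok": dropbox.access(t_slack, "slack", "alice"),
           "other_client": dropbox.access(t_slack, "agent", "alice"), "other_user": dropbox.access(t_slack, "slack", "bob"),
           "other_server": zoom.access(t_slack, "slack", "alice")}
    try:  # a pairing the administrator never approved is refused before any token exists
        idp.issue_assertion("alice", "slack", zoom.name, "recordings.read"); out["unapproved"] = True
    except PermissionError:
        out["unapproved"] = False
    idp.revoke(idp.tokens_for(sub="alice"))  # scenario 1: alice leaves; cut her off everywhere
    out["alice_after"], out["bob_after"] = dropbox.access(t_agent_a, "agent", "alice"), zoom.access(t_agent_b, "agent", "bob")
    idp.revoke(idp.tokens_for(client_id="agent"))  # scenario 2: the agent leaks; cut it off for everyone
    out["agent_after"] = zoom.access(t_agent_b, "agent", "bob")
    return out
```

Running `demo()` shows the token refused for a different client, user or server, the unapproved Slack-to-Zoom pairing refused at the IdP, and each revocation query removing exactly the tokens it should.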

Like many new standards, it may take a while before everything falls into place in a way that gives IT managers centralized control over the sprawl of agentic AI (not to mention the standard application-to-application connections that were already being established behind IT’s back). Not only must the draft standard go through its final rounds of approval at the IETF, but support for the new standard has to show up in the various authorization servers used by all the SaaS providers that support OAuth-based connections from client applications.


