Comment by mehdibl

From the blog post:

"The Auth problem At this point, the auth issues with MCP are well known. OAuth2.1 is great, but we are basically trying to re-invent auth for agents that act on behalf of the user. This is a good long term goal, but we are quickly realizing that LLM sessions with no distinguishable credentials of their own are difficult to authorize and will require a complete re-imagining of our authorization systems. Data leakage in multi-tenant apps that have MCP servers is just not a solved problem yet.

I think a very strong case for MCP is to limit the amount of damage the model can do and the amount of data it will ever have access to. The nice thing about client side APIs in multi-tenant apps is they are hopefully already scoped to the user. If we just give the model access to that, there's not much damage they can do.

It's also worth mentioning that OAuth2.1 is basically incompatible with internal Auth at Amazon (where I work). I won't go to much into this, but the implications of this reach beyond Amazon internal."

1. Oauth is not working in Amazon ==> need solution.

2. Oauth are difficult to authorize

3. limit the amount of damage the model can do WHILE "ulti-tenant apps is they are hopefully already scoped to the user".

I feel from a security side there is an issue here in this logic.

Oauth for apps can be far more tuned than current web user permission as usually, user have modification permission, that you may not want to provide.

Oauth not implemented in Amazon, is not really an issue.

Also this means you backdoor the App with another APP you establish trust with it. ==> This is a major no go for security as all actions on MCP app will be logged in the same scope as USER access.

You might just copy your session ID/ Cookie and do the same with an MCP.

I may be wrong the idea seem intersting but from a security side, I feel it's a bypass that will have a lot of issues with compliance.