Episode 150 - GluuFederation/identerati-office-hours GitHub Wiki

Title: Agentic Access: OAuth Gets You In, Zero Trust Keeps You Safe

Channels

Description

AI agents are no longer speculative—they’re querying APIs, rewriting records, and chaining tools via protocols like MCP (Model Context Protocol). The latest MCP spec requires OAuth 2.1 and Resource Indicators (RFC 8707), strengthening identity security while leaving authorization up to the implementer. But OAuth alone can’t enforce what an agent does after login—or whether it should act at all.

Homework

Takeaways

  • ⚡ In Roman times, the pomerium was the core of the city, the safest place. Pomerium emulates this as a combined Web-MCP proxy that defines a kind of internal safe place.

  • ⚡ Pomerium can be used as an internal SSO service, i.e. it is "identity aware". Although it relies on external OpenID Providers for identity (like Google or Entra), it keeps a local Pomerium session. You should register the Pomerium front-channel logout URI with your upstream IdP to get SLO to the Pomerium-protected websites.

  • ⚡ The Pomerium proxy uses OPA for authz. There are some basic policy authoring tools, but for more complex policies, you dive into Rego.

  • ⚡ The proxy is an important place to enforce policy: a proxy shouldn't forward an obviously unauthorized request. But isn't the true spirit of Zero Trust that the proxy shouldn't be trusted? For example, what about a service that is two hops downstream from the proxy in a microservice deployment? But just as "inconceivable" has different meanings in The Princess Bride, "Zero Trust" is not exactly fixed either.

Livestream Audio Archive

here

Basically we can talk about Zero Trust in general, and I can talk about how we're securing MCP, and we can also touch on native SSH access with Zero Trust baked in (no client).