TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

86% Positive

Analyzed from 1267 words in the discussion.

Trending Topics

#mcp#oauth#auth#folks#server#data#user#don#share#access

Discussion (34 Comments)Read Original on HackerNews

zackify11 minutes ago
If only they would support the web and let you just issue a long running cookie....

I hacked the spec to pass through a cookie via the oauth handshake to do this without needing an oauth server.

Its really dumb they don't want to allow this.

If no cookie, open webpage.

If cookie set, close and persist.

I literally wrote an 80 page mini book on MCP yet it frustrates me to no end.

maxwellgabout 2 hours ago
Huge congrats to the folks behind this at Okta, A\, Microsoft, Figma, Linear, etc...

For the MCP nay-sayers - don't worry there's something here for you too :)

This is powered by a new token format called an ID-JAG - https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-a... - and isn't MCP specific at all. ID-JAGs can be used for safe and secure data sharing anywhere where data is shared between applications that use the same SSO provider.

flashgordonabout 2 hours ago
This is fantastic. Ive been so fortunate to work with the mcp folks last few months on a couple of the SEPs (and my own experimental sdk in go). I used to be a naysayer. "Its just apis" I used to say. "Sheesh the invented another abstraction" I used to say.

What folks dont realize is it is the "P" in MCP that throws people off. When you build a traditional app you have to build forms, ui, req/response handling, bidirectional channels, long running tasks, auth and so on.

With mcp 80% of this common layer is taken care for you. So mcp is really an "app framework" than a protocol (well there is that too).

Unified auth is a huuuge boost. Can't wait to see more cool things!

sean_lynchabout 2 hours ago
Before you get too far into the usual “MCP is dead, Skills forever” debate

The real valuable capability MCP offers over skills/CLI is isolating the auth flow outside of the agent’s context window, and potentially out of the harness completely. This is valuable from a security perspective obviously. It’s also just a much easier user experience for normies and large businesses adopting AI tools. I hear all the context bloat and tool call redundancy complaints. But this structure for handling auth has real value.

Maybe the idealized form of MCP is just an auth gateway for the API and nothing else. That’d still be a win.

brookstabout 2 hours ago
I agree that having auth outside of context window is good.

But the real value of MCP is adding a semantic layer on top of APIs. Skills are client side and don’t know the server’s capabilities. MCP lets the server explain its API in natural language so clients who have no prior knowledge of the server, it’s API, or its domain can use it intelligently.

I used to think MCP was dumb. I’ve written to large MCP servers, one for CAD and one for music, and I am a complete convert.

dendabout 2 hours ago
Hey folks - I am one of the folks at Anthropic that helped deliver this in partnership with Okta and a handful of MCP partners. We're very excited about this taking shape in Claude (in addition to the MCP spec, of course, where EMA is now a stable extension) and are looking to expand adoption to other identity providers and clients as well.

If you have any feedback, feel free to drop it in here! Always happy to hear about folks' experience and how we can make it better.

daniban12 minutes ago
Anthropic is the only one with human readable tool names from the JUNE 2025 spec! So you guys are doing a great job and this is another example.

I'm just curious internally how you are seeing MCP adoption? It seems more and more connectors are created but are you seeing real adoption from users?

brianjking17 minutes ago
Great work, thank you for doing this. Just so I understand, this isn't yet available yet, right? Still in SEP stage?
mikestorrent30 minutes ago
Fantastic news. Is there any communication between you folks and the Microsoft Entra (Azure AD) team? Would love to know if we can expect this soon or if will take a while.
russell_habout 2 hours ago
MCP auth has been a huge pain point for us at C1 - both for our own internal MCP use and in our in-product MCP Gateway - so very glad to see this landing.

We launched support today for C1 to act as an EMA identity provider (we mint the short-lived scoped tokens), so I'm excited to hook this up for Linear and some of the other MCPs we use, and get out of the business of constant OAuth flows. Claude has been doing this magically for some of their built-in connectors (at least Slack I think) and the experience is pretty great.

Disclosure: VPE at C1. We wrote up how we’re approaching it here if anyone’s in the weeds on this: https://www.c1.ai/docs/product/admin/enterprise-managed-auth...

dendabout 1 hour ago
Love more adoption of EMA and, of course, better infra for MCP developers. Thanks for such a quick turnaround on this feature work!
joeyguerra17 minutes ago
I have my chatbot command my chatbot.
ericchiangabout 2 hours ago
Wait this is awesome. A huge issue with Enterprise OAuth2.0 is managing all the random apps. Each with their own half-baked enterprise controls for managing scopes, token expiry, and no control over device bound sessions.

So instead, you can run centralized infra to validate a user, device, what scopes their requesting and duration, and enforce policies for all your apps?

Can we get this in other OAuth 2.0 clients?

dendabout 1 hour ago
The standard itself is not MCP-specific. As long as the client and the server adopt ID-JAG, they're golden.

RFC draft: https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-a...

RVuRnvbM2eabout 3 hours ago
I don't quite understand the advantage of this over regular oauth. I think I need an example comparison of the authz flows.
maxwellgabout 2 hours ago
In regular OAuth, end users consent to share their data with applications individually. This makes sense for consumer usecases, where the end users own their data. But it doesn't make sense for many business usecases, where the business is the entity that should control data sharing and access, not the end user. As an employee at Acme, I shouldn't decide to link my Acme Google Drive data to Claude or ChatGPT, that should be the decision of my IT Department.

Enterprise-Managed OAuth, or Cross App Access (XAA), brings this IT-Admin centrally controlled sharing model into the OAuth framework so it works with the existing ecosystem.

There's also a great UX benefit from moving data sharing consent management from employees to IT Admins - it means that employees don't need to sit through a bunch of OAuth flows to link their accounts together. Their IT Admin has already set up all the sharing controls. Everything plugs in together and should Just Work from day one. Think joining a new company on the first day and your Slack is already linked to your Zoom, your Drive, your Calendar, etc...

amlutoabout 2 hours ago
This is bonkers.

Sure, if I’m a business, I will make a business decision to share, or not share, some resource with ChatGPT. But, if I do decide to share something with ChatGPT, I absolutely do NOT want it shared with every single ChatGPT thread, more or less how I don’t want it shared with every single tab an employee has open in a browser.

qt31415926about 2 hours ago
Isn't that what's solved by this method? Your SSO provider (e.g. Okta) is now what gates each employee's resource access for different MCP resources.
megous37 minutes ago
Advantage is user has no control/is not needed to consent about what apps they're authorizing to share their information between each other, bacause the decision to delegate access is at the IdP policy level. User many never know which apps/services were authorized to share their information. Wait, is that an advantage? ;-)
hparadizabout 2 hours ago
Need this for CLI tools like gcloud, knife, npm, etc. Maybe an Okta based JWT.
dendabout 2 hours ago
What's interesting about this standard is that it's not really MCP-specific. It can work just as nicely for any other workload - it just requires the authorization server/IdP to support it and the receiver to know how to handle the trust relationship.
lorecoreabout 2 hours ago
Auth has been a wild journey in MCP. It really is a valuable differentiator to things like Skills for enterprises though. Congrats to the team on the ship.
dendabout 2 hours ago
We're always looking at making it a smoother experience - it's a top pain point for developers and IT admins alike. If you have feedback - feel free to send it my way!
Advertisement
rvzabout 1 hour ago
This actually looks like a far better use-case for MCPs than the previous per-user per server MCP design which that was completely rushed and made no sense.

You can tell with this Anthropic consulted with experts first on the design and implementation of this rather than vibe coding the spec in isolation. Unless the user themselves is compromised and connects via the Enterprise-Managed Authorization, at least you can remotely revoke permissions / access to reduce that risk.

We'll see, but give credit where credit is due.

dendabout 1 hour ago
FWIW, we never vibe-coded the spec to begin with, but yes - auth is a continuous learning process, and we're lucky to collaborate with some really talented folks both inside and outside the company (e.g., this launch we worked closely with Okta to see how we can best wire things up) to make this a smoother experience. Keep the feedback coming!
paulddraperabout 2 hours ago
"Watson you have a blazing talent for observing the obvious" - Sherlock Homes
brapabout 2 hours ago
I thought we’re over this collective delusion called MCP
mikestorrent29 minutes ago
I thought we were all smarter than directly giving agents access to all of our long lived tokens
isubkhankulovabout 2 hours ago
MCP is just an API designed to be token frugal
NamlchakKhandroabout 2 hours ago
Frugal is definitely not a word i would use in the same sentence as mcp