Using Authorization Server Metadata according to RFC8414 is RECOMMENDED, but authorization servers MAY instead provide a deployment-specific way to ensure or determine PKCE support.¶ An attacker might attempt to inject a request to the redirection URI of the legitimate client on the victim’s device, e.g., to cause the client to access resources under the attacker’s control. The attacker also cannot inject a leaked ID Token matching the stolen access token, as the nonce claim in the leaked ID Token will contain (with a very high probability) a different value than the one expected in the authorization response.¶ Since the response includes the state value generated by the client for this particular transaction, the client does not treat the response as a CSRF attack and uses the access token injected by the attacker.¶ Instead, an attacker can directly call the token endpoint with the stolen authorization code.¶
If compromised, they can provide attackers with persistent access that is difficult to detect than activity originating from standard user accounts. Service principals are non-human identities used by applications, scripts, and automation tools to access SaaS services. This reduces the effectiveness of security controls that rely on IP reputation or geographic location to identify suspicious logins. The growing use of AI assistants and automated workflows is accelerating this trend as business applications exchange data and employees connect third-party services to corporate SaaS environments.
Strong client authentication protocols, including multi-factor authentication (MFA), improve security by verifying both user identity and request authenticity. In this type of attack, the threat actor sends a device authorization request to a service provider and receives a code, which is sent to the victim under various pretexts. At this point, the attacker has effective control of the victim’s Microsoft account, but without ever needing to phish a password, or pass an MFA check. Essentially, the attacker tricks the victim into logging into Azure CLI, by generating an OAuth authorization code — visible in a localhost URL — and then pasting that URL (including the code) into an attacker-controlled page. If you’re already logged into the app in your browser, you don’t even need to supply creds, or pass an MFA check — meaning it effectively circumvents phishing-resistant auth like passkeys too. The Model Context Protocol defines a standard way for AI clients to invoke external tools and read resources; its auth layer determines whether that access is controlled or chaotic.
Session Tokens
RFC 9700 explicitly requires exact matching to prevent this vulnerability class. Attackers registered redirect URIs with wildcards or pattern matching, then crafted malicious authorization requests that passed validation but redirected to attacker infrastructure. Access tokens https://repaircanada.net/internet stored in browser localStorage become accessible to any JavaScript code, turning XSS vulnerabilities into token theft opportunities. The ConsentFix attack pattern exploits these pre-authorized apps in Microsoft Entra environments, capturing authorization codes within their 10-minute validity window. The protocol treats security features as optional enhancements rather than baseline requirements.
Types of Tokens Attackers Target
Keep reading at our Intro to IAM page to explore more topics around Identity and Access Management. OAuth 2.0 is an authorization protocol and NOT an authentication protocol. It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization. OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. Since in-browser communication flows only apply a different communication technique (i.e., postMessage instead of HTTP redirect), all measures protecting the authorization response listed in Section 2.1 MUST be applied equally.¶
What are the security risks of lax redirect URI validation?
Microsoft introduced this policy condition specifically in response to the abuse pattern documented beginning in 2025 . Third, review all active Entra ID Conditional Access policies to confirm whether device code flow is currently restricted, and if not, identify a path to enabling that restriction. Organizations should prioritize the following within 72 hours of reading this note, to limit ongoing exposure from active campaigns. The vulnerability lies in the device code protocol itself, which allows an attacker to initiate a flow and collect the resulting token after the user authenticates. Device code phishing does not bypass MFA in a technical sense; it causes the victim to complete MFA authentically on the attacker’s behalf. A separate cluster designated UTA0352, https://www.absinthejailbreak.org/category/gadgets/ tracked by Volexity from March 2025, exploited the Microsoft Visual Studio Code OAuth flow rather than the standard device code endpoint, using the insiders.vscode.dev redirect URI to make token requests appear to originate from a development tooling integration .
Understanding the Need for Robust AI Agent Security Tools
Automated integration that runs at 2 AM daily suddenly active at 3 PM suggests token theft and manual attacker activity. An integration with read-only permissions appears safe in inventory. Most organizations maintain partial OAuth app inventories through manual spreadsheets or point-in-time audits. Data access patterns deviating from baseline identify exploitation in progress. Detection required identifying the malicious OAuth apps themselves, not just the compromised user accounts.
Key Vulnerabilities in AI Agent Deployments
In such an attack, an attacker embeds the authorization endpoint user interface in an innocuous context. Where this cannot be avoided, authorization servers MUST provide other means for the resource server to distinguish between the two types of access tokens.¶ For example, if a client is able to choose its own client_id during registration with the authorization server, a malicious client may set it to a value identifying a resource owner (e.g., a sub value if OpenID Connect is used).
You can think of this as a browser-native ClickFix attack that phishes an OAuth token on a target app by getting the victim to copy and paste a URL containing OAuth key material into a phishing page. Lawrence’s area of expertise includes Windows, malware removal, and computer forensics. “As you’ve probably already heard, Klue.com has been impacted by us recently. A number of other companies’ Salesforce instances, which were partners to Klue, were exfiltrated,” reads the Icarus post. Huntress later disclosed that its own Salesforce environment was affected by the Klue breach and that the stolen data included business contacts, sales communications, pricing information, and other records. “All available evidence suggests that Recorded Future was not specifically targeted and was instead an incidental victim by virtue of utilizing the compromised integration between Salesforce and Klue,” Recorded Future said. The attacker authenticated to victims’ Klue integration service accounts, generated OAuth tokens and ran automated Python scripts that queried the Salesforce REST API for about 24 hours, ReliaQuest said in its threat analysis.
- AI agents now operate with extensive system access—reading files, executing commands, and accessing production systems through MCP tools.
- The growing use of AI assistants and automated workflows is accelerating this trend as business applications exchange data and employees connect third-party services to corporate SaaS environments.
- However, practice has shown that many OAuth clients do not use or check state properly.¶
- The most reliable way to identify OAuth authentication is to proxy your traffic through Burp and check the corresponding HTTP messages when you use this login option.
- RFC 9700 explicitly requires exact matching to prevent this vulnerability class.
State-sponsored actors in earlier campaign waves used domain https://www.nmb-group.com/maximizing-efficiency-and-security-a-comprehensive-guide-to-employee-monitoring-software.html infrastructure including sen-comms.com, afpi-sec.com, chromeelevationservice.com, and comms-net.com for UTA0304, and connect-71q.pages.dev and rosejob.com for UTA0307 . The breadth of sector targeting reflects the indiscriminate, opportunistic nature of PhaaS operations, which prioritize volume over selectivity. Token revocation requires an explicit call to the revokeSignInSessions API or an equivalent administrative action in Microsoft Entra ID . At this moment the attacker’s polling loop against the /token endpoint succeeds, and Microsoft returns a valid access_token and refresh_token to the attacker’s system.
External file sharing creates persistent data exposure
- For engineering managers and CTOs, adopting this standard means reduced technical debt and a more resilient security architecture.
- Other protocols can perform this function as well, although OAuth is one of the most widely used ones.
- OAuth authorization servers regularly redirect users to other websites (the clients), but they must do so safely.¶
- RFC 9700 suggests that developers should constantly review the latest security research, update their OAuth implementation regularly, and be aware of emerging risks.
- In this section, we’ll teach you how to identify and exploit some of the key vulnerabilities found in OAuth 2.0 authentication mechanisms.
PKCE prevents authorization code interception attacks but doesn’t address token theft after issuance, over-scoped grants, or prompt injection. There’s no official MCP security certification today (though the spec continues to evolve), but based on the OAuth 2.0 security BCP (RFC 9700) and OWASP guidance, here’s a concrete checklist. That said, many enterprises have existing SAML infrastructure, and most modern authorization servers can accept a SAML assertion as input and issue OAuth tokens against it. It’s not standard practice yet, but it’s the direction the MCP security community is moving. Model Context Protocol (MCP) is an open standard, published by Anthropic in November 2024, that defines how AI clients (like Claude, a custom agent, or an IDE plugin) communicate with external tool servers.
However, this document does not supplant the security advice given in RFC6749, RFC6750, and RFC6819, but complements those documents.¶ This document provides updated security recommendations to address these challenges. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Copyright (c) 2025 IETF Trust and the persons identified as the document authors.