The identity layer for agentic systems has now been operationalized twice in eleven days, by the same parent company, at two different layers of the same stack. On April 30, Okta shipped the IdP-side primitive — the control-plane answer to which agent, on whose behalf. On May 6, Auth0 shipped the wire-level primitive — the protocol-layer answer to how the MCP server knows, how it scopes, how it propagates identity across server hops. The structural geography that The Identity Layer mapped is now substantially populated. What this dispatch reads is what the wire-level GA actually puts on the floor, and what continues to require architectural enforcement above it.
The Auth for MCP announcement reduces to four primitives operating at a single layer — the request envelope between an agent and a server, and between servers calling each other on a user’s behalf. Each primitive is precise. Each does what it says. None reaches further than the request envelope, and nothing in the GA changes the corpus position that identity is the floor, not the ceiling. What changes is that the floor at the protocol layer is now actually present rather than assumed.
What the Four Primitives Actually Do
Reading Auth0’s GA announcement closely, the four primitives reduce to this:
Authentication. The human behind the agent logs in through any method the tenant already supports — username and password, social, enterprise SSO. The MCP server now knows which user the agent is acting on behalf of. Before this primitive, the server did not.
Scoped authorization. Auth0 mediates which internal APIs the MCP server is permitted to call, and checks the user’s permissions before each downstream call. This is OAuth 2.0 scopes applied to the MCP control surface. It binds the agent’s effective capability to the user’s stated entitlements.
CIMD client registration. Replaces Dynamic Client Registration. Each MCP client — Claude, ChatGPT, Cursor, VSCode — is identified by a hosted JSON metadata document at a verifiable HTTPS URL. The authorization server fetches the document, validates that the requested redirect_uri matches the list inside it, and caches. This proves which client implementation is talking to the server, and the redirect-URI check defeats a real class of phishing attack against the registration endpoint. As a structural enforcement of a previously probabilistic problem, it is one of the more elegant moves in the specification.
On-Behalf-Of token exchange. When MCP server A needs to call downstream API B on the user’s behalf, the user’s token is exchanged for a new token scoped to API B, with the user identity preserved in the chain. No service accounts, no shared secrets, full audit trail. This directly addresses what Linear History Authorization called delegation collapse — the failure mode where a service account or shared secret erases the chain of who originally authorized an action.
That is the entire perimeter of what shipped. The two-step Okta-to-Auth0 arc is now visible in product form: the IdP-side primitive controls who the agent is and what the agent’s user is entitled to do; the protocol-side primitive enforces those controls at the wire. Both are necessary. Neither, individually or together, is sufficient.
The Structural Diagnosis, One Layer Down
The Identity Layer argued that Okta’s IdP-side primitive sharpened rather than resolved the structural questions above and below it. The same reading applies to Auth0 GA at the protocol layer, with one specification: the primitive is now closer to where the agentic action actually occurs. That proximity matters, because it brings the identity boundary into direct adjacency with the surfaces where agentic failures live — which makes the geography sharper, not softer.
Read against the Luminity structural-versus-probabilistic frame, Auth0’s protocol-layer primitives enforce a single variable deterministically: who is calling, and through what client. The corpus thesis — argued across Series 1, Series 3, and Series 4 — is that agentic failures are dominantly about what is being done and why the agent decided to do it. Those are not OAuth-layer questions, and they are not Okta-layer questions either. They are questions at the architectural enforcement tier above identity, and they require different machinery to answer.
Auth for MCP enforces who is calling, with the same axis Okta’s IdP primitive enforces — now applied at the protocol layer. The corpus position is that agentic failures are dominantly about what is being done and why. These remain orthogonal axes. An action can be fully authenticated through Okta, properly scoped through Auth0, propagated faithfully via OBO, and policy-violating at every layer that matters.
Six Attack Surfaces the Identity Layer Does Not Reach
The corpus contains direct evidence for six classes of attack that are not addressed by either the Okta IdP-side primitive or the Auth0 protocol-side primitive. None of these is a criticism of either product; each is a description of where the identity boundary stops and where the architectural enforcement work continues.
Indirect prompt injection. OBO token exchange tells the downstream API the request is on behalf of the user. It does not — and cannot — tell the API whether the user asked for the action or whether a malicious document the agent was summarizing instructed the agent to ask for it. The agent legitimately holds the user’s token. The agent uses it correctly per protocol. The action is malicious. Authentication is fully satisfied while the attack succeeds. This is the entire premise of Greshake et al. and the line of work that followed it — the confused-deputy attack where the authenticated agent is the deputy.
Tool poisoning and rug-pull patterns. CIMD verifies that the client (Claude, ChatGPT, the agent runtime) is who it says it is. It does nothing to verify that the server’s tool definitions are what the user consented to. A legitimately registered MCP server can change its tool descriptions after consent, embed instructions in tool metadata that the model reads as guidance, or shadow legitimate tool names. The Invariant Labs findings on MCP tool poisoning live entirely outside the identity boundary. CIMD authenticates the wrong end of the connection for this class of risk.
Sandbox escape under compute scaling. Once the agent has an authenticated session and is executing inside whatever sandbox the MCP server provides, the identity layer cannot help. Marchand et al. (SandboxEscapeBench) documents log-linear scaling of escape success with available compute. The token is valid. The session is legitimate. The escape happens inside the trust boundary the identity layer has just established.
Formal-policy enforcement. VeriGuard (Miculicich et al., Google Cloud AI, October 2025) operates at a layer fundamentally different from OAuth scopes. The architectural-enforcement tier asks whether the agent’s planned action violates a formal policy specification regardless of who authorized it. OAuth asks whether the caller is permitted to invoke the endpoint. These are orthogonal. An action can be fully authorized and still policy-violating; the corpus position is that production agentic systems require both, and the second requires machinery the identity layer does not provide.
Coarse scope versus composed action space. An agent with calendar:write scope, acting on behalf of an authenticated user, can be socially engineered into writing a calendar event whose description exfiltrates data to an attacker-controlled URL. The scope check passes — at both the IdP layer and the protocol layer. The action is in-policy at the OAuth layer and out-of-policy at every layer that matters. This is the confused-deputy problem at the policy boundary — scopes are coarse compared to the action space agents can compose.
State propagation across the agent loop. OBO solves identity propagation across calls. It does not solve state propagation. The agent’s evolving belief state, scratchpad memory, accumulated tool outputs, and inter-step planning context — the actual surface where reasoning corruption compounds across a multi-step trajectory — are not in any token. Linear History Authorization argued that auth without state lineage is fragile. OBO is auth without state lineage. Better than what came before, still incomplete.
The Honest Accounting
Three observations close this dispatch.
The two-step Okta-to-Auth0 arc is the right kind of progress. Eleven days separate the IdP-side product from the protocol-side spec implementation. That is the cadence enterprise architects should welcome — a parent company that owns the upstream control plane shipping a downstream protocol primitive that operationalizes the same axis. The CIMD redirect-URI check is a clean structural defeat of client impersonation, OBO operationalizes what Linear History Authorization framed as missing, and the four primitives together raise the floor of any production MCP deployment that adopts them. Standards bodies — AIUC-1, the OWASP Agentic Security Initiative, the IETF OAuth working group — have been converging on identity primitives as necessary substrate; this two-step release is evidence of that convergence working.
Auth0 names its own structural caveat — the SSRF risk introduced by CIMD. In their own CIMD analysis, Auth0 flags that the authorization server now has to fetch a URL from a stranger, and that a malicious app can supply a URL pointing at an internal service like an instance metadata endpoint. The recommended hardening — block internal and loopback IP ranges, aggressive timeouts, response-size limits — is real protocol-level structural risk introduced by the cure. This is exactly the Fault Lines pattern the corpus has documented at multiple layers of the agentic stack: the structural fix at one layer becomes the structural risk at another. Auth0 has done the analytical work in public, which is the right register.
The corpus position has not changed, and it should not change. Identity is the floor, not the ceiling — at the IdP layer when Okta shipped it ten days ago, at the protocol layer when Auth0 shipped it today, and at every layer the standards bodies will surface in the next eleven days. Indirect prompt injection, tool poisoning, sandbox escape under compute scaling, formal-policy enforcement, scope-versus-composition gaps, and state propagation across the agent loop continue to require architectural enforcement above the identity layer. The two-step release is not the end of the conversation. It is the substrate on which the rest of the conversation now rests.
