From protocol to practice: Secure the AI agent ecosystem with Duo
In our last post, OAuth 2.0’s Next Chapter: Enabling the AI Security Revolution, we explored how OAuth is evolving from a background standard into an essential guardrail for the tidal wave of AI Agents that is already among us. We established that without strong, identity-bound, and time-limited delegation, the interoperability promised by frameworks like the Model Context Protocol (MCP) could introduce uncontrolled risk.
Today, we’re taking the next step: moving from the why to the how. How do we practically secure an ecosystem where AI agents need to coordinate tasks, access data, and operate on behalf of users across different application and organization boundaries?
This is precisely the challenge MCP was designed to solve, and it’s why it relies on OAuth as its backbone.
Making MCP enterprise-ready
MCP provides a common language for applications and AI Agents, enabling them to coordinate complex, multi-step tasks. With strong interoperability comes the need for an equally strong identity security model. An agent accessing multiple systems must be strictly governed by the principle of least privilege.
This is where Duo’s security-first IAM strategy comes into play. To help organizations safely adopt this new framework, we are releasing a new, dedicated “Model Context Protocol (MCP)” integration in Duo, now available in Beta!
This integration aligns with the MCP specification, simplifying the process of securing Agentic AI actions. It builds on the same securely segmented authorization server model that we discussed in the previous post, ensuring that each integration is in an isolated security boundary, preventing unauthorized movement.
New capabilities for a new architecture
The AI security landscape is evolving rapidly, and staying ahead requires agility. With the release of the latest MCP specification on November 25, the standard is further refining how agents and servers establish trust.
The new spec recommends specific OAuth capabilities to ensure both security and interoperability. To align with these latest standards and provide a robust platform for modern applications, we’ve added support for two much-needed RFCs to both our new Model Context Protocol (MCP) integration and our OAuth 2.1/OIDC integration (also in Beta). Furthermore, we are already preparing support for Client ID Metadata Documents.
Dynamic Client Registration (RFC 7591)
The Challenge: In dynamic ecosystems, like one where tens of thousands of AI Agent actions occur, agents and applications may be created, deployed, and destroyed on the fly, often per MCP tool call. Manually registering every new agent as an OAuth client in Duo is a non-starter. It simply doesn’t scale.
The Solution: DCR allows these agents to register themselves with Duo securely and automatically. This enables a scalable “self-service” model for new applications and agents to join your Duo ecosystem without sacrificing administrative control. You retain full control over the access level of dynamically registered clients relative to those that are manually registered.
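As an added illustration (not Duo's implementation), here is how a registration endpoint can apply policy to a self-registering client's RFC 7591 metadata. The allowed grants, auth methods and scope names are hypothetical policy values chosen for this example.

```python
import secrets
import time
from urllib.parse import urlsplit

# Hypothetical policy for self-registered clients (assumed values, not Duo defaults).
ALLOWED_GRANTS = {"authorization_code", "refresh_token"}
ALLOWED_AUTH_METHODS = {"none", "private_key_jwt"}
MAX_SCOPES = {"mcp:tools.read", "mcp:tools.call"}
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def redirect_uri_ok(uri: str) -> bool:
    """Accept https anywhere, plain http only on loopback, never fragments."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False
    if parts.fragment or not parts.hostname:
        return False
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def register_client(metadata: dict) -> dict:
    """Validate RFC 7591 client metadata; raise ValueError(<error code>) on reject."""
    uris = metadata.get("redirect_uris") or []
    if not uris or not all(isinstance(u, str) and redirect_uri_ok(u) for u in uris):
        raise ValueError("invalid_redirect_uri")
    grants = set(metadata.get("grant_types", ["authorization_code"]))
    if not grants <= ALLOWED_GRANTS:
        raise ValueError("invalid_client_metadata")
    auth = metadata.get("token_endpoint_auth_method", "client_secret_basic")
    if auth not in ALLOWED_AUTH_METHODS:
        raise ValueError("invalid_client_metadata")
    # Scope is narrowed to policy rather than rejected: RFC 7591 lets the
    # server replace requested values, and the response echoes what was registered.
    requested = set(metadata.get("scope", "").split())
    granted = sorted(requested & MAX_SCOPES)
    return {
        "client_id": secrets.token_urlsafe(16),
        "client_id_issued_at": int(time.time()),
        "redirect_uris": uris,
        "grant_types": sorted(grants),
        "token_endpoint_auth_method": auth,
        "scope": " ".join(granted),
    }
```

The client must read the returned `scope` and `grant_types` rather than assume its request was granted as submitted.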
Resource Indicators (RFC 8707)
The Challenge: A standard OAuth token confirms who a user is, but it’s often vague about what they are trying to access. An AI agent might get a token valid for your internal API, but should that token also work for your Snowflake or SailPoint MCP servers?
The Solution: Resource Indicators allow the agent (the client) to explicitly state the specific resource (the “audience”) it intends to access during the authorization request. This allows Duo to issue a token that is only valid for that specific resource. This is a massive step forward for enforcing least-privilege, ensuring a token intended for one service cannot be replayed or accepted by another.
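The audience binding described above, as an added example that is not Duo's code: the client sends the RFC 8707 `resource` parameter, the authorization server copies it into `aud`, and each resource server accepts only tokens naming itself. The signing key and resource URLs are constructed, and the token is a minimal HS256 JWT built with the standard library so the example runs offline.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

KEY = b"constructed-demo-key"  # stand-in for the authorization server's signing key
# Constructed resource identifiers for two different servers.
INTERNAL_API = "https://api.example.com/mcp"
DATA_MCP = "https://data-mcp.example.com/mcp"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authorization_url(endpoint: str, client_id: str, redirect_uri: str, resource: str) -> str:
    """Client side: authorization request carrying the `resource` parameter."""
    return endpoint + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "resource": resource,
    })


def mint_token(subject: str, resource: str, ttl: int = 300) -> str:
    """Authorization-server side: bind the token to one resource via `aud`."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "aud": resource, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def accept_token(token: str, my_resource: str) -> bool:
    """Resource-server side: check signature, expiry, then exact audience match."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(expected), sig):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, TypeError):
        return False
    if claims.get("exp", 0) <= time.time():
        return False
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return my_resource in audiences
```

The audience check only helps if every resource server performs it against its own identifier; a server that skips it will still accept tokens minted for a neighbour.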
Looking ahead: Client ID Metadata Documents
A major highlight of the new MCP specification is the shift toward Client ID Metadata Documents (CIMD).
What it is: CIMD allows an agent to use a secure HTTPS URL as its client_id. This URL points to a verified JSON document hosting the agent's metadata (like its name and redirect URIs).
Why it matters: This capability removes the friction of registration entirely for trusted agents, allowing servers and clients to establish trust without a prior relationship.
Our approach: While Dynamic Client Registration is the standard today, CIMD is the future. We are actively building support for Client ID Metadata Documents to ensure that as the MCP spec matures, Duo remains the most secure and compatible platform for your agentic workforce.
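To make the CIMD idea concrete, the following added example (not Duo's code and not taken from the MCP specification text) shows checks an authorization server can run when a client_id is an HTTPS URL. The exact rule set here is an assumption modelled on the idea described above: the URL must be well formed, the document must name that same URL, and the requested redirect URI must be listed in it. Fetching is left out so the example runs offline, and the sample URL and document are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the URL an agent presents as client_id and the
# JSON document served at that URL (names and hosts are hypothetical).
SAMPLE_CLIENT_ID = "https://agent.example.com/oauth/client.json"
SAMPLE_DOCUMENT = json.dumps({
    "client_id": SAMPLE_CLIENT_ID,
    "client_name": "Example Agent",
    "redirect_uris": ["https://agent.example.com/callback"],
})


def client_id_url_ok(client_id: str) -> bool:
    """Shape checks on a URL used as client_id, run before any fetch."""
    try:
        p = urlsplit(client_id)
    except ValueError:
        return False
    if p.scheme != "https" or not p.hostname or not p.path:
        return False
    if p.username or p.password or p.fragment:
        return False
    segments = p.path.split("/")
    return "." not in segments and ".." not in segments


def resolve_client(client_id: str, document_text: str, redirect_uri: str) -> dict:
    """Return client metadata only if the fetched document backs the request."""
    if not client_id_url_ok(client_id):
        raise ValueError("client_id is not an acceptable https URL")
    try:
        doc = json.loads(document_text)
    except ValueError:
        raise ValueError("metadata document is not valid JSON") from None
    # The document must name the URL it was served from, so a document
    # copied or proxied from elsewhere is not accepted under this URL.
    if not isinstance(doc, dict) or doc.get("client_id") != client_id:
        raise ValueError("document client_id does not match its URL")
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list) or redirect_uri not in uris:
        raise ValueError("redirect_uri is not listed in the document")
    return {"client_id": client_id, "client_name": doc.get("client_name", ""),
            "redirect_uri": redirect_uri}
```

Because the server fetches a URL supplied by the client, the fetcher that feeds `document_text` should also refuse private and loopback destinations and cap response size.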
We need your feedback
These new integrations are in Beta now! You can find them in the Duo Admin Panel by searching for “Model Context Protocol (MCP)” or “OAuth 2.1”. Your insights are crucial as we continue to build the secure foundation for the next generation of applications and AI Agents.
Help us shape the future of security-first identity for the agentic era!
Ready to test our new MCP integration and advanced OAuth 2.1 capabilities? Let us know if you have any feedback or want to connect!