Explore the evolving landscape of OAuth, AI agents and security. Learn about the risks, challenges and emerging solutions for robust access control in the age of AI.

The world of authorization is changing fast, especially as Large Language Model (LLM) agents become more prevalent. OAuth has been the broadly accepted standard for access delegation, but it is quickly becoming clear that it is no longer sufficient for the complex needs of AI agents. Here is the lowdown on why OAuth falls short and what we need to do about it.
The Risks of Relying on OAuth for LLM Data Access
Getting authorization wrong leads to serious trouble, and breaches are the clearest example of what happens when it goes awry. In August 2025, attackers compromised OAuth tokens held by Drift, a chatbot used by other companies, used them to access those companies' Salesforce instances, and exfiltrated data. The agentic risk is not limited to attackers compromising tokens and breaching systems. There is also misuse: a normal user interacting with an LLM frontend obtains information they are not entitled to, either by accident or through prompt jailbreaking. Only limiting the LLM's access at an authorization enforcement layer addresses this.
Why OAuth Isn't Enough
OAuth is great for access delegation, but it stumbles when it comes to agents. The model of embedding permissions in a token that is then reused many times has several limitations:
- OAuth Can’t Handle Advanced Policy Modeling: OAuth scopes are coarse and struggle to express fine-grained permissions at the resource level. For LLM agents, you need permissions scoped to individual resources or even individual fields.
- Static Tokens Are Limiting and Risky: A token is static and reflects the permissions granted at the moment it was issued, so changing authorization dynamically is difficult. Tokens can also leak, and a leaked token leads directly to a breach.
- OAuth Can’t Record Agentic Actions: You usually want a record of every piece of data an agent accessed and every action it took. OAuth offers no way to record this.
A New Approach to Agentic Authorization
So, what is the solution? Better authorization in the underlying resources that agents access. It needs a different structure from token-based OAuth: a real-time policy engine that is consulted on every action, logs everything agents attempt (including on-behalf-of tracing of which user an agent is acting for), fires alerts, and supports human-in-the-loop least-privilege enforcement for when agents act incorrectly.
Separately from better authorization in the data sources and tools that agents use, agent authorization can also be enforced at the tool access layer (e.g., MCP servers and agent frameworks). Any security-minded organization should be recording agent actions, running anomaly detection to catch misbehavior, dynamically reducing permissions or quarantining rogue agents, and maintaining an audit trail. The goal is to automate the principle of least privilege: an agent should be able to reach only the tools it needs for the task at hand.
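As an added example (not code from the article or from Wiz), here is the policy-engine pattern above in miniature: every agent action is checked against a resource- and field-scoped policy, logged together with the on-behalf-of user, held for human approval when the tool is sensitive, and repeated denials quarantine the agent. The agent, tool and resource names, the policy and the thresholds are constructed assumptions.

```python
"""Added example (not from the article): a minimal real-time authorization
layer for agent tool calls. Policy, agents, tools and thresholds are made up."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed policy store: per agent, allowed tools scoped to resources and fields.
POLICY = {
    "support-agent": {
        "crm.read_contact": {"resources": {"contact:*"}, "fields": {"name", "email"}},
        "crm.update_contact": {"resources": {"contact:*"}, "fields": {"notes"}},
    },
}
REQUIRE_HUMAN = {"crm.update_contact"}  # tools that need a human approver
DENY_THRESHOLD = 3  # denials before an agent is quarantined

@dataclass
class Engine:
    audit: list = field(default_factory=list)
    denials: dict = field(default_factory=dict)
    quarantined: set = field(default_factory=set)

    def authorize(self, agent, on_behalf_of, tool, resource, fields, approved=False):
        """Evaluate one agent action, record it, and return (decision, reason)."""
        decision, reason = self._decide(agent, tool, resource, set(fields), approved)
        self.audit.append({  # every attempt is logged, allowed or not
            "ts": datetime.now(timezone.utc).isoformat(), "agent": agent,
            "on_behalf_of": on_behalf_of, "tool": tool, "resource": resource,
            "fields": sorted(fields), "decision": decision, "reason": reason,
        })
        if decision == "deny":
            self.denials[agent] = self.denials.get(agent, 0) + 1
            if self.denials[agent] >= DENY_THRESHOLD:
                self.quarantined.add(agent)  # alert and cut the agent off
        return decision, reason

    def _decide(self, agent, tool, resource, fields, approved):
        if agent in self.quarantined:
            return "deny", "agent quarantined"
        grant = POLICY.get(agent, {}).get(tool)
        if grant is None:
            return "deny", "tool not granted"
        resource_type = resource.split(":", 1)[0] + ":*"  # e.g. contact:123 -> contact:*
        if resource not in grant["resources"] and resource_type not in grant["resources"]:
            return "deny", "resource out of scope"
        if not fields <= grant["fields"]:
            return "deny", "field out of scope: " + ",".join(sorted(fields - grant["fields"]))
        if tool in REQUIRE_HUMAN and not approved:
            return "pending", "human approval required"
        return "allow", "policy match"
```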
Emerging Attack Vectors and How to Defend Against Them
Attackers keep finding new ways to breach systems, and identity-based attacks are on the rise. Here are a few techniques to watch out for, based on Wiz telemetry:
- Device Code Phishing: Attackers lure victims into completing a device-code login, which grants the attacker a token. Fewer than 50% of customers enforce Conditional Access policies that block device code authentication.
- Resource Owner Password Credentials (ROPC): A legacy OAuth mechanism that exchanges a username and password directly for a token, skipping modern safeguards. Fewer than 45% of customers enforce Conditional Access policies that block ROPC authentication.
- Device Registration for Persistence: Attackers register a device to bypass Conditional Access restrictions and obtain a Primary Refresh Token (PRT) for continued access.
Wiz’s Role in Enhancing Security
Wiz Defend provides deep visibility into identity-based attack activity in Entra ID, with real-time detections built to identify the techniques used in device-code phishing, ROPC abuse, and Conditional Access evasion. It includes dedicated detection rules that alert on these behaviors:
- Unusual Device Code Flow Detected
- Sign-in by Entra ID User using ROPC protocol to unusual application and resource
- Suspicious ROPC authentication for conditional access policy bypass
- Suspicious device registration attempt
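An added example (not Wiz Defend's rules) of how the detections listed above can be expressed over constructed Entra ID-style sign-in and audit records, covering the three techniques from the previous section. It assumes a per-user baseline of known apps and IPs and uses simplified field names modelled on the Microsoft Graph sign-in log (authenticationProtocol, appId, ipAddress, conditionalAccessStatus); it also goes one step beyond the list by escalating a device registration that follows an already-flagged sign-in from the same IP.

```python
"""Added example (not Wiz Defend's rules): detection logic for device-code
phishing, ROPC abuse and device registration, run over constructed Entra
ID-style records. Field names are modelled on Microsoft Graph sign-in logs;
the baseline, user, app ids and IPs are made up for this example."""

# Constructed baseline: apps and IPs each user has been seen with before.
BASELINE = {
    "alice@example.com": {"apps": {"app-mail"}, "ips": {"203.0.113.10"}},
}
# Constructed records, oldest first: one normal sign-in, then the chain.
RECORDS = [
    {"user": "alice@example.com", "authenticationProtocol": "oAuth2",
     "appId": "app-mail", "ipAddress": "203.0.113.10", "conditionalAccessStatus": "success"},
    {"user": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appId": "app-mail", "ipAddress": "198.51.100.7", "conditionalAccessStatus": "notApplied"},
    {"user": "alice@example.com", "authenticationProtocol": "ropc",
     "appId": "app-legacy", "ipAddress": "198.51.100.7", "conditionalAccessStatus": "notApplied"},
    {"user": "alice@example.com", "event": "Register device", "ipAddress": "198.51.100.7"},
]

def detect(records, baseline):
    """Return findings as (rule, user, ip, severity). A device registration
    that follows an already-flagged sign-in from the same IP is escalated."""
    findings = []
    flagged = set()  # (user, ip) pairs that already produced a finding
    for r in records:
        user, ip = r["user"], r["ipAddress"]
        known = baseline.get(user, {"apps": set(), "ips": set()})
        proto = r.get("authenticationProtocol")
        new_ip = ip not in known["ips"]
        ca_not_applied = r.get("conditionalAccessStatus") == "notApplied"
        before = len(findings)
        if proto == "deviceCode" and new_ip:
            findings.append(("Unusual device code flow", user, ip, "medium"))
        if proto == "ropc" and (r.get("appId") not in known["apps"] or new_ip):
            findings.append(("ROPC sign-in to unusual application", user, ip, "medium"))
        if proto == "ropc" and ca_not_applied:
            findings.append(("ROPC with Conditional Access not applied", user, ip, "medium"))
        if r.get("event") == "Register device" and new_ip:
            severity = "high" if (user, ip) in flagged else "medium"
            findings.append(("Suspicious device registration", user, ip, severity))
        if len(findings) > before:
            flagged.add((user, ip))
    return findings
```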
The Broader Impact: Tokenization and Real-World Assets
Beyond security, tokenization is revolutionizing how assets are managed. Nomura Holdings launched a security token offering that tokenizes an 8 billion yen venture capital fund. This signals a shift in how institutional capital is raised and managed, using blockchain for efficiency. The benefits cited include increased liquidity, fractional ownership, and automated compliance.
Wrapping Up
Without a new approach to agentic authorization, we should expect more disasters as agents proliferate. If we can get ahead of the authorization problem, we can realize the promise of AI agents without the risks. So let’s keep our eyes peeled, stay informed, and make sure we are not just keeping up with the times but staying a step ahead. After all, in the world of OAuth, agents, and security, being proactive is the name of the game. Cheers to a safer, smarter future!