Explore the evolving landscape of OAuth, AI agents, and security. Learn about the risks, challenges, and innovative solutions for robust access control in the age of AI.

The world of authorization is changing fast, especially with Large Language Model (LLM) agents becoming more prevalent. While OAuth has been a broadly accepted standard for access delegation, it's quickly becoming clear that it's no longer sufficient for the complex needs of AI agents. Here’s the lowdown on why OAuth falls short and what we need to do about it.
The Risks of Relying on OAuth for LLM Data Access
Getting authorization wrong can lead to serious trouble. Breaches are a prime example of what happens when authorization goes awry: in August 2025, attackers compromised OAuth tokens held by Drift, a chatbot used by other companies, gained access to Salesforce instances and exfiltrated data. The agentic risk isn’t limited to attackers compromising tokens and breaching systems. There’s also misuse: a person interacts with an LLM frontend as a normal user but obtains information they should not see, either by accident or through prompt jailbreaking. Only limiting the LLM’s access at an authorization enforcement layer will address this.
Why OAuth Isn't Enough
OAuth is great for access delegation, but it stumbles when it comes to agents. The model of embedding permissions in a token that is then reused many times has several limitations:
- OAuth Can’t Handle Advanced Policy Modeling: OAuth struggles with fine-grained permissions at a resource level. For LLM agents, you need to scope permissions at a resource or even field level.
- Static Tokens Are Limiting and Risky: Tokens are static, reflecting permissions at a specific time. Making dynamic changes to authorization is difficult. Plus, tokens can leak, leading to breaches.
- OAuth Can’t Record Agentic Actions: You often want to maintain records of all agent data access and actions. OAuth doesn't offer a way to record this.
A New Approach to Agentic Authorization
So, what's the solution? Implementing better authorization in the underlying resources that agents access. We need something with a different structure from the token-based OAuth method: a real-time policy engine that is consulted on every action, logs everything agents attempt to do (including on-behalf-of tracing), fires alerts, and supports human-in-the-loop least-privilege enforcement for when agents act incorrectly.
Separate from better authorization in the data sources and tools that agents use, agent authorization can be addressed at the tool access layer (e.g., MCP servers, agent frameworks). Any security-minded organization should be recording agent actions, running anomaly detection to catch misbehavior, dynamically reducing permissions or quarantining rogue agents, and maintaining an audit trail. The goal is automating the principle of least privilege: agents should be able to access only the tools they need for the task at hand.
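The per-action policy engine described above, contrasted with the static-token model of the previous section, as an added example that is not part of the original article. The tool names, principals, grants and the field-level scoping scheme are all constructed for illustration; every call is evaluated at the moment it happens, the agent's grant is intersected with the grant of the human it acts for, sensitive tools are held for a human, and every attempt is written to an audit list with its on-behalf-of chain.

```python
from dataclasses import dataclass, field

@dataclass
class Decision:
    allowed: bool
    fields: frozenset      # the requested fields actually granted
    hold: bool = False     # True: a human must approve before execution
    reason: str = "ok"

@dataclass
class PolicyEngine:
    # principal -> tool -> allowed fields ("*" means every field); constructed scheme
    grants: dict
    review_required: set = field(default_factory=set)  # tools held for a human
    audit: list = field(default_factory=list)           # every attempt, allowed or not

    def _allowed(self, principal, tool):
        return frozenset(self.grants.get(principal, {}).get(tool, ()))

    def authorize(self, agent, on_behalf_of, tool, requested):
        """Decide one tool call when it happens, not at token issue time."""
        requested = frozenset(requested)
        granted = requested
        # The agent and the human it acts for must both hold the permission:
        # the grant is the intersection, so an agent never exceeds its user.
        for principal in (agent, on_behalf_of):
            allowed = self._allowed(principal, tool)
            if "*" not in allowed:
                granted &= allowed
        denied = requested - granted
        decision = Decision(allowed=not denied and bool(requested), fields=granted,
                            hold=tool in self.review_required,
                            reason="denied fields: %s" % sorted(denied) if denied else "ok")
        # The on-behalf-of chain is recorded per call; a bearer token cannot give you that.
        self.audit.append({"agent": agent, "on_behalf_of": on_behalf_of, "tool": tool,
                           "requested": sorted(requested), "allowed": decision.allowed,
                           "hold": decision.hold})
        return decision

def demo():
    """Constructed grants: one support agent acting for two different users."""
    engine = PolicyEngine(
        grants={"support-agent": {"crm.read_contact": {"name", "email"},
                                  "crm.delete_contact": {"*"}},
                "alice@example.com": {"crm.read_contact": {"*"},
                                      "crm.delete_contact": {"*"}},
                "bob@example.com": {"crm.read_contact": {"name"}}},
        review_required={"crm.delete_contact"})
    return engine, [
        engine.authorize("support-agent", "alice@example.com", "crm.read_contact", ["name", "email"]),
        engine.authorize("support-agent", "alice@example.com", "crm.read_contact", ["name", "ssn"]),
        engine.authorize("support-agent", "bob@example.com", "crm.read_contact", ["name", "email"]),
        engine.authorize("support-agent", "alice@example.com", "crm.delete_contact", ["name"]),
    ]
```

The second and third calls show the two ways a request is narrowed: a field the agent itself was never granted, and a field the human behind the request cannot see; the fourth is allowed but held for review.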
Emerging Attack Vectors and How to Defend Against Them
Attackers are always finding new ways to breach systems, and identity-based attacks are on the rise. Here are a few techniques to watch out for, based on Wiz telemetry:
- Device Code Phishing: Attackers lure victims into entering a device code, granting the attacker a token. Less than 50% of customers enforce Conditional Access policies that block device code authentication.
- Resource Owner Password Credentials (ROPC): A legacy OAuth mechanism that exchanges a username and password directly for a token, skipping modern safeguards. Fewer than 45% of customers enforce Conditional Access policies that block ROPC authentication.
- Device Registration for Persistence: Attackers register a device to bypass Conditional Access restrictions, obtaining a Primary Refresh Token (PRT) for continued access.
Wiz’s Role in Enhancing Security
Wiz Defend provides deep visibility into identity-based attack activity in Entra ID, with real-time detections built to identify the techniques used in device-code phishing, ROPC abuse, and Conditional Access evasion. Wiz Defend includes dedicated detection rules that alert on these behaviors:
- Unusual Device Code Flow Detected
- Sign-in by Entra ID User using ROPC protocol to unusual application and resource
- Suspicious ROPC authentication for conditional access policy bypass
- Suspicious device registration attempt
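Detection logic for the three techniques listed above and the four rule names just given, as an added example that is not Wiz Defend's code. It runs over constructed Entra ID-style sign-in events; the field names follow the Microsoft Graph signIn resource (authenticationProtocol, appDisplayName, resourceDisplayName, conditionalAccessStatus) and the audit record shape for a device registration is an assumption. "Unusual" means a protocol/app/resource combination the user has not used in the baseline window.

```python
from collections import defaultdict

def ev(user, protocol, app, resource, ca):
    """Shape a constructed sign-in event after the Graph signIn fields."""
    return {"userPrincipalName": user, "authenticationProtocol": protocol,
            "appDisplayName": app, "resourceDisplayName": resource,
            "conditionalAccessStatus": ca}

# Constructed baseline: sign-ins from a prior window, assumed benign.
BASELINE = [
    ev("alice@example.com", "oAuth2", "Outlook", "Exchange Online", "success"),
    ev("alice@example.com", "oAuth2", "Teams", "Microsoft Graph", "success"),
    ev("bob@example.com", "ropc", "LegacyMailSync", "Exchange Online", "notApplied"),
]
# Constructed events under review; the last is an audit record of a device
# registration (its field names are an assumption, not a documented schema).
EVENTS = [
    ev("alice@example.com", "deviceCode", "Azure CLI", "Microsoft Graph", "notApplied"),
    ev("bob@example.com", "ropc", "LegacyMailSync", "Exchange Online", "notApplied"),
    ev("bob@example.com", "ropc", "UnknownClient", "Microsoft Graph", "notApplied"),
    ev("alice@example.com", "oAuth2", "Outlook", "Exchange Online", "success"),
    {"userPrincipalName": "alice@example.com", "activityDisplayName": "Register device"},
]

def triple(e):
    return (e["authenticationProtocol"], e["appDisplayName"], e["resourceDisplayName"])

def build_baseline(events):
    """Per-user set of (protocol, app, resource) combinations seen before."""
    seen = defaultdict(set)
    for e in events:
        seen[e["userPrincipalName"]].add(triple(e))
    return seen

def detect(events, baseline):
    """Return (rule, user, detail) alerts; alerts are ordered as events arrive."""
    alerts, flagged_users = [], set()
    for e in events:
        user, before = e["userPrincipalName"], len(alerts)
        if e.get("activityDisplayName") == "Register device":
            # A registration right after a suspicious sign-in by the same user
            # is the persistence step that yields a Primary Refresh Token.
            if user in flagged_users:
                alerts.append(("suspicious_device_registration", user, "Register device"))
            continue
        proto, app, unusual = e["authenticationProtocol"], e["appDisplayName"], triple(e) not in baseline[user]
        if proto == "deviceCode" and unusual:
            alerts.append(("unusual_device_code_flow", user, app))
        if proto == "ropc" and unusual:
            alerts.append(("ropc_to_unusual_app_and_resource", user, app))
        if proto == "ropc" and e["conditionalAccessStatus"] == "notApplied":
            alerts.append(("ropc_without_conditional_access", user, app))
        if len(alerts) > before:
            flagged_users.add(user)
    return alerts
```

Note that bob's long-standing ROPC client still raises the conditional-access alert even though it is in the baseline: the gap the text describes is the missing policy, not only the novelty of the client.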
The Broader Impact: Tokenization and Real-World Assets
Beyond security, tokenization is revolutionizing how assets are managed. Nomura Holdings launched a security token offering, tokenizing an 8 billion yen venture capital fund. This signals a shift in how institutional capital is raised and managed, leveraging blockchain’s power for efficiency. The benefits include increased liquidity, fractional ownership, and automated compliance.
Wrapping Up
Without a new approach to agentic authorization, we should expect to see more disasters as agents proliferate. If we can get ahead of the authorization problem, we can realize the promise of AI agents without the risks. So, let’s keep our eyes peeled, stay informed, and ensure we're not just keeping up with the times, but staying a step ahead. After all, in the world of OAuth, agents, and security, being proactive is the name of the game. Cheers to a safer, smarter future!