OAuth Scopes Cannot Express Task Boundaries
OAuth scopes grant blanket permissions. The Slack consent prompt offered Andres Aguiar only one option: full access to all channels. “OAuth scopes don’t grant you authorization,” Abhishek Hingnikar said. “They grant you permission to do things on your behalf.” The agent holds keys to every resource it might need. IT teams can add downstream policies (blocking posts in #general), but the scope itself has no mechanism to limit the agent to reading one project or posting in one channel.
Prompt Injection as Social Engineering for Agents
The same prompt that triggered a legitimate task was modified with an execution checklist instructing the agent to send project details to an external email. Claude rejected a direct email request, calling it prompt injection. But the disguised version succeeded. “Prompt injection is kind of social engineering for agents,” Aguiar said. The attack worked because the agent retained full access to email, Slack, and Linear simultaneously. Hingnikar noted that the agent had too much access for a summarization task.
Task-Based Authorization Limits Access at Runtime
When the user submits a prompt, the system creates a task and links permissions to that task, not to the user or the agent. Aguiar built a FastMCP middleware that collects metadata from each tool: what resource it accesses, what parameter carries the resource ID, and how to discover available resources. The system then grants the task permission to call specific tools with specific parameters. For the summarization task, the agent could read the MCP project and post to one Slack channel. It could not access email.
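The runtime check described above, as an added Python sketch that is not Aguiar's FastMCP middleware or the OpenFGA SDK: each tool's metadata names the parameter carrying the resource ID, a task holds grants as (task, tool, resource) tuples in the spirit of OpenFGA tuples, and every call is checked against the task before the tool runs. Tool names, parameter names and IDs are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class ToolMeta:
    """Metadata each tool exposes to the middleware (constructed for this example)."""
    resource_type: str  # kind of resource the tool touches
    id_param: str       # which call argument carries the resource ID

# Tool registry the middleware would assemble from tool metadata; names are constructed.
TOOLS = {
    "linear.read_project": ToolMeta("linear_project", "project_id"),
    "slack.post_message": ToolMeta("slack_channel", "channel_id"),
    "gmail.send": ToolMeta("mailbox", "account"),
}

class TaskAuthorizer:
    """Stores grants as (task, tool, resource) tuples, modelled loosely on OpenFGA tuples.
    Grants belong to the task, not to the user or the agent."""

    def __init__(self) -> None:
        self._grants: set[tuple[str, str, str]] = set()

    def create_task(self, task_id: str, grants: list[tuple[str, str]]) -> None:
        """Register what this task may call: [(tool_name, resource_id), ...]."""
        for tool, resource_id in grants:
            meta = TOOLS[tool]  # unknown tool names fail loudly at task creation
            self._grants.add((task_id, tool, f"{meta.resource_type}:{resource_id}"))

    def check(self, task_id: str, tool: str, args: dict) -> bool:
        """Allow only if the task holds a grant for this tool on the resource in args."""
        meta = TOOLS.get(tool)
        if meta is None:
            return False  # tool not registered: deny by default
        resource_id = args.get(meta.id_param)
        if resource_id is None:
            return False  # cannot identify the resource: deny rather than guess
        return (task_id, tool, f"{meta.resource_type}:{resource_id}") in self._grants

def dispatch(authz: TaskAuthorizer, task_id: str, tool: str, args: dict) -> str:
    """Middleware hook: check the grant before the tool runs; return a decision log line."""
    verdict = "ALLOW" if authz.check(task_id, tool, args) else "DENY"
    return f"{verdict} task={task_id} tool={tool} args={args}"

def summarization_task() -> TaskAuthorizer:
    """The summarization task from the talk: read one project, post to one channel."""
    authz = TaskAuthorizer()
    authz.create_task("task-1", [("linear.read_project", "MCP"),
                                 ("slack.post_message", "C-project-updates")])
    return authz
```

A mail tool is never granted to the summarization task, so an injected "send project details by email" instruction is denied at dispatch regardless of what the agent's OAuth tokens would allow.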
Intent Inference Needs Containment
Inferring intent from a prompt is an open problem. A Cisco paper found that with a small tool set the model performed well, but as the number of tools increased it downscoped permissions, granting fewer than needed. Aguiar noted that models may improve, but containment strategies remain necessary. Nvidia Open Shell provides sandboxed agent execution. MCP gateways and policy layers in Envoy add defense. “We are not going to solve this just with intent-based authorization,” he said. Multiple independent layers must work together.
Notable Quotes
“agent has too much access” (Andres Aguiar, 7:59)
“social engineering for agents” (Andres Aguiar, 7:26)
“intent and mission is not enough” (Andres Aguiar, 24:58)
Key Takeaways
- OAuth scopes grant blanket access; task-based authorization limits agents per task.
- Prompt injection succeeds when agents hold access to more tools than needed.
- OpenFGA enforces per-task, per-tool permissions with resource-level granularity.
About the Speaker(s)
Andres Aguiar is Director of Product at Okta. He works on solving authorization with OpenFGA, the open-source authorization platform he leads.