This article was originally published on Medium.
The advent of Agentic AI platforms marks a significant leap in enterprise automation and intelligence. These platforms leverage AI Agents - software systems that use Artificial Intelligence (AI) to pursue goals and complete actions on behalf of users. At their core, these agents utilize large language models (LLMs) as reasoning engines. The ability of AI Agents to dynamically access and execute external tools and resources is facilitated thanks to the Model Context Protocol (MCP), an open protocol that enables AI Agents to interact with and access external tools and resources. While incredibly powerful, this capability also introduces new and complex security risks.
At TwoGenIdentity, our journey began with an interactive AI Agent scenario - an exploration of how agents can act on behalf of users in enterprise environments. We then introduced our broader vision: the Agentic AI Platform, combining identity, security, and open standards.
Now, we bring it all together to showcase how our Agentic AI Identity Access Plus Platform, powered by the Oryon Agent, enables real-world implementations that follow open standards, enforce robust security, and elevate the user experience. This isn’t just theory -it’s a fully operational solution designed to address the growing complexity of enterprise Identity and Access Management (IAM).
In this scenario, the AI agent is integrated with our Keycloak MCP Server, enabling it to take secure actions within the IAM platform. This is made possible by our MCP server’s support for open standards and fine-grained authorization policies. With this integration, you can govern your IAM platform simply by chatting with the agent. We’ll cover more details about the Keycloak MCP Server in a separate article.
What makes our approach innovative is the agent’s ability to orchestrate IAM processes, enforce dynamic authorization policies in real time, and control the authentication flow - what we call the OAuth Ceremony to strengthen security during critical operations. By integrating native passkey support and step-up authentication, we create a seamless and secure experience for users, all while maintaining full alignment with enterprise IAM standards and open protocols.
In my view, we often overcomplicate things by introducing too many new concepts and complex standards - ones that may work well in theory but are difficult to implement in practice. That said, such standards can be valuable in complex scenarios, as long as we clearly define those scenarios. My approach is to keep things as simple as possible when the context allows. In this article, we shift from theory to practice in an enterprise context. We’ll demonstrate how open standards can be effectively used to build a secure Agentic AI architecture.
While we use our own platform in the demonstration, the core concepts are transferable and can be applied to your own AI framework as well.
Table of contents
Open Table of contents
- Beyond Vision: What We Want to Enhance
- Understanding the Agentic AI Ecosystem in the MCP scenario (The Theory)
- Our IAM Enterprise Scenario: Interactive AI Agent in a Single-Trust Domain
- Agentic AI Identity Access Plus Platform: Elevating Enterprise Security Through Innovation
- Simplified Agentic AI Flow
- Deep Dive: Distributed Access Control Across in Agentic AI Components
- Showcasing the Agentic AI Identity Access Plus Platform
- Wrapping Up: From Vision to Execution
- References
Beyond Vision: What We Want to Enhance
Building an AI-driven platform for enterprise use is not just about having a powerful agent or just talking about MCP - it’s about doing it right: securely, scalably, and in alignment with existing enterprise policies and standards. To provide a complete picture, we implement all the AI components, ensuring we have the tools to apply access control at every step of the AI journey.
Our implementation focuses on:
- Adhering to open standards such as OAuth 2.0 and OpenID Connect.
- Enabling dynamic, real-time authorization.
- Following OpenID AuthZen Guidelines for decoupling authorization and policy as code.
- Enforcing fine-grained policies based Relationship-Based Access Control (ReBAC).
Innovations introduced through TwoGenIdentity AI and IAM components include:
- Oryon, our AI agent, operates within an agentic framework to orchestrate authentication and dynamic authorization flows, delivering enhanced security and user experience through native authentication with passkeys. This approach leverages API-based authentication based on OAuth 2.0 for First-Party Applications, where the application controls the login experience and dynamically requests higher levels of assurance using information from the Identity Provider.
- Implement and enforce security at multiple stages of the AI journey using multiple Policy Enforcement Points (PEPs) across different layers of the AI ecosystem. Adopt a Zero-Trust-Ready Architecture that supports identity-centric Zero Trust principles, including continuous verification, least-privilege access, and adaptive security.
Some of the topics - such as decoupling authorization and policy as code, Fine-Grained Authorization (FGA), and native authentication with passkeys - are subjects I’ve covered in conferences and written about. If you’d like to learn more, you’ll find references at the end of this article.
Understanding the Agentic AI Ecosystem in the MCP scenario (The Theory)
To securely expose your Agentic AI ecosystem, it’s essential to have a clear understanding of all the components involved. In an Agentic Platform focused on implementing MCP, you typically have the following elements - I’m not going into the details, as there is already a lot of information available on this topic:
- The end user who interacts with the Agentic AI Platform (MCP Host) and the AI Agent.
- MCP Host: The local execution environment where the AI Agent operates and interacts with the AI model and the MCP server.
- AI Agent: The software agent that orchestrates actions, decides when to use tools, and manages conversations or workflows based on context.
- AI Model: the language model instance used for generating responses or processing user input.
- MCP Client (Remote): A module within the MCP Host that connects to a remote MCP Server. It fetches tools, resources, and prompts defined remotely for dynamic use.
- LLM Service: An external service providing access to large language models (LLMs). The AI Model communicates with this service to generate text-based responses.
- MCP Server: The remote service that stores and manages tools, resources, and prompts used by the AI Agent.It acts as a backend to extend the agent’s capabilities.
- MCP: is an open protocol that standardizes how applications provide context to LLMs.
- API: The interface used by the MCP Server to access data sources and resources - such as databases, knowledge graphs, or RESTful services.
Before jumping into our scenario, it’s worth noting that the MCP Base Protocol now includes an Authorization section that recommends using OAuth 2.1. This provides a solid foundation to build upon. As a result, you’ll encounter several technical concepts related to the OAuth 2.1 standard.
Here is a great article by Aaron Parecki that clarifies the roles of the OAuth 2.0 Authorization Server and Resource Server in the MCP scenario, which will be used as a pillar here. So, check it out if those roles aren’t clear to you.
Just to provide a bit of context before we continue, OAuth is an access delegation standard that enables an application (such as a service or agent, in our case) to securely obtain temporary permission to access a user’s resources without the user needing to share their actual credentials. After successful authentication, the Identity Provider issues a temporary access token to the application, allowing it to act on the user’s behalf securely and within a limited scope.
Our IAM Enterprise Scenario: Interactive AI Agent in a Single-Trust Domain
In the broad landscape of AI agents, many different scenarios exist. We specifically focus on one critical enterprise scenario: the interactive AI agent acting on behalf of the user to execute operations using enterprise tools, all within a single-trust domain in a first-party context. This means the enterprise retains full control over all AI components.
This particular scenario addresses key enterprise requirements and concerns:
- No Dependency on third-party MCP Hosts or AI Agents: In some cases Enterprises do not want to rely on third-party MCP Hosts such as Claude, Cursor, or VS Code Copilot, especially those using fixed bearer tokens or static authorization. Instead, they want to deploy and manage their own Agents and MCP servers within their enterprise environment or private cloud.
- Integration with Enterprise Identity Providers (IdPs): MCP servers and AI agents must integrate seamlessly with the enterprise’s existing Identity Provider (e.g., Keycloak, Azure AD, Okta) using open standards like OAuth 2.0 or OIDC. This ensures that authentication and authorization flows are consistent with corporate security policies.
- Full Control Over Agents and LLMs: Enterprises demand complete control over which AI agents and LLM models are deployed, updated, and used.
- Add Layers of Fine-Grained Authorization (FGA) and dynamic authorization policies at multiple points.
To provide further clarity for this case, we will outline some key premises relevant to this specific scenario. While many scenarios exist, these premises are crucial for real-world implementation, as we will guide you on a case-by-case basis. We will also introduce some technical aspects, which we will explain in more detail later
a) First-Party Scenario within a Single Trust Domain: The enterprise controls and owns the MCP Host, Agent, MCPs, and Identity Provider. This classification approach was introduced by George Fletcher, along with other members, during discussions of AI topics in the context of IDPro. If you want to know more about the delegation scenario, you MUST follow him, as he often publishes interesting articles about it.
b) Single Agent, Single MCP Server: To simplify this case we have a single Agent that initializes the MCP Client, which communicates with one MCP Server, all operating within the same trust domain.
c) Interactive AI Agent acting on behalf of a User: The interactive AI Agent acts on behalf of a user. In an access delegation scenario, OAuth 2.0 will be instrumental, as its fundamental purpose is to facilitate access delegation, and we can leverage scopes for granular access control. The MCP Base Protocol now includes an Authorization section that specifically recommends OAuth 2.1, thereby providing a robust foundation for this.
f) AI Agent manages the authentication ceremony (OAuth 2.0 flow) in coordination with the Agentic AI Portal, to handle dynamic authorization. Identity Propagation via digital tokens is crucial for a secure and efficient interaction. It ensures that once you’ve successfully authenticated and authorized your access, your identity and granted permissions seamlessly follow your requests across the system. This not only verifies who you are to the MCP Server but also enforces exactly what you’re allowed to do.
What we leave behind:
- This is explicitly not an agent-to-agent (A2A) scenario; we are dealing with a single Agent and a single MCP Server within one trust domain.
- There is only one Identity Provider (IdP) involved; we avoid multi-IdP complexity.
- We aim to avoid unnecessary architectural complexity and minimize the number of calls within the AI flow - no 100+ round trips! The goal is to keep things as simple and efficient as possible.
Once we’ve explained the basics of this case, we can use the same framework to extend it to other scenarios as well.
Agentic AI Identity Access Plus Platform: Elevating Enterprise Security Through Innovation
Our Agentic AI Identity Access Plus Platform directly addresses these pain points by offering a unified, intelligent, and highly secure environment for your enterprise applications and AI agents. We demonstrate a real-world implementation of how we securely approach this, focusing on an interactive AI Agent in a single-domain first-party scenario where the enterprise maintains full control over all AI components.
Here’s how we transform the current scenario:
Agentic AI Identity Access Plus Platform
The Agentic AI Identity Access Plus Platform is an enterprise-grade solution built on a robust foundation, offering complete control over AI agents. This unified platform addresses all your identity needs - streamlining operations, maximizing revenue, and enhancing security with AI-powered agents. It delivers advanced Identity Governance and Administration (IGA) capabilities through our intelligent AI Agent.
AI Agent (Oryon)
At the heart of our platform is our proprietary Oryon AI Agent, which intelligently orchestrates security policies and understands the security policies. Oryon is fully integrated with the Keycloak MCP Server, enabling natural language interaction with Keycloak through secure protocols like OAuth 2.0 and the Model Context Protocol (MCP). This proactive intelligence is crucial for maintaining a strong security posture in dynamic enterprise environments.
As shown below, Oryon is able to detect interactive OAuth error responses from the MCP server to trigger additional actions -such as step-up authentication or just-in-time authorization step - to enforce dynamic authorization.
IAM Keycloak MCP Server Integration
In our scenario, we use the TwoGenIdentity** Keycloak MCP Server **as a reference implementation, but the approach can be extended to other MCP servers as well. Keycloak is an open-source identity and access management solution, and thanks to the MCP standard, we are exposing the tools for managing and monitoring the platform to the Agent.
The MCP Server enforces access control rules for features such as step-up authentication and supports integration with OpenFGA to enable fine-grained authorization (FGA) and enhance security through Relationship-Based Access Control (ReBAC) policies.
It also includes support for approximately 31 Keycloak tools, spanning key areas like User, Client, Authentication Flows, Roles, Groups, Organizations, Events, and Cache Management, and we continue to evolve it. We thank to Nicolas Osorio for participating in the evolution of this component.
Keycloak Authentication / Authorization Extensions
At TwoGenIdentity, we developed and maintained custom extensions (SPI ) to extend capabilities to the Keycloak platform to enhance both security and user experience (UX) by adopting the latest open standards, including Native Authentication with Passkeys. We also provide the OpenFGA Event Publisher Keycloak extension, which synchronizes authorization-relevant data between Keycloak and OpenFGA models -enabling seamless integration for the Fine-Grained Authorization (FGA) step.
Simplified Agentic AI Flow
- User Authentication (User → Agentic AI Portal): The user logs in to the Agentic AI Portal (MCP Host) via OpenID Connect (OIDC).
- During this process, the user gives consent for certain tools or capabilities to be accessed on their behalf by an Agent [AC1].
- User to Agentic AI Portal (Agentic AI Portal → Agent API): Opens an AI Agent and requests an action based on the available tools.
- The Agentic AI Portal communicates with an Agent using an OAuth 2.0 access token, treating the Agent API as a OAuth 2.0 Resource Server.
- In this step we are applying access control based scoped and filtering the tools more the details in the next steps [AC2].
- Oryon Agent to MCP Server (MCP Client → MCP Server): The Agent initializes the MCP Client with an access token to call the MCP Server.
- The MCP Server acts as an OAuth 2.0 Resource Server that exposes the tools the Agent needs.
- Access token validation includes checking the required scope or identity claim for the tool to be executed [AC3].
- In this case, we can apply step-up or just-in-time authentication for executing critical tools if an interactive OAuth response is present [AC4]. See the diagrams below.
- [A] User: Human prompt related to tools execution
- [B] Agent: LLM prompt resolution and tool (MCP) selection
- [C] Agent (MCP client): Sends an MCP request for the specified tool
- [D] MCP Server: Returns an OAuth step-up response when the required authentication level is not met.
- [E] Agent: Detects when an interactive OAuth response is present and triggers an interruption to request step-up authentication.
- [F] Agentic AI Portal: The OAuth ceremony is initiated by the Agentic AI Portal (MCP Host) thanks to the information of the AI Agent. This is why we are able to secure the process while at the same time enhancing the user experience with native authentication.
- The resulting tokens are then propagated across the AI components (Agents and MCPs). These new tokens meet the security requirements of the MCP server.
- MCP to FGA (MCP → FGA): The MCP can perform authorization checks based on a ReBAC policy in the context of the authenticated user, verifying whether the user has a direct or implied relationship with a specific tool. For example, to simplify our scenario, we used a roles model that links business roles to technical roles associated with the tools used by the client representing the MCP server.
Deep Dive: Distributed Access Control Across in Agentic AI Components
In this section, we combine the core concepts of securing access to the Agentic AI components, the distributed enforcement of access control levels (PEPs), and concrete use cases demonstrating these mechanisms in action. By doing so, we present a cohesive and practical framework for implementing layered security in the Agentic AI platform.
Access Control Architecture Overview
Our implementation follows a multi-layered approach, where Policy Enforcement Points (PEPs) are deployed across different AI components. These components include the Agentic AI Portal, the AI Agent (Oryon), and the MCP Server. This architecture allows fine-grained and dynamic authorization enforcement tailored to each context.
We adopt the AuthZEN Working Group P*P architecture model:
- Authentication Server (AS): Keycloak acts as the OAuth 2.1 Authorization Server.
- Policy Decision Point (PDP): OpenFGA evaluates authorization decisions based on ReBAC / ABAC policies.
- Policy Enforcement Points (PEP): Distributed in the Agent, MCP, and portal.
Simplified OAuth 2.1 role mappings:
- Enterprise Identity Provider → OAuth 2.0 Authorization Server.
- MCP Host (Agentic AI Portal) → OAuth 2.0 Client.
- AI Agent → Trusted component.
- AI Agent API and MCP Server → OAuth 2.0 Resource Servers.
Each component applies access control as follows:
Access Delegation
- [AD-AC1] User: gives consent to the agent based scopes. [AD-AC2] Agent: Policy Enforcement Point (PEP) is used for tool filtering.
- [AD-AC3] MCP Server: Enforces PEP-based scopes or claims for each tool.
Dynamic Authorization
- [DA-AC4] MCP Server: Makes real-time access decisions based on identity claims (such as acr and amr), triggering an OAuth 2.0 step-up error response. The OAuth 2.0 flow is orchestrated by the AI agent. Step-up authentication is performed using OIDC and OAuth 2.0 for First-Party Apps (FiPA), implemented by the Agentic AI Portal to ensure a secure and seamless user experience.
Fine-Grained Authorization (FGA)
- [AD-AC3] MCP Server: FGA based ReBAC (Relationship-Based Access Control) policies acting as Policy Decision Point (PDP) integrated with OpenFGA, following the principles of decoupled authorization as defined by the AuthZEN Working Group.
Diagram Walkthrough: Applying Access Controls in Practice
Case 1: Agentic AI → View IAM User Details
Here, the user logs into the Agentic AI Portal and chats with the Oryon AI Agent to list IGA users.
Case 2: Agentic AI → Delete IAM User
The user initiates a chat with the Oryon AI Agent to delete the IGA user Peter Michael. The MCP Server identifies insufficient assurance and responds with an OAuth step-up challenge. The Oryon Agent triggers a native biometric login (passkey), required for this critical operation.
Agentic AI Platform: Built on Open Standards
The standards we build upon any secure Agentic AI implementation should follow:
- OAuth 2.0 / OAuth 2.1 (RFC 6749).
- OpenID Connect (OIDC).
- Bearer Token Usage (RFC 6750).
- Step-Up Authentication Challenge Protocol (RFC 9470).
- Authentication Method Reference (RFC 8176).
- OpenID AuthZEN specs.
- FGA with ReBAC based Zanzibar approach.
What we leave behind for this case:
- There is no need for Dynamic Client Registration, as this is a first-party scenario, and the enterprise controls all OAuth 2.0 components, allowing clients to be pre-registered.
- No need for Token Exchange (RFC 8693), as all components operate within a single trust domain, meaning the AI Agent does not require its own OAuth client or token translation.
- No need for OAuth 2.0 Rich Authorization (RAR) → No need more complex things in the scenario we use FGA with ReBAC and ABAC features.
- No need for OAuth 2.0 Protected Resource Metadata (RFC 9728), as the MCP servers and their capabilities are known and managed internally.
- No need for Identity Assertion Authorization Grant or cross-IdP SSO, as we are not dealing with multiple Identity Providers or trust domains; a single IdP is used in this case.
Just to clarify, for the purposes of this scenario, we are not using these standards. In future articles, as we explore additional AI scenarios, we’ll introduce them within our Agentic AI Framework where appropriate.
Showcasing the Agentic AI Identity Access Plus Platform
As described earlier, access will be granted through our Agentic AI Identity Access Platform. In this showcase, you’ll see the Oryon AI Agent in action, performing real-world IAM tasks:
🔐 Integration with our Keycloak MCP Server to manage the platform 🤖 Oryon AI-driven execution of: a) 🧑💻 Listing all Keycloak users b) 🧑💻 Retrieving Keycloak user details c) 🧑💻 Deleting a Keycloak user (biometric login required)
In step c), things get more interesting: Oryon detects the need for step-up authentication or just-in-time authorization step, which is triggered by the MCP Server. It automatically initiates a native passkey flow within our Agentic AI Identity Access Plus platform. No redirects. No pop-ups. Just a secure, seamless user experience. This is a preview of what an AI Agent done right looks like - secure by design, user-friendly by default.
Wrapping Up: From Vision to Execution
What began as a theoretical vision for a secure, agent-driven enterprise platform has now become a reality. Through our Agentic AI Identity Access Plus Platform, we demonstrated how enterprises can implement secure, standards-based access control across every layer of the AI agent flow - without compromising user experience.
By leveraging open protocols such as OAuth 2.1 and the AuthZEN guidelines, we’ve implemented distributed access control through dynamic Policy Enforcement Points (PEPs) and integrated fine-grained authorization using Relationship-Based Access Control (ReBAC).
Our innovation, Oryon, enables dynamic authorization at every step of the AI agent flow, enhancing security in line with Zero Trust principles.
Agentic AI platforms are more than just hype - they represent a real opportunity. With the right identity and access strategy, they can unlock new levels of productivity, transparency, and control. As always, the key is not just building intelligent agents, but ensuring those agents act securely, transparently
We’re excited to be part of this next chapter in identity innovation - and we’d love to hear from you. Whether you’re exploring agentic AI platforms, modern access control, or just beginning your journey, TwoGenIdentity is here to help. Let’s stay connected: follow us for insights, reach out with questions, or collaborate on building secure, user-centric identity solutions that scale with your needs. If you’re working on your own implementation, we hope this article provides a strong starting point - and we’re always open to connecting.
Last but not least, if you are in the IAM space, we recommend joining IDPro, where you’ll have the opportunity to advance your skills alongside experts in the field.
References
Articles
- TwoGenIdentity Blog Featuring Articles and Papers by Martin Besozzi: https://twogenidentity.com/blog/
- Deep Dive into Enhancing User Experience with Native Authentication (OAuth 2.0 for First-Party Apps) and Passkeys in Keycloak: https://medium.com/@embesozzi/deep-dive-into-enhancing-user-experience-with-native-authentication-and-passkeys-in-keycloak-86fb72c64278
- Mastering Access Control: Low-Code Authorization with ReBAC, Decoupling Patterns and Policy as Code: https://medium.com/@embesozzi/mastering-access-control-implementing-low-code-authorization-based-on-rebac-and-decoupling-pattern-f6f54f70115e
- Keycloak integration with OpenFGA (based on Zanzibar) for Fine-Grained Authorization at Scale (ReBAC): https://medium.com/@embesozzi/keycloak-integration-with-openfga-based-on-zanzibar-for-fine-grained-authorization-at-scale-d3376de00f9a
Conferences
- Enhancing User Experience with Native Authentication and Passkeys: https://www.youtube.com/watch?v=fY1sJ8AX1fg&t=32s