AI Dev 26 x SF | Matthew Xu: The 4-Legged Identity Challenge


Descriptions:

Matthew Xu, CTO of Agent Fabric, delivered a technical deep dive at AI Dev 26 in San Francisco on what he calls the four-legged identity challenge — the fundamental problem of preserving user identity across multi-hop agentic systems where traditional OAuth assumptions break down. As AI agents chain through MCP servers and downstream APIs, the clean delegation model OAuth was designed for no longer holds, and user identity is routinely lost mid-chain.

Xu walks through the evolution from three-legged OAuth (user, app, identity provider) to the four-legged agentic model (user, agent, MCP server, API), explaining precisely why audience-bound tokens fail when passed through dynamic multi-hop systems. He then introduces the four RFC protocols MCP is standardizing around: RFC 9728 (authorization server discovery), RFC 8414 (authorization server metadata), RFC 7591 (dynamic client registration), and RFC 8693 (token exchange with scoped delegation).

Real-world compatibility gaps are addressed directly: Keycloak supports token exchange well, Microsoft Entra has incomplete support, and Okta offers only partial implementation through claims. Xu argues that as agentic deployments grow into identity graphs rather than simple delegation chains — with multiple agents calling agents, multiple MCP servers, and different identity providers per service — the industry needs purpose-built infrastructure that goes beyond what current OAuth providers ship by default.
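The audience-binding failure and the RFC 8693 exchange described above, as an added Python example that is not code from the talk or from any project named here. The hop names (`mcp-server`, `files-api`), the scopes, the helper functions and the HMAC-signed toy token standing in for a signed JWT are all assumptions; only the `grant_type`, token-type URN, form parameter names and the `act` claim come from RFC 8693.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; stands in for the IdP's signing key
GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
ACCESS = "urn:ietf:params:oauth:token-type:access_token"   # RFC 8693

def mint(claims):
    """Toy signed token (HMAC over JSON), a stand-in for a signed JWT."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return (body + b"." + hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()).decode()

def verify(token, expected_aud):
    """Resource-side check: signature first, then audience binding."""
    body, _, sig = token.encode().partition(b".")
    good = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, good):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != expected_aud:
        raise PermissionError(f"token audience {claims.get('aud')!r}, expected {expected_aud!r}")
    return claims

def token_exchange(form, caller):
    """Toy authorization-server handler for an RFC 8693 request from `caller`."""
    if form["grant_type"] != GRANT or form["subject_token_type"] != ACCESS:
        raise ValueError("unsupported token exchange request")
    subject = verify(form["subject_token"], expected_aud=caller)  # only the audience may exchange
    if not set(form["scope"].split()) <= set(subject["scope"].split()):
        raise PermissionError("requested scope exceeds the subject token's scope")
    act = {"sub": caller}            # RFC 8693 "act" claim: who is acting for the user
    if "act" in subject:
        act["act"] = subject["act"]  # nest earlier actors to keep the delegation chain
    return mint({"sub": subject["sub"], "aud": form["audience"],
                 "scope": form["scope"], "act": act})

def exchange_for(token, caller, audience, scope):
    """Build the RFC 8693 form parameters a hop sends before calling downstream."""
    return token_exchange({"grant_type": GRANT, "subject_token": token,
                           "subject_token_type": ACCESS, "audience": audience,
                           "scope": scope}, caller)

# Constructed sample: the agent holds a token for user alice, bound to the MCP server.
USER_TOKEN = mint({"sub": "alice", "aud": "mcp-server", "scope": "files.read files.write"})
API_TOKEN = exchange_for(USER_TOKEN, "mcp-server", "files-api", "files.read")
```

Forwarding `USER_TOKEN` unchanged to the API fails the audience check, while `API_TOKEN` keeps `sub` as the user, narrows the scope and records the MCP server in `act`; a further hop nests another `act` level, which is how the chain stays auditable.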


📺 Source: DeepLearningAI · Published May 21, 2026
🏷️ Format: Deep Dive
