Challenging assumptions of Identity within WebMCP

[EmLauber]

I suggest that WebMCP should not assume that the agent uses the user's identity to perform actions. Instead WebMCP should leverage OAuth, like MCP itself is doing. The idea is that the clients (webpages with WebMCP tools on it) are authenticated and authorized to be called by the agent.

I would argue that the agent should have it's own identity as a client to be calling the javascript tools. The conversations around when and how to prompt the user for consent to call tools should be made by the authorization server that is managing access to the data which the WebMCP tool is taking the action on. Identity providers already have mechanisms for managing scopes, controls and consent for softwares to act on behalf of the user to access or chage data.

This issue is created just to start the conversation while at TPAC meeting.

[khushalsagar]

Summarizing a hallway conversation from TPAC here.

The concern is what identity should be used by actions initiated directly by the user vs by an Agent on behalf of the user when retrieving authorization from identity providers. WebMCP by design makes this an internal detail of the site since all interaction between the Agent and any services provided by the site is being mediated by the site itself. So it's up to the web author whether an Agent initiated action uses a separate identity or takes the user's identity.

That said, the API needs to ensure that authors can use separate identities for these cases. That has the following considerations:

• The site author needs to distinguish whether an action was taken by the Agent or the user. If the trigger for an action is a function associated with a WebMCP tool, it implicitly tells the author that it was an Agent.

• What kind of agent identity is required by the author? There can be 2 classes: an opaque identifier (unguessable token) is provided to the site while the true agent identity (in-browser agent vs foo.com's agent) is only known to the browser. Or the origin associated agent identifier is passed through to the site.
  Since we're planning to limit the first iteration of WebMCP to browser Agents, the details here can likely be deferred. But we need a plan to ensure the API can be extended to support this use-case.

@EmLauber you mentioned there's ongoing standardization for agent identifiers that we should be building upon. Can you drop a link? Also please correct/add if I missed anything. @sushraja-msft @leotlee FYI.

[victorhuangwq]

@khushalsagar my guess regarding the ongoing agent identifier standardization that @EmLauber is talking about is: https://datatracker.ietf.org/wg/webbotauth/about/