Tag Archives: AI

Unknown's avatar Pete 5:20 pm on November 26, 2025
Tags: AI, Altman   

The Trillion-Dollar Lie: Ilya’s Testimony and the Altman Conundrum

Let’s be clear: we’ve always known that the builders of our world-class, society-altering infrastructure were flawed. The railroad barons, the telecom giants, the oil magnates—their ambitions were often matched only by their ruthlessness.

But in the age of AI, the stakes are different. We’re not just laying track or stringing cable; we’re building the potential substrate of all future human thought and society. The person steering that ship, we hope, would be held to a higher standard.

The recent testimony from Ilya Sutskever in the Elon Musk vs. OpenAI lawsuit shatters that hope, and reveals a problem that is both mundane and existentially terrifying: the man at the helm of this transformation, Sam Altman, allegedly has a huge lying problem.

And what’s most alarming isn’t just the accusation, but the collective shrug from his defenders.

The Testimony: Not a Misunderstanding, but a Pattern

The legal documents are dry, but the content is explosive. Ilya Sutskever, OpenAI’s former Chief Scientist and a board member at the time, stated under oath that the board’s decision to fire Altman in November 2023 was due to a “breakdown in the trust and communications between the board and Mr. Altman.”

He didn’t say “a disagreement over strategy.” He didn’t cite “differing visions for AGI safety.” He cited a breakdown in trust. Specifically, the board could no longer trust Altman to be consistently honest with them.

This wasn’t about one lie. It was about a pattern—a “multiplicity of examples,” as one report put it—where Altman was allegedly not candid, making it impossible for the board to govern effectively. The very body tasked with ensuring OpenAI’s mission-aligned governance felt it had to launch a corporate coup to perform its duty, all because it couldn’t believe what its CEO was saying.

The Stakes: This Isn’t a Normal Startup

We need to pause and absorb the dissonance here.

On one hand, you have Sam Altman, the global ambassador for AI, courting trillions of dollars in investment and infrastructure spending from governments and corporations. He is shaping global policy, testifying before Congress, and making promises about building a future that is safe and beneficial for all of humanity. The fabric of our future society is, in part, being woven on his loom.

On the other hand, you have his own board—comprised of aligned experts like Ilya and Helen Toner—concluding he is so fundamentally untrustworthy that he must be removed immediately for the good of the mission.

This isn’t a typical “move fast and break things” startup culture clash. This is the equivalent of the head of the International Atomic Energy Agency being fired by his own scientists for being loose with the facts about safety protocols. The potential consequences are not a failed app; they are, in the most extreme but not-unthinkable scenarios, catastrophic.

The Defense: “I Don’t Care, He Gets Shit Done”

Perhaps the most telling part of this whole saga is the nature of the defense for Sam Altman. As one observer aptly noted, you don’t see many people jumping to say, “He doesn’t have a huge lying problem.”

Instead, the defense maps almost perfectly to: “I don’t care, he gets shit done.”

The employee revolt that reinstated Altman, the support from major investors—it all signaled that the perceived ability to execute and create value (or, let’s be frank, monetary value) was more important than a deficit of trust at the very top. The mission of “ensuring that artificial general intelligence benefits all of humanity” was, in a moment of crisis, subordinated to the cult of execution.

This is a devil’s bargain that Silicon Valley has made before, but never with a technology of this magnitude. We’ve accepted the “brilliant jerk” genius to give us our next social network or smartphone. Are we really willing to accept it for the technology that could redefine consciousness itself?

The Precedent We’re Setting

The message this sends is chilling. It tells future leaders in the AI space that transparency and consistent honesty are secondary to velocity and fundraising. It tells boards that if they try to hold a charismatic, high-value CEO accountable for a “pattern of lying,” they may be the ones who are ousted.

We are institutionalizing a dangerous precedent at the worst possible time.

The Ilya testimony isn’t just a juicy piece of corporate drama. It’s a stark warning. It suggests that the architect of our AI future operates in a cloud of alleged deception, and that a large portion of the ecosystem building that future is perfectly willing to look the other way.

The question is no longer if Sam Altman has a lying problem. The question, posed by his own chief scientist under oath, is whether we should care. And in our collective answer, we are deciding what kind of future we are truly building.

Unknown's avatar Pete 5:54 am on July 3, 2025
Tags: AI, auth, , oauth   

Part 1: Contextual, Attested, and Decentralized Authentication (CADA) for AI MCP Agents

Look, the old ways of auth weren’t built for what’s coming. AI agents don’t live in static sessions or predictable flows—they’re ephemeral, reactive, scattered across clouds, and making decisions faster than your token TTL. So why are we still handing them bearer tokens like it’s 2012? Nothing should be permanent. Context matters. What the agent is doing right now should influence what it’s allowed to do right now. That means proof tied to the moment, not to some long-lived credential you forgot to revoke. It should be rooted in hardware—attested, unforgeable, impossible to rip out and reuse. And above all, it should be decentralized. No single gatekeeper. No single failure point. Trust should move with the agent, like a shadow—provable, portable, disposable. Authentication needs to evolve, or it’ll just be another thing the agents bypass.

As AI MCP agents evolve into autonomous, multi-tenant actors operating across data planes, trust boundaries, and compute contexts, traditional token-based frameworks like OAuth 2.0 fail to provide the necessary granularity, context-awareness, and runtime verification. CADA introduces a new model for zero-standing privilege, context-aware identity, and attestation-driven trust, leveraging confidential computing and decentralized identity primitives.

Core Pillars

  1. Decentralized Identity Anchors (DID-A)
    • Each MCP agent is assigned a Decentralized Identifier (DID) backed by a verifiable credential (VC).
    • The identity is not centrally registered but anchored in a distributed ledger or verifiable key infrastructure (e.g., SIDetree, Sovrin, or ION).
    • DIDs resolve to metadata including key rotation history, policies, and agent type (exploratory, monitoring, remediation, etc.).
  2. Context-Bound Proof-of-Presence Tokens (CB-PoP)
    • Instead of bearer tokens, agents use signed ephemeral tokens with embedded context:
      • Temporal window (e.g., within the last 30s)
      • Location constraints (verified via confidential enclave attestation)
      • Input/output scope (model state hashes, data fingerprinting)
    • These are validated by services with confidential computing backends using Intel SGX/AMD SEV or AWS Nitro Enclaves.
  3. FIDO2 + TPM/TEE Hardware Anchoring
    • Each agent’s execution environment binds its private signing key to a hardware root of trust, such as TPM or TEE.
    • Authentication occurs via WebAuthn-style challenges, signed inside a secure enclave, with attestation reports validating runtime integrity.
    • Eliminates key export risk and enables remote trust of agent execution context.
  4. Dynamic Trust Contracts (DTC)
    • Each authenticated interaction is governed by a smart contract defining:
      • Data access policies
      • Audit/tracing rules
      • Time-limited execution permissions
      • Revocation semantics based on real-time observability inputs
    • These contracts are cryptographically signed by the MCP owner and verified prior to execution.
  5. Zero Standing Privilege with Just-In-Time Delegation
    • Agents do not persist access tokens.
    • Authorization is granted at runtime through delegated trust, using time-bound, task-specific credentials derived from identity and context proof.

Authentication Flow Example

  1. Agent Bootstraps Identity
    • Generates ephemeral DID linked to owner’s permanent identity
    • Signs its public key using its hardware-anchored root
  2. Agent Requests Access to Service
    • Prepares CB-PoP: signs request metadata, timestamps, hash of recent model inputs, and enclave measurement
    • Attaches DID and enclave attestation proof
  3. Service Validates Request
    • Resolves DID and verifies VC chain
    • Confirms enclave integrity and CB-PoP freshness
    • Checks smart contract for permission rules
  4. Access Granted
    • Service encrypts data with agent’s public key (ensuring only that enclave can decrypt)
    • Transaction is logged immutably with context metadata

Why It’s Better than OAuth

FeatureOAuth 2.0CADA
Agent IdentityStatic Client IDDynamic, Decentralized DID
Trust ModelPredefined ScopesRuntime Context + Attestation
Token SecurityBearerEphemeral, Context-bound, Non-exportable
Privilege ModelLong-lived AccessZero-standing Privilege
RevocationManual / OpaqueSmart Contracts, Observable Context



I started to write some stuff last night in Rust, I'll get this up in Github in the next few days.

Generate a Decentralized Identity (DID)


use ssi::did::DIDMethod;
use ssi::did_resolve::DIDResolver;
use ssi::jwk::{JWK, Params as JWKParams};
use ssi::vc::URI;

fn generate_did() -> Result<(), Box<dyn std::error::Error>> {
    let jwk = JWK {
        params: JWKParams::OKP(ssi::jwk::OctetParams {
            curve: "Ed25519".to_string(),
            public_key: vec![],
            private_key: Some(vec![]), // Generate ephemeral keypair
        }),
        ..Default::default()
    };

    let did = ssi::did::did_key::DIDKey.generate(&jwk)?;
    println!("Generated DID: {}", did);
    Ok(())
}


Bind Key to Hardware (e.g. TPM or Nitro Enclave)


use tss_esapi::Context;
use tss_esapi::structures::{Auth, Public};

fn generate_tpm_bound_key() -> Result<(), Box<dyn std::error::Error>> {
    let mut context = Context::new(Default::default())?;
    let key_auth = Auth::try_from(vec![0u8; 32])?;

    let public = Public::rsa_encrypt_decrypt_key(/* your key parameters here */);
    let (key_handle, _) = context.create_primary(public, key_auth)?;
    println!("Key generated and bound to TPM context.");
    Ok(())
}

Create a Context-Bound Proof Token (CB-PoP)
use chrono::Utc;
use ring::signature::{Ed25519KeyPair, KeyPair};
use serde_json::json;

fn create_cb_pop(agent_id: &str, model_digest: &str, enclave_measurement: &str) -> String {
    let now = Utc::now().timestamp();

    let token = json!({
        "agent_id": agent_id,
        "timestamp": now,
        "context": {
            "model_state_hash": model_digest,
            "enclave": enclave_measurement
        }
    });

    // Sign it using an ephemeral keypair inside enclave or bound to TPM
    let keypair = Ed25519KeyPair::from_pkcs8(&get_private_key_bytes()).unwrap();
    let signature = keypair.sign(token.to_string().as_bytes());

    json!({
        "token": token,
        "signature": base64::encode(signature.as_ref())
    }).to_string()
}
Smart Contract

use ethers::prelude::*;
use std::sync::Arc;

#[tokio::main]
async fn validate_contract_permission(agent_id: String) -> Result<(), Box<dyn std::error::Error>> {
    let provider = Provider::<Http>::try_from("https://mainnet.infura.io/v3/YOUR_PROJECT_ID")?;
    let client = Arc::new(SignerMiddleware::new(provider, Wallet::from(...)));

    let contract = Contract::new("0xYourContractAddress", contract_abi, client);
    let is_allowed: bool = contract.method::<_, bool>("isAuthorized", agent_id)?.call().await?;
    println!("Access allowed: {}", is_allowed);
    Ok(())
}
Unknown's avatar Pete 5:41 pm on June 30, 2025
Tags: AI, , python,   

Implementing OAuth with an MCP (Model Context Protocol) AI Test Server: A Technical Deep Dive

I wasn’t really sure I even wanted to write this up — mostly because there are some limitations in MCP that make things a little… awkward. But I figured someone else is going to hit the same wall eventually, so here we are.

If you’re trying to use OAuth 2.0 with MCP, there’s something you should know: it doesn’t support the full OAuth framework. Not even close.

MCP only works with the default well-known endpoints:

  • /.well-known/openid-configuration
  • /.well-known/oauth-authorization-server

Before we get going, let me write this in the biggest and most awkward text I can find.

Run the Device Flow outside of MCP, then inject the token into the session manually.

And those have to be hosted at the default paths, on the same domain as the issuer. If you’re using split domains, custom paths, or a setup where your metadata lives somewhere else (which is super common in enterprise environments)… tough luck. There’s no way to override the discovery URL.

It also doesn’t support other flows like device_code, jwt_bearer, or anything that might require pluggable negotiation. You’re basically stuck with the default authorization code flow, and even that assumes everything is laid out exactly the way it expects.

So yeah — if you’re planning to hook MCP into a real-world OAuth deployment, just be aware of what you’re signing up for. I wish this part of the protocol were a little more flexible, but for now, it’s pretty locked down.

Model Context Protocol (MCP) is an emerging standard for AI model interaction that provides a unified interface for working with various AI models. When implementing OAuth with an MCP test server, we’re dealing with a specialized scenario where authentication and authorization must accommodate both human users and AI agents.

This technical guide covers the implementation of OAuth 2.0 in an MCP environment, focusing on the unique requirements of AI model authentication, token exchange patterns, and security considerations specific to AI workflows.

Prerequisites

Before implementing OAuth with your MCP test server:

  1. MCP Server Setup: A running MCP test server (v0.4.0 or later)
  2. Developer Credentials: Client ID and secret from the MCP developer portal
  3. OpenSSL: For generating key pairs and testing JWT signatures
  4. Understanding of MCP’s Auth Requirements: Familiarity with MCP’s auth extensions for AI contexts

Section 1: MCP-Specific OAuth Configuration

1.1 Registering Your Application

MCP extends standard OAuth with AI-specific parameters:

curl -X POST https://auth.modelcontextprotocol.io/register \
  -H "Content-Type: application/json" \
  -d '{
    "client_name": "Your AI Agent",
    "client_type": "ai_service",  # MCP-specific client type
    "grant_types": ["authorization_code", "client_credentials"],
    "redirect_uris": ["https://your-domain.com/auth/callback"],
    "scopes": ["mc:inference", "mc:fine_tuning"],  # MCP-specific scopes
    "ai_metadata": {  # MCP extension
      "model_family": "your-model-family",
      "capabilities": ["text-generation", "embeddings"]
    }
  }'

1.2 Understanding MCP’s Auth Flows

MCP supports three primary OAuth flows:

  1. Standard Authorization Code Flow: For human users interacting with MCP via UI
  2. Client Credentials Flow: For server-to-server AI service authentication (sucks, doesn’t work, even the work arounds, don’t do it)
  3. Device Flow: For headless AI environments

Section 2: Implementing Authorization Code Flow

2.1 Building the Authorization URL

MCP extends standard OAuth parameters with AI context:

from urllib.parse import urlencode

auth_params = {
    'response_type': 'code',
    'client_id': 'your_client_id',
    'redirect_uri': 'https://your-domain.com/auth/callback',
    'scope': 'openid mc:inference mc:models:read',
    'state': 'anti-csrf-token',
    'mcp_context': json.dumps({  # MCP-specific context
        'model_session_id': 'current-session-uuid',
        'intended_use': 'interactive_chat'
    }),
    'nonce': 'crypto-random-string'
}

auth_url = f"https://auth.modelcontextprotocol.io/authorize?{urlencode(auth_params)}"

2.2 Handling the Callback

The MCP authorization server will return additional AI context in the callback:

@app.route('/auth/callback')
def callback():
    auth_code = request.args.get('code')
    mcp_context = json.loads(request.args.get('mcp_context', '{}'))  # MCP extension

    token_response = requests.post(
        'https://auth.modelcontextprotocol.io/token',
        data={
            'grant_type': 'authorization_code',
            'code': auth_code,
            'redirect_uri': 'https://your-domain.com/auth/callback',
            'client_id': 'your_client_id',
            'client_secret': 'your_client_secret',
            'mcp_context': request.args.get('mcp_context')  # Pass context back
        }
    )

    # MCP tokens include AI-specific claims
    id_token = jwt.decode(token_response.json()['id_token'], verify=False)
    print(f"Model Session ID: {id_token['mcp_session_id']}")
    print(f"Allowed Model Operations: {id_token['mcp_scopes']}")

Section 3: Client Credentials Flow for AI Services

3.1 Requesting Machine-to-Machine Tokens

import requests

response = requests.post(
    'https://auth.modelcontextprotocol.io/token',
    data={
        'grant_type': 'client_credentials',
        'client_id': 'your_client_id',
        'client_secret': 'your_client_secret',
        'scope': 'mc:batch_inference mc:models:write',
        'mcp_assertion': generate_mcp_assertion_jwt()  # MCP requirement
    },
    headers={'Content-Type': 'application/x-www-form-urlencoded'}
)

token_data = response.json()
# MCP includes additional AI context in the response
model_context = token_data.get('mcp_model_context', {})

3.2 Generating MCP Assertion JWTs

MCP requires a signed JWT assertion for client credentials flow:

import jwt
import datetime

def generate_mcp_assertion_jwt():
    now = datetime.datetime.utcnow()
    payload = {
        'iss': 'your_client_id',
        'sub': 'your_client_id',
        'aud': 'https://auth.modelcontextprotocol.io/token',
        'iat': now,
        'exp': now + datetime.timedelta(minutes=5),
        'mcp_metadata': {  # MCP-specific claims
            'model_version': '1.2.0',
            'deployment_env': 'test',
            'requested_capabilities': ['inference', 'training']
        }
    }

    with open('private_key.pem', 'r') as key_file:
        private_key = key_file.read()

    return jwt.encode(payload, private_key, algorithm='RS256')

Section 4: MCP Token Validation

4.1 Validating ID Tokens

MCP ID tokens include standard OIDC claims plus MCP extensions:

from jwt import PyJWKClient
from jwt.exceptions import InvalidTokenError

def validate_mcp_id_token(id_token):
    jwks_client = PyJWKClient('https://auth.modelcontextprotocol.io/.well-known/jwks.json')

    try:
        signing_key = jwks_client.get_signing_key_from_jwt(id_token)
        decoded = jwt.decode(
            id_token,
            signing_key.key,
            algorithms=['RS256'],
            audience='your_client_id',
            issuer='https://auth.modelcontextprotocol.io'
        )

        # Validate MCP-specific claims
        if not decoded.get('mcp_session_id'):
            raise InvalidTokenError("Missing MCP session ID")

        return decoded
    except Exception as e:
        raise InvalidTokenError(f"Token validation failed: {str(e)}")

4.2 Handling MCP Token Introspection

def introspect_mcp_token(token):
    response = requests.post(
        'https://auth.modelcontextprotocol.io/token/introspect',
        data={
            'token': token,
            'client_id': 'your_client_id',
            'client_secret': 'your_client_secret'
        }
    )

    introspection = response.json()
    if not introspection['active']:
        raise Exception("Token is not active")

    # Check MCP-specific introspection fields
    if 'mc:inference' not in introspection['scope'].split():
        raise Exception("Missing required inference scope")

    return introspection

Section 5: MCP-Specific Considerations

5.1 Handling Model Session Context

MCP tokens include session context that must be propagated:

def call_mcp_api(endpoint, access_token):
    headers = {
        'Authorization': f'Bearer {access_token}',
        'X-MCP-Context': json.dumps({
            'session_continuity': True,
            'model_temperature': 0.7,
            'max_tokens': 2048
        })
    }

    response = requests.post(
        f'https://api.modelcontextprotocol.io/{endpoint}',
        headers=headers,
        json={'prompt': 'Your AI input here'}
    )

    return response.json()

5.2 Token Refresh with MCP Context

def refresh_mcp_token(refresh_token, mcp_context):
    response = requests.post(
        'https://auth.modelcontextprotocol.io/token',
        data={
            'grant_type': 'refresh_token',
            'refresh_token': refresh_token,
            'client_id': 'your_client_id',
            'client_secret': 'your_client_secret',
            'mcp_context': json.dumps(mcp_context)
        }
    )

    if response.status_code != 200:
        raise Exception(f"Refresh failed: {response.text}")

    return response.json()

Section 6: Testing and Debugging

6.1 Using MCP’s Test Token Endpoint

curl -X POST https://test-auth.modelcontextprotocol.io/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=test_client" \
  -d "client_secret=test_secret" \
  -d "scope=mc:test_all" \
  -d "mcp_test_mode=true" \
  -d "mcp_override_context={\"bypass_limits\":true}"

6.2 Analyzing MCP Auth Traces

Enable MCP debug headers:

headers = {
    'Authorization': 'Bearer test_token',
    'X-MCP-Debug': 'true',
    'X-MCP-Traceparent': '00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01'
}

Why did this suck so much?

Implementing OAuth with an MCP test server requires attention to MCP’s AI-specific extensions while following standard OAuth 2.0 patterns. Key takeaways:

  1. Always include MCP context parameters in auth flows
  2. Validate MCP-specific claims in tokens
  3. Propagate session context through API calls
  4. Leverage MCP’s test endpoints during development

For production deployments, ensure you:

  • Rotate keys and secrets regularly
  • Monitor token usage patterns
  • Implement proper scope validation
  • Handle MCP session expiration gracefully