Innovation Circle #2: the AI Mindset
- catalinapaun

Author: Radu Bobe - Digital Identity Consultant
After diving into the world of AI Agents in the first session of this learning series, where we explored how an AI agent can become a true “digital teammate”, we continue the journey with Innovation Circle #2, focused on building an AI Mindset. This time, our colleagues took part in two workshops, gaining valuable insights on how to increase efficiency through AI and how to secure an MCP server.
Workshop insights
During this learning experience dedicated to our team of professionals, we took a deeper look into the practical applications of artificial intelligence.

The event started with a session on the use of AI in our day-to-day work. Diana Dima showed us how we can increase efficiency by leveraging AI in our daily responsibilities and shared a comprehensive map of AI usage across our organization. The workshop was interactive, with many colleagues sharing how they integrate AI into their daily tasks.
The day continued with a hands-on session on MCP security, led by Radu Bobe. Our colleagues discovered the MCP OAuth Authorization Architecture along with some essential MCP security concepts.
As MCPs become more complex, the area of possible vulnerabilities increases. Prompt injection, tool poisoning and authentication bypass are only a few of the risks that must be taken into consideration when developing MCP-based AI applications.
The session opened with an analysis of these risks before outlining the proposed solution for MCP authorization. Our colleagues then explored the steps needed to prevent unauthorized access to data and functionality by controlling who is granted access.
The goal of this approach was to give only authorized agents and users access to specific tools on an internally accessible MCP server hosting various tools. The demo illustrated OAuth2 authorization using Ping Advanced Identity Cloud.
The authorization flow starts with Ping end-user credentials, returning the authorization code. Then, using the authorization code with Proof Key for Code Exchange (PKCE) and OIDC, the access token is obtained. The MCP server is accessed via an HTTP request that carries the previously obtained Bearer access token in the “Authorization” header. In the end, using a dedicated endpoint, we analysed the validity and the scopes of the access token, as the user rights should be dictated by the available scopes.
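The client-side PKCE step and the server-side scope check from the flow above, as an added example that is not the code shown in the workshop. It assumes the validation endpoint returns an RFC 7662-style introspection response; the tool names, scope names and sample token data are hypothetical.

```python
import base64, hashlib, secrets, time

# Hypothetical tool-to-scope policy for the MCP server (names are assumptions).
TOOL_SCOPES = {"read_tickets": "tickets:read", "close_ticket": "tickets:write"}

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = verifier or secrets.token_urlsafe(64)  # 86 chars, allowed range 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def bearer_token(headers):
    """Extract the token from an 'Authorization: Bearer <token>' header, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None

def authorize_tool(tool, introspection, now=None):
    """Decide whether an introspected token may call a tool; deny by default."""
    now = time.time() if now is None else now
    if tool not in TOOL_SCOPES:
        return False, "unknown tool"
    if not introspection.get("active"):
        return False, "token inactive"
    if introspection.get("exp", 0) <= now:  # strict choice: missing exp is rejected
        return False, "token expired"
    granted = set(introspection.get("scope", "").split())
    if TOOL_SCOPES[tool] not in granted:
        return False, "missing scope " + TOOL_SCOPES[tool]
    return True, "ok"

# Constructed introspection response, not captured from a real tenant.
SAMPLE = {"active": True, "scope": "openid tickets:read", "exp": 2_000_000_000}

if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print("code_challenge (S256):", challenge)
    print("token present:", bearer_token({"Authorization": "Bearer example"}) is not None)
    for tool in TOOL_SCOPES:
        print(tool, authorize_tool(tool, SAMPLE))
```

The client sends the challenge with the authorization request and the verifier with the token request; the MCP server runs the scope check on every tool call rather than once per session.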
As the demo sparked interest, we aim to expand the capabilities of the current solution. Stay tuned for more details about our agentic journey, which will continue in the next sessions of the Innovation Circle series!