Identity Propagation in MCP: OBO, Multi-Hop Chains, and the Trust Problem

Abstract

MCP solved tool connectivity faster than the ecosystem solved identity, and that gap is becoming dangerous. Today, most MCP systems can call APIs and internal platforms at scale, but downstream services often cannot identify the real user behind a request. APIs see the MCP server, not the human who initiated the action. That works in demos. It fails in production. This talk explores why identity propagation is becoming a critical infrastructure problem for MCP systems, especially as agents begin operating across multiple services, organizations, and delegated workflows. We break down: - the identity loss problem in MCP - single-hop OBO (On-Behalf-Of) delegation - multi-hop identity propagation across service chains - identity transfer vs impersonation - user consent and authorization boundaries The session also covers practical OBO token exchange flows, delegated scopes, downscoping, auditability, and the security risks that emerge once AI agents begin chaining tools autonomously. Finally, we examine the infrastructure MCP still lacks: - standardized identity propagation - workload identity between MCP servers - delegated authorization models - cross-service audit chains - least-privilege enforcement for autonomous agents Attendees leave with a production-focused mental model for secure identity propagation in MCP systems, and a clearer understanding of what must exist before autonomous AI infrastructure can safely scale.