ExecutiveGov

NIST Releases Concept Paper on AI Agent Identity, Authorization Controls

NIST’s NCCoE is seeking public comment on a concept paper exploring identity and authorization standards for software and AI ...
GitHub

OAuth 2 / OpenID Connect for JavaScript Runtimes

This software provides a collection of routines that can be used to build client modules for OAuth 2.1, OAuth 2.0 with the latest Security Best Current Practices (BCP), and FAPI 2.0, as well as OpenID ...
Infosecurity-magazine.com

OAuth Device Code Phishing Campaigns Surge Targets Microsoft 365

A surge in phishing campaigns abusing Microsoft’s OAuth device code authorization flow has been observed with multiple threat clusters using the technique to gain unauthorized access to Microsoft 365 ...
CSOonline

OAuth token compromise hits Salesforce ecosystem again, Gainsight impacted

Attackers leveraged stolen secrets to hijack integrations and access customer data, highlighting the need for enterprises to audit connected apps and enforce token hygiene. Salesforce has disclosed ...
Bleeping Computer

New CoPhish attack steals OAuth tokens via Copilot Studio agents

A new phishing technique dubbed 'CoPhish' weaponizes Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests via legitimate and trusted Microsoft domains. The technique was ...
GitHub

Adopt Tenant Claim from OpenID Enterprise Extensions for ID-JAG

If the IdP is multi-tenant and uses the same issuer for all tenants, the Resource Application will already have IdP-specific logic to determine the tenant from the OpenID Connect ID Token (e.g. a ...
marktechpost

Understanding OAuth 2.1 for MCP (Model Context Protocol) Servers: Discovery, Authorization, and Access Phases

OAuth 2.1 is the officially mandated authorization standard in the Model Context Protocol (MCP) specifications. According to the official documentation, authorization servers must implement OAuth 2.1 ...
CSOonline

Cybercrooks faked Microsoft OAuth apps for MFA phishing

Proofpoint observed campaigns impersonating trusted brands like SharePoint and DocuSign with malicious OAuth applications to get into Microsoft 365 accounts. Threat actors have cooked up a clever way ...
The Hacker News

Attackers Use Fake OAuth Apps with Tycoon Kit to Breach Microsoft 365 Accounts

Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersonating enterprises with fake Microsoft OAuth applications to facilitate credential harvesting as part ...
Infosecurity-magazine.com

Russian Threat Actors Target NGOs with New OAuth Phishing Tactics

A new wave of targeted phishing attacks exploiting Microsoft 365’s OAuth workflows has been uncovered by cybersecurity experts. These campaigns, observed by Volexity since March 2025, involve ...
Biometric Companies

OpenID forms group to address silos between AI and identity communities

The OpenID Foundation has launched an Artificial Intelligence Identity Management Community Group to tackle emerging gaps between AI platforms and identity standards. As AI reshapes everything from ...
Mobile ID News

Google Enhances Android’s Digital ID Capabilities with OpenID Support and Zero-Knowledge Proofs

Google has introduced significant updates to Android’s digital credentials capabilities, enhancing the platform’s ability to handle virtual driving licenses, IDs, and passports. The expansion builds ...