2025-12-2 Maverics Console Release Notes


New Features

Overview: Enhanced Token Lifecycle Control for AI Agent Operations

These three enhancements work together to provide comprehensive, fine-grained control over token issuance and lifecycle for AI agent operations:

  1. Delegation ensures clear identity chains showing who is acting and on whose behalf

  2. Per-Tool TTL enables policy-driven token lifetimes based on operation sensitivity

  3. Client-Requested TTL provides dynamic control for applications to further reduce token lifetime based on runtime context

Orchestrator Update Required

All of these features require Orchestrator v2025.12.2 or newer.


MCP Bridge

Delegated Token Exchange Support

Overview

The MCP Bridge now supports delegated token exchange in addition to the previously available impersonation mode. This enhancement provides improved security and observability for agentic use cases by maintaining a clear chain of authentication that shows both the end user and the acting agent in the access token.

What's New

  • Default Behavior Change: MCP Bridge apps now use delegation by default when performing token exchange

  • RFC 8693 Compliance: Access tokens issued through delegation include the standardized act (actor) claim that identifies the AI agent acting on behalf of the user

  • Backward Compatibility: Impersonation mode remains available and can still be configured when needed, though delegation is recommended for most use cases

Key Benefits

  • Enhanced Security: Delegation provides a clearer audit trail by distinguishing between the principal (end user) and the actor (AI agent)

  • Standards Alignment: Implements OAuth 2.0 Token Exchange (RFC 8693) delegation semantics

Configuration

In the MCP Bridge App definition under Outbound Request Authorization, select Exchange Type: Delegation.

Technical Details

When delegation is used, access tokens contain an act claim that identifies the bridge application acting on behalf of the authenticated user. This provides downstream systems with visibility into both identities in the transaction chain.
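As an added illustration (not code from the Maverics product), the following Python shows how a downstream API could read the RFC 8693 act chain from a delegated token and tell the principal apart from the acting agent, which an impersonation token does not allow. The claim values, the agent allowlist check and the alg=none sample tokens are constructed for the demo; signature verification is assumed to have been done already by the resource server's JWT library.

```python
import base64
import json

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def actor_chain(claims):
    """List actor subjects from an RFC 8693 'act' claim, outermost first.

    The outermost 'act' is the party presenting the token; each nested 'act'
    is the party it received the token from. An empty list means no
    delegation (impersonation or a direct user token): only the user is visible."""
    chain = []
    act = claims.get("act")
    while isinstance(act, dict):
        chain.append(act.get("sub"))
        act = act.get("act")
    return chain

def describe_token(jwt):
    """Report principal and actors from a JWT payload (signature assumed verified)."""
    claims = json.loads(_b64url_decode(jwt.split(".")[1]))
    return {"principal": claims.get("sub"),
            "actors": actor_chain(claims),
            "delegated": isinstance(claims.get("act"), dict)}

def allow_agent_call(jwt, allowed_agents):
    """Hypothetical downstream policy: agent-originated calls must carry an
    explicit actor, and that actor must be on an allowlist."""
    info = describe_token(jwt)
    return info["delegated"] and info["actors"][0] in allowed_agents

def make_unsigned_jwt(claims):
    # Constructed sample token (alg=none, empty signature) for demonstration only.
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return header + "." + _b64url_encode(claims) + "."

# Constructed sample tokens: user alice with the MCP Bridge app acting for her
# (delegation) versus a token indistinguishable from alice's own (impersonation).
DELEGATED = make_unsigned_jwt({"sub": "alice@example.com", "aud": "crm-api",
                               "act": {"sub": "mcp-bridge-app"}})
IMPERSONATED = make_unsigned_jwt({"sub": "alice@example.com", "aud": "crm-api"})

if __name__ == "__main__":
    print(describe_token(DELEGATED))     # actors ['mcp-bridge-app'], delegated True
    print(describe_token(IMPERSONATED))  # actors [], delegated False: agent invisible
```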


Per-Tool Access Token Lifetime Configuration

Overview

The MCP Bridge app now supports fine-grained control over access token lifetimes on a per-tool basis. This enhancement enables least-privilege security policies by issuing short-lived tokens tailored to specific tool operations, significantly reducing the attack surface for AI agent operations.

What's New

  • Per-Tool TTL Configuration: Define custom access token lifetimes for individual tools or tool patterns in the MCP Bridge configuration

  • Scope Integration: Combine TTL settings with scope definitions for comprehensive per-tool authorization policies

  • Pattern Matching: Use regular expressions to apply TTL policies across multiple tools with a single configuration entry

  • Config Evolution: New tools configuration section replaces the deprecated scopeMappings field

Key Benefits

  • Principle of Least Privilege: Issue tokens with the minimum lifetime necessary for each operation

  • Risk Reduction: Limit the window of opportunity for token compromise or misuse

  • Operational Flexibility: Different tools can have different security requirements based on sensitivity

Configuration

From the MCP Bridge app, click Edit then scroll to the Tool Configuration section and click Add Tool Configuration.

Technical Details

Custom TTL on the MCP Bridge App requires using the Maverics Orchestrator as your OIDC provider. This capability is not available when using other identity services.


OIDC Provider

Client-Requested Access Token Lifetime

Overview

The OIDC Provider now enables clients to request custom access token lifetimes dynamically through the X-Maverics-Oauth-Access-Token-Lifetime HTTP header. This capability allows clients to request shorter-lived tokens for specific operations without requiring server-side configuration changes.

What's New

  • Dynamic TTL Requests: Clients can specify desired access token lifetime using the X-Maverics-Oauth-Access-Token-Lifetime header in token endpoint requests

  • Multi-Grant Support: Available across all OAuth grant types:

    • Authorization Code

    • Client Credentials

    • Token Exchange (RFC 8693)

    • Resource Owner Password Credentials

    • Refresh Token

  • Security Constraints: Requested lifetime is validated against the configured maximum for the OIDC application

  • Error Handling: Returns HTTP 400 Bad Request when invalid or excessive TTL values are requested

Key Benefits

  • Client Control: Applications can request appropriately scoped token lifetimes based on operation context

  • Security Best Practices: Enables implementation of time-based least privilege without administrative overhead

  • Operational Agility: No server configuration changes required for different use case TTL requirements

Usage

Include the X-Maverics-Oauth-Access-Token-Lifetime header in token endpoint requests:

POST /oauth/token HTTP/1.1
Host: identity.example.com
Content-Type: application/x-www-form-urlencoded
X-Maverics-Oauth-Access-Token-Lifetime: 300

grant_type=authorization_code&code=ABC123&...

The value should be specified in seconds. The resulting access token will have a lifetime equal to the requested value or the configured maximum for the OIDC application, whichever is lower.

Security Considerations

  • Requested TTL values cannot exceed the Access Token lifetime configured for the OIDC application

  • Invalid header values result in a 400 Bad Request error response

  • This feature enhances security by enabling shorter-lived tokens while maintaining administrative control through maximum lifetime policies
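To make the two lifetime layers concrete, here is an added Python sketch (not Maverics code) of how a token endpoint could resolve a Per-Tool TTL by regular expression and then apply the client's X-Maverics-Oauth-Access-Token-Lifetime header on top of it. The policy table shape, the tool names, the first-match-wins rule and the fallback to the app-level maximum for unmatched tools are assumptions; following the Security Considerations above, an over-limit request is rejected with 400 rather than clamped.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ToolPolicy:
    # Hypothetical per-tool entry: a regex over the MCP tool name, the access
    # token TTL to issue for it, and the scopes it is granted.
    pattern: str
    ttl_seconds: int
    scopes: tuple

# Constructed policy table (not the console's real schema). First match wins;
# the most sensitive tools get the shortest lifetimes.
TOOL_POLICIES = (
    ToolPolicy(r"^payments\.", 60, ("payments:write",)),
    ToolPolicy(r"^read_", 900, ("docs:read",)),
)
APP_MAX_TTL = 3600  # assumed Access Token lifetime configured on the OIDC app

class BadRequest(ValueError):
    """Maps to an HTTP 400 Bad Request response from the token endpoint."""

def resolve_tool_policy(tool_name, policies=TOOL_POLICIES):
    """Return (ttl_seconds, scopes) for a tool; unmatched tools get the app maximum."""
    for policy in policies:
        if re.search(policy.pattern, tool_name):
            return policy.ttl_seconds, policy.scopes
    return APP_MAX_TTL, ()

def requested_lifetime(header_value, max_ttl):
    """Validate the lifetime header against the ceiling.

    Missing header -> ceiling. Non-integer, zero, negative or above-ceiling
    values -> BadRequest (400)."""
    if header_value is None:
        return max_ttl
    value = header_value.strip()
    if not value.isdigit() or int(value) == 0:
        raise BadRequest("invalid_request: lifetime must be a positive integer of seconds")
    if int(value) > max_ttl:
        raise BadRequest(f"invalid_request: lifetime {value}s exceeds maximum {max_ttl}s")
    return int(value)

def issue_ttl(tool_name, header_value=None):
    """Combine both layers: the per-tool policy sets the ceiling and the client
    header may only shorten it further."""
    ceiling, scopes = resolve_tool_policy(tool_name)
    return requested_lifetime(header_value, ceiling), scopes
```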

UI Polish❤️

  • The Publish Preview now defaults to the latest version. This will show fewer inspector errors by default.

  • Improvements to drag-n-drop for MCP app icons, OpenAPI specs, and Rego policies.