Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
Explain how the confused deputy problem arises in MCP and describe a specific OAuth 2.1 misconfiguration that enables privilege escalation.
A confused deputy is an MCP server with broad delegated authority tricked into acting for an attacker; defend with per-user consent, audience-bound tokens, least privilege, and no token passthrough.
Picture a hotel valet holding the master key to every car in the lot. You hand him your ticket and he fetches your car. Now a stranger hands him a forged ticket. The valet cannot tell the difference, so he happily drives off in someone else's car. The valet is not a thief. He is confused. He has far more authority than any single guest, and he acts on whoever asks. An MCP server is that valet. It holds powerful credentials and acts on behalf of users, so if its checks are sloppy, an attacker can borrow that power. The defense is making the valet verify each request truly belongs to the person it claims to serve, and never handing him the master key in the first place.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
6 min: define confused deputy, map it onto an MCP server's ambient authority, walk the PKCE-skip escalation, then cover the four defenses: per-user consent, audience-bound tokens, least privilege, and no token passthrough.
| Defense | What it stops | Failure if skipped |
|---|---|---|
| PKCE enforcement | Authorization-code interception and replay | Attacker redeems stolen code for the server's scope |
| Audience-bound tokens | Token replay across resources and passthrough abuse | A token minted for one API is accepted by another |
| Per-user consent | Shared ambient authority across all users | One grant silently serves every requester |
| Least-privilege scopes | Blast radius of any successful trick | A single confused call yields admin-level access |
| No token passthrough | Downstream services becoming the next deputy | Backend acts on a scope it never validated |
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Assuming PKCE alone fixes it. PKCE stops code interception, but a server with broad ambient authority and no audience binding is still a confused deputy.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.