AGENTFORCE-33.1 · MCP Over-Provisioning

🔐 Enterprise Tier · 🟠 High · Category: Graph: MCP Identity Mismatch

Detection Logic

Proves the identity mismatch between what the MCP server claims to do and what its authorizing Connected App actually has access to.

graph LR
  CFG["ProjectConfig\n[squirex.json MCP config]"]
  APP["ConnectedApp\n[OAuthScope: full / ModifyAllData]"]
  TOOLS["MCP Tools\n[narrow stated purpose]"]

  CFG -->|AUTHORIZES| APP
  CFG -->|declares| TOOLS
  APP -->|"⚠️ actual org-wide access"| APP
  TOOLS -.->|"stated purpose gap"| APP

What Triggers It

ProjectConfig node contains MCP server endpoint configuration
ProjectConfig → AUTHORIZES → ConnectedApp[hasFullAccess=true]
OR ConnectedApp.oauthScopes contains: full, modifyalldata, or viewalldata

Why It Matters

The MCP server runs as a background integration identity. If its Connected App has full scope and an attacker compromises the MCP server's OAuth token (e.g., through source code exposure), they have org-wide read/write access — not just the narrow access the tool's description implies.

This rule operationalizes the principle of least privilege for AI integration identities.

Remediation

Replace over-provisioned OAuth scopes with the minimum required:

Tool purpose	Required scopes
Read Contacts	`api`
Create Cases	`api`
Send emails	`api`, `email`
Read + update records	`api`
Full admin operations	⚠️ Reconsider your product design

In your Connected App's OAuth configuration:

<!-- Before -->
<scopes>full</scopes>

<!-- After -->
<scopes>api</scopes>

Store the OAuth consumer key/secret in a Named Credential — never in the MCP server's environment variables.

Detection Logic​

What Triggers It​

Why It Matters​

Remediation​

Detection Logic

What Triggers It

Why It Matters

Remediation