227: MCP Security, Framework Fatigue, and AI Agents with Will Johnson (Presented by CodeRabbit)

This week, Robbie and Adam talk with Will Johnson—senior developer advocate at Auth0—about web dev, parenting, and internet culture. They debate whether CSS is a “real” programming language, riff on how modern frameworks can feel over-engineered, and dig into the security risks emerging around AI agents and MCP. Will shares what he’s been learning about MCP security, why he’s cautious with new tools, and how Auth0’s new AI agent offering helps manage identity, permissions, and token safety. Presented by CodeRabbit: https://coderabbit.ai In this episode: (00:00) - Intro (01:49) - Meet Will Johnson (02:19) - Whiskey rating & review: Jameson Triple Triple (07:13) - Hot Take: Git rebase vs git merge (09:42) - Parenting talk: kids, wrestling, and learning consequences (11:57) - Hot Take: Is CSS a programming language? (14:37) - What Will’s working on at Auth0 (AI + MCP security) (16:57) - The most interesting MCP-related hacks and security risks (18:27) - Can “skills” become an attack vector too? (19:47) - Security vulnerabilities, Next.js updates, and patching fatigue (20:48) - How Will’s family got into K-Pop Demon Hunters (25:51) - The Moana live-action trailer “looks like useEffect” (and why) (27:17) - Is React essentially processed American food? (27:58) - Sugar-free Oreos: what are we even doing here? (29:18) - Have we overcomplicated frontend development? (31:32) - Why Rails is the best-engineered dev experience Will has used (32:25) - How Auth0 teams are structured (35:47) - Passkeys explained (41:43) - Plugs and how to connect with Will (43:12) - How AI agents fit into auth Links Auth0: https://auth0.com/ Jameson Triple Triple: https://www.jamesonwhiskey.com/en-us/our-whiskey/jameson-triple-triple/ Three Sheets: https://en.wikipedia.org/wiki/Three_Sheets Jack Daniel's Reserve: https://www.jackdaniels.com/ Google Chrome: https://www.google.com/chrome/ Shopify: https://www.shopify.com/ CSS: https://www.w3.org/Style/CSS/ JavaScript: https://developer.mozilla.org/en-US/docs/Web/JavaScript MCP: https://modelcontextprotocol.io/ Next.js: https://nextjs.org/ KPop Demon Hunters: https://en.wikipedia.org/wiki/KPop_Demon_Hunters Britney Spears: https://britneyspears.com/ NSYNC: https://nsync.com/ B2K: https://en.wikipedia.org/wiki/B2K Chris Brown: https://en.wikipedia.org/wiki/Chris_Brown Netflix: https://netflix.com Stanford University: https://www.stanford.edu/ Moana: https://movies.disney.com/moana Dak Prescott: https://en.wikipedia.org/wiki/Dak_Prescott React: https://react.dev/ Oreo: https://www.oreo.com/ jQuery: https://jquery.com/ Ken Wheeler: https://x.com/ken_wheeler/ ES6: https://www.w3schools.com/js/js_es6.asp BlingBlingjs: https://github.com/argyleink/blingblingjs Astro: https://astro.build/ Rails: https://rubyonrails.org/ Laravel: https://laravel.com/ Egghead: https://egghead.io/ Grok: https://grok.com/ 1Password: https://1password.com/ Google Zanzibar: https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/ AWS: https://aws.amazon.com/ Netlify: https://www.netlify.com/ Pokemon Go: https://pokemongolive.com/ Connect with Will Website: https://auth0.com/ai X / Twitter: https://x.com/willjohnsonio Connect with the hosts Robbie Wagner: https://x.com/RobbieTheWagner Chuck Carpenter: https://x.com/CharlesWthe3rd Adam Argyle: https://x.com/argyleink Subscribe and stay in touch Website: https://whiskey.fm Apple Podcasts: https://podcasts.apple.com/us/podcast/whiskey-web-and-whatnot/id1552776603 Spotify: https://open.spotify.com/show/19jiuHAqzeKnkleQUpZxDf Overcast: https://overcast.fm/itunes1552776603 YouTube: https://www.youtube.com/@WhiskeyWebAndWhatnot Whiskey Web and Whatnot Merch Enjoying the podcast and want us to make more? Help support us by picking up some of our fresh merch at https://whiskey.fund.