MCP OAuth: share credentials across servers with same OAuth provider

Resolved 💬 3 comments Opened Mar 13, 2026 by thujikun Closed Mar 16, 2026

Problem

When using multiple MCP servers that share the same OAuth provider (e.g., same Google OAuth Client ID), users must complete a separate OAuth flow for each server. In our setup we have 6+ MCP servers all using the same Google OAuth — each time Claude Code encounters a new server, it initiates a fresh OAuth dance even though the user has already authenticated with the same provider.

Proposed Solution

Allow MCP servers to declare a shared OAuth provider identity (e.g., via issuer in .well-known/oauth-authorization-server). When multiple servers report the same issuer and client ID, Claude Code could:

  1. Reuse the existing access token from a previously authenticated server
  2. Or at minimum, skip the dynamic client registration and reuse the PKCE flow result

This would effectively give users SSO across MCP servers managed by the same organization.

Example

{
  "mcpServers": {
    "gws": { "type": "http", "url": "https://mcp-gws.example.com/mcp" },
    "grafana": { "type": "sse", "url": "https://mcp-grafana.example.com/sse" },
    "code-graph": { "type": "http", "url": "https://mcp-code-graph.example.com/mcp" }
  }
}

All three servers return the same issuer in their OAuth metadata. User authenticates once → all three servers are authorized.

Why not a single gateway?

Merging all servers behind one URL is impractical because:

  • Different users need different server combinations
  • Too many tools in one server degrades LLM tool selection accuracy
  • Servers have different deployment lifecycles and permissions (e.g., one server needs elevated Google Workspace scopes)

Current Workaround

Users click through multiple OAuth redirects. Since all servers use the same Google OAuth Client, Google auto-approves after the first login (browser session), but the user still goes through the redirect flow for each server individually.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗