Customize MCP OAuth authentication - id_token over access_token
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
We have a remote MCP server which lives behind Google Cloud IAP. IAP, by definition, requires user's identity and doesn't accept ya29 access_token. However, the default authentication implemented in Claude only gets access_token from authentication server response, even when id_token is also present in the same response.
As a result, it sends ya29 access_token to IAP, and IAP rejects it.
Proposed Solution
Please implement some customization which lets us choose which field to choose from https://oauth2.googleapis.com/token json response - "id_token" or "access_token".
Alternative Solutions
1) Set "oauth"."authServerMetadataUrl" to own Auth interceptor server, which puts "id_token" to "access_token" field and returns modified response to Claude.
2) Create a local tool which, does all the same authentication steps as Claude, but in the end picks "id_token" instead of "access_token". Use it in "headersHelper" https://code.claude.com/docs/en/mcp#use-dynamic-headers-for-custom-authentication
Priority
High - Significant impact on productivity
Feature Category
MCP server integration
Use Case Example
Add "tokenFieldName" field to MCP json:
claude mcp add-json mytool '{"type":"http","url":"https://mytool.mycompany.domain","oauth":{"clientId":"<OAuth client id>","callbackPort":4444,"tokenFieldName":"id_token"}}'