Customize MCP OAuth authentication - id_token over access_token

Open 💬 0 comments Opened Jun 22, 2026 by Lesha17

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

We have a remote MCP server which lives behind Google Cloud IAP. IAP, by definition, requires user's identity and doesn't accept ya29 access_token. However, the default authentication implemented in Claude only gets access_token from authentication server response, even when id_token is also present in the same response.
As a result, it sends ya29 access_token to IAP, and IAP rejects it.

Proposed Solution

Please implement some customization which lets us choose which field to choose from https://oauth2.googleapis.com/token json response - "id_token" or "access_token".

Alternative Solutions

1) Set "oauth"."authServerMetadataUrl" to own Auth interceptor server, which puts "id_token" to "access_token" field and returns modified response to Claude.
2) Create a local tool which, does all the same authentication steps as Claude, but in the end picks "id_token" instead of "access_token". Use it in "headersHelper" https://code.claude.com/docs/en/mcp#use-dynamic-headers-for-custom-authentication

Priority

High - Significant impact on productivity

Feature Category

MCP server integration

Use Case Example

Add "tokenFieldName" field to MCP json:

claude mcp add-json mytool '{"type":"http","url":"https://mytool.mycompany.domain","oauth":{"clientId":"<OAuth client id>","callbackPort":4444,"tokenFieldName":"id_token"}}'

Additional Context

https://docs.cloud.google.com/iap/docs/authentication-howto

View original on GitHub ↗