Adjust ID token handling for proxy mode

Scott Strickland · Scott Strickland · commit 7adffb1abcec · 2025-11-17T12:11:00.000-08:00
In proxy mode, the `id_token` from the upstream identity provider is
now mapped to `access_token` in the response. This ensures that the
token is verifiable, whereas the upstream access token might be from a
different issuer.

Without this fix, authentication to MCP-Trino appears to work, but upon
making any requests, there are token verification failures.
diff --git a/handlers.go b/handlers.go
@@ -586,7 +586,14 @@ func (h *OAuth2Handler) HandleToken(w http.ResponseWriter, r *http.Request) {
 
 	// Add ID token if present
 	if idToken, ok := token.Extra("id_token").(string); ok {
-		response["id_token"] = idToken
+		if h.config.Mode == "proxy" {
+			// In proxy mode, trino-mcp is going to expect to receive id tokens
+			// that can be validated, not access tokens which can be opaque or
+			// from another issuer (e.g. Microsoft Graph when using Azure).
+			response["access_token"] = idToken
+		} else {
+			response["id_token"] = idToken
+        }
 	}
 
 	// Add scope if present
