Problem
AWS Bedrock AgentCore, Cognito, and other OIDC-based servers expect the ID token (not the access token) as the Bearer credential. mcp-stdio always uses access_token, so authentication fails on these servers.
Reference: mcp-remote#219
Proposed solution
Add --oauth-use-id-token CLI flag. When set:
- Store id_token from the token response in TokenData / token_store.py
- ensure_token() returns id_token as the effective Bearer value
- Refresh path preserves id_token from the new token response
Scope
- token_store.py — add id_token: str | None = None to TokenData
- oauth.py — _parse_token_response() captures id_token; ensure_token() honours the flag
- cli.py — --oauth-use-id-token flag; propagated to ensure_token()
Difficulty
Small
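
The proposed behaviour as an added example (not mcp-stdio's own code): TokenData gains id_token, and the hypothetical helpers parse_token_response() and effective_bearer() stand in for _parse_token_response() and ensure_token(). Raising an error when the flag is set but the response carried no id_token is an assumption, and the sample responses are constructed.

```python
from __future__ import annotations

import time
from dataclasses import dataclass


@dataclass
class TokenData:
    access_token: str
    refresh_token: str | None = None
    expires_at: float | None = None
    id_token: str | None = None  # field proposed in the issue


def parse_token_response(resp: dict, previous: TokenData | None = None) -> TokenData:
    """Build TokenData from a token-endpoint JSON body (hypothetical helper)."""
    expires_in = resp.get("expires_in")
    old_refresh = previous.refresh_token if previous else None
    return TokenData(
        access_token=resp["access_token"],
        # A refresh response may omit refresh_token; keep the previous one then.
        refresh_token=resp.get("refresh_token") or old_refresh,
        expires_at=time.time() + float(expires_in) if expires_in is not None else None,
        # id_token is taken only from this response, so an older ID token is
        # never carried over next to a newer access token.
        id_token=resp.get("id_token"),
    )


def effective_bearer(token: TokenData, use_id_token: bool = False) -> str:
    """Return the value to send as 'Authorization: Bearer <value>'."""
    if not use_id_token:
        return token.access_token
    if not token.id_token:
        # Assumption: fail closed instead of silently sending the access token.
        raise ValueError(
            "--oauth-use-id-token is set but the token response had no id_token "
            "(check that the 'openid' scope was requested)"
        )
    return token.id_token


# Constructed sample responses with placeholder values, not real tokens.
INITIAL = {"access_token": "at-1", "id_token": "idt-1",
           "refresh_token": "rt-1", "expires_in": 3600}
REFRESHED = {"access_token": "at-2", "id_token": "idt-2", "expires_in": 3600}
```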