GoogleProvider: client_id uses OAuth app ID (aud) instead of user ID (sub) #3721

@shigechika

What happened?

GoogleProvider sets client_id=aud (the OAuth app ID) in AccessToken. Since aud is the same for all users of the same OAuth app, multi-user MCP servers cannot distinguish users from the token.

GitHubProvider uses the user ID (str(user_data["id"])) for client_id, which works correctly for multi-user.

Example Code

```python
# After Google OAuth, all users get the same client_id:
token = await google_provider.verify_token(access_token)
print(token.client_id)  # "123456.apps.googleusercontent.com" (same for ALL users)
print(token.claims["sub"])  # "1098765432" (unique per user, but not in client_id)

# GitHubProvider returns user ID as client_id:
token = await github_provider.verify_token(access_token)
print(token.client_id)  # "12345678" (unique per user)
```

Version Information

FastMCP version: 3.2.0
MCP version: 1.26.0
Python version: 3.14.3
Platform: macOS-26.4-x86_64-i386-64bit-Mach-O
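
Added example, not part of the original issue and not FastMCP code: it shows per-user server state collapsing when keyed by `client_id` (the shared `aud`), and a helper that keys on the `sub` claim and fails closed when it is absent. `Token`, `MissingSubject`, `user_key`, `demo` and the second user's `sub` value are hypothetical names and constructed data; only the `client_id` and `claims` fields mirror what the report shows.

```python
from dataclasses import dataclass, field


@dataclass
class Token:
    """Stand-in with the two fields the issue shows; not FastMCP's AccessToken."""
    client_id: str
    claims: dict = field(default_factory=dict)


class MissingSubject(Exception):
    """The token carries no usable per-user identifier."""


def user_key(token: Token, provider: str) -> str:
    """Per-user key for sessions, caches and audit logs.

    Uses the `sub` claim, never client_id, and prefixes the provider name so
    identifiers issued by different providers cannot collide.
    """
    sub = token.claims.get("sub")
    if not isinstance(sub, str) or not sub.strip():
        # Fail closed: falling back to client_id would merge every user of
        # the OAuth app into one identity.
        raise MissingSubject(f"{provider}: token has no 'sub' claim")
    return f"{provider}:{sub}"


def demo() -> dict:
    # Constructed tokens: one OAuth app (aud), two different Google users.
    app = "123456.apps.googleusercontent.com"
    alice = Token(client_id=app, claims={"aud": app, "sub": "1098765432"})
    bob = Token(client_id=app, claims={"aud": app, "sub": "2087654321"})

    by_client_id, by_subject = {}, {}
    for tok, note in ((alice, "alice-notes"), (bob, "bob-notes")):
        by_client_id[tok.client_id] = note          # second write replaces the first
        by_subject[user_key(tok, "google")] = note  # one entry per user
    return {"by_client_id": by_client_id, "by_subject": by_subject}


if __name__ == "__main__":
    print(demo())
```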

Labels: auth, bug
