When using OIDCProxy with IntrospectionVerifier, how do I get the user's id_token?

[bendavis78]

I'm using the following setup:

token_verifier = IntrospectionTokenVerifier(
    introspection_url=f"{OPENID_URL}/introspection/",
    client_id=UPSTREAM_CLIENT_ID,
    client_secret=UPSTREAM_CLIENT_SECRET,
    required_scopes=["openid", "email"],
)

auth = OIDCProxy(
    config_url=f"{OPENID_URL}/.well-known/openid-configuration",
    client_id=UPSTREAM_CLIENT_ID,
    client_secret=UPSTREAM_CLIENT_SECRET,
    base_url=f"{settings.MCP_SERVER_BASE_URL}",
    token_verifier=token_verifier,
)

mcp = FastMCP(name="test", auth=auth, instructions=INSTRUCTIONS)

In my tool function I need access to the OIDC id_token provided by the upstream auth server in order to check certain permissions on the JWT. I can make an extra request to our OIDC token endpoint but that seems unnecessary given that request already should have happened during the OAuth flow. Is there a way to get that token?

[aiwebb]

Same exact problem! I'm using AWSCognitoProvider and I'm surprised by the lack of a get_id_token method or similar. I have no way of knowing who the user is!

[dexalex84]

That will be nice as well.

For example in this code in "OAuthProxy":

            # Exchange IdP code for tokens (server-side)
            oauth_client = AsyncOAuth2Client(
                client_id=self._upstream_client_id,
                client_secret=self._upstream_client_secret.get_secret_value(),
                token_endpoint_auth_method=self._token_endpoint_auth_method,
                timeout=HTTP_TIMEOUT_SECONDS,
            )
            ....
            idp_tokens: dict[str, Any] = await oauth_client.fetch_token(
                    **token_params
                ) 
                

For OKTA

idp_tokens has both tokens
idp_token =

{
  "sub": "xxxxx",
  "name": "John Dow",   <<<< name
  "email": "[email protected]", <<<< email
  "ver": 1,
  "iss": "https://xxxx.okta.com",
  "aud": "xxxxx",
  "iat": xxx,
  "exp": xxxx,
  "jti": "xxxx",
  "amr": [
   .....
  ],
  "idp": "xxxx",
  "preferred_username": "[email protected]",  ID or Account name
....
}

but
access token has only:

{
  "ver": 1,
  "iss": "https://xxxx.okta.com",
  "aud": "https://xxxx.okta.com",
  "sub": "[email protected]",
  "iat": xxx,
  "exp": xxxxx,
  "cid": "xxx",
  "uid": "xxxx",
  "scp": [
    "openid",
    "email",
    "profile",
    "groups",
    "offline_access"
  ],
  "auth_time": xxxx
}

so getting in addition to "Account name", full name, email can be helpful

Also it can have IDP groups info could be very useful to get in MCP middleware to apply some sec measures