From 7adffb1abceca18968b1a384f30e51ed6c939333 Mon Sep 17 00:00:00 2001
From: Scott Strickland
Date: Mon, 17 Nov 2025 09:39:33 -0800
Subject: [PATCH] Adjust ID token handling for proxy mode

In proxy mode, the `id_token` from the upstream identity provider is now mapped to `access_token` in the response. This ensures that the token is verifiable, whereas the upstream access token might be from a different issuer. Without this fix, authentication to MCP-Trino appears to work, but upon making any requests, there are token verification failures.
---
 handlers.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/handlers.go b/handlers.go
index a1fec89..870d22f 100644
--- a/handlers.go
+++ b/handlers.go
@@ -586,7 +586,14 @@ func (h *OAuth2Handler) HandleToken(w http.ResponseWriter, r *http.Request) {
 
 	// Add ID token if present
 	if idToken, ok := token.Extra("id_token").(string); ok {
-		response["id_token"] = idToken
+		if h.config.Mode == "proxy" {
+			// In proxy mode, trino-mcp is going to expect to receive id tokens
+			// that can be validated, not access tokens which can be opaque or
+			// from another issuer (e.g. Microsoft Graph when using Azure).
+			response["access_token"] = idToken
+		} else {
+			response["id_token"] = idToken
+		}
 	}
 
 	// Add scope if present
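Review bot: In proxy mode the new branch only runs when the upstream response actually carries an `id_token`, so a response without one (refresh-token grants commonly omit it, as does any flow that did not request the `openid` scope) still hands the client the upstream access token, which is exactly the opaque or wrong-issuer token the commit message says fails verification, only now it fails on the first request instead of at the token endpoint. The `ok` check should be separated from the mode check so the handler refuses rather than falls back, e.g. `if h.config.Mode == "proxy" && !ok { /* return a token-endpoint error; never fall back to the upstream access token */ }` placed before this block, using whatever error response HandleToken uses elsewhere (the function starts and ends outside this hunk). Two caveats also deserve a comment next to `response["access_token"] = idToken`: the `expires_in` that HandleToken presumably derives from the upstream token elsewhere describes the upstream access token, not this ID token's `exp`, so clients may present an already-expired token; and an ID token's `aud` is the OAuth client ID, so the downstream verifier must pin `aud` to that client ID and `iss` to the configured issuer, otherwise any ID token the same IdP issued for a different client would be accepted as a bearer credential. Suggested comment: `// NOTE: expires_in reflects the upstream access token, not this ID token's exp; the consumer must verify iss and aud (== our client_id) on this token.`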