[v1.x] Add subject and claims to AccessToken (#2690)

maxisbey · web-flow · commit 1abcca2408a6 · 2026-05-26T15:49:44.000+01:00
diff --git a/examples/servers/simple-auth/mcp_simple_auth/auth_server.py b/examples/servers/simple-auth/mcp_simple_auth/auth_server.py
@@ -123,6 +123,8 @@ async def introspect_handler(request: Request) -> Response:
                 "iat": int(time.time()),
                 "token_type": "Bearer",
                 "aud": access_token.resource,  # RFC 8707 audience claim
+                "sub": access_token.subject,  # RFC 7662 subject
+                "iss": str(server_settings.server_url),
             }
         )
 
diff --git a/examples/servers/simple-auth/mcp_simple_auth/simple_auth_provider.py b/examples/servers/simple-auth/mcp_simple_auth/simple_auth_provider.py
@@ -186,6 +186,7 @@ async def handle_simple_callback(self, username: str, password: str, state: str)
             scopes=[self.settings.mcp_scope],
             code_challenge=code_challenge,
             resource=resource,  # RFC 8707
+            subject=username,
         )
         self.auth_codes[new_code] = auth_code
 
@@ -224,6 +225,7 @@ async def exchange_authorization_code(
             scopes=authorization_code.scopes,
             expires_at=int(time.time()) + 3600,
             resource=authorization_code.resource,  # RFC 8707
+            subject=authorization_code.subject,
         )
 
         # Store user data mapping for this token
diff --git a/examples/servers/simple-auth/mcp_simple_auth/token_verifier.py b/examples/servers/simple-auth/mcp_simple_auth/token_verifier.py
@@ -75,6 +75,8 @@ async def verify_token(self, token: str) -> AccessToken | None:
                     scopes=data.get("scope", "").split() if data.get("scope") else [],
                     expires_at=data.get("exp"),
                     resource=data.get("aud"),  # Include resource in token
+                    subject=data.get("sub"),  # RFC 7662 subject (resource owner)
+                    claims=data,
                 )
             except Exception as e:
                 logger.warning(f"Token introspection failed: {e}")
diff --git a/src/mcp/server/auth/provider.py b/src/mcp/server/auth/provider.py
@@ -1,5 +1,5 @@
 from dataclasses import dataclass
-from typing import Generic, Literal, Protocol, TypeVar
+from typing import Any, Generic, Literal, Protocol, TypeVar
 from urllib.parse import parse_qs, urlencode, urlparse, urlunparse
 
 from pydantic import AnyUrl, BaseModel
@@ -25,13 +25,15 @@ class AuthorizationCode(BaseModel):
     redirect_uri: AnyUrl
     redirect_uri_provided_explicitly: bool
     resource: str | None = None  # RFC 8707 resource indicator
+    subject: str | None = None  # resource owner; propagate to the issued AccessToken
 
 
 class RefreshToken(BaseModel):
     token: str
     client_id: str
     scopes: list[str]
     expires_at: int | None = None
+    subject: str | None = None  # resource owner; propagate to refreshed AccessTokens
 
 
 class AccessToken(BaseModel):
@@ -40,6 +42,8 @@ class AccessToken(BaseModel):
     scopes: list[str]
     expires_at: int | None = None
     resource: str | None = None  # RFC 8707 resource indicator
+    subject: str | None = None  # RFC 7662/9068 `sub`: resource owner; unique only per issuer
+    claims: dict[str, Any] | None = None  # additional claims (e.g. `iss`, `act`)
 
 
 RegistrationErrorCode = Literal[
diff --git a/src/mcp/server/fastmcp/server.py b/src/mcp/server/fastmcp/server.py
@@ -1282,9 +1282,14 @@ async def log(
             related_request_id=self.request_id,
         )
 
+    # TODO(maxisbey): see if this is needed otherwise remove
     @property
     def client_id(self) -> str | None:
-        """Get the client ID if available."""
+        """Get the client ID if available.
+
+        Note: this reads from the MCP request's `_meta` params, not the OAuth
+        bearer token. For that, use `get_access_token().client_id`.
+        """
         return (
             getattr(self.request_context.meta, "client_id", None) if self.request_context.meta else None
         )  # pragma: no cover
diff --git a/tests/server/fastmcp/auth/test_auth_integration.py b/tests/server/fastmcp/auth/test_auth_integration.py
@@ -54,6 +54,7 @@ async def authorize(self, client: OAuthClientInformationFull, params: Authorizat
             redirect_uri_provided_explicitly=params.redirect_uri_provided_explicitly,
             expires_at=time.time() + 300,
             scopes=params.scopes or ["read", "write"],
+            subject="test-user",
         )
         self.auth_codes[code.code] = code
 
@@ -80,6 +81,7 @@ async def exchange_authorization_code(
             client_id=client.client_id,
             scopes=authorization_code.scopes,
             expires_at=int(time.time()) + 3600,
+            subject=authorization_code.subject,
         )
 
         self.refresh_tokens[refresh_token] = access_token
@@ -109,6 +111,7 @@ async def load_refresh_token(self, client: OAuthClientInformationFull, refresh_t
             client_id=token_info.client_id,
             scopes=token_info.scopes,
             expires_at=token_info.expires_at,
+            subject=token_info.subject,
         )
 
         return refresh_obj
@@ -142,6 +145,7 @@ async def exchange_refresh_token(
             client_id=client.client_id,
             scopes=scopes or token_info.scopes,
             expires_at=int(time.time()) + 3600,
+            subject=refresh_token.subject,
         )
 
         self.refresh_tokens[new_refresh_token] = new_access_token
@@ -170,6 +174,7 @@ async def load_access_token(self, token: str) -> AccessToken | None:
             client_id=token_info.client_id,
             scopes=token_info.scopes,
             expires_at=token_info.expires_at,
+            subject=token_info.subject,
         )
 
     async def revoke_token(self, token: AccessToken | RefreshToken) -> None:
@@ -783,6 +788,7 @@ async def test_authorization_get(
         assert auth_info.client_id == client_info["client_id"]
         assert "read" in auth_info.scopes
         assert "write" in auth_info.scopes
+        assert auth_info.subject == "test-user"
 
         # 6. Refresh the token
         response = await test_client.post(
@@ -803,6 +809,10 @@ async def test_authorization_get(
         assert new_token_response["access_token"] != access_token
         assert new_token_response["refresh_token"] != refresh_token
 
+        refreshed_auth_info = await mock_oauth_provider.load_access_token(new_token_response["access_token"])
+        assert refreshed_auth_info
+        assert refreshed_auth_info.subject == "test-user"
+
         # 7. Revoke the token
         response = await test_client.post(
             "/revoke",

Original file line number	Diff line number	Diff line change
`@@ -123,6 +123,8 @@ async def introspect_handler(request: Request) -> Response:`
`123`	`123`	`"iat": int(time.time()),`
`124`	`124`	`"token_type": "Bearer",`
`125`	`125`	`"aud": access_token.resource, # RFC 8707 audience claim`
	`126`	`+ "sub": access_token.subject, # RFC 7662 subject`
	`127`	`+ "iss": str(server_settings.server_url),`
`126`	`128`	`}`
`127`	`129`	`)`
`128`	`130`
Original file line number	Diff line number	Diff line change
`@@ -186,6 +186,7 @@ async def handle_simple_callback(self, username: str, password: str, state: str)`
`186`	`186`	`scopes=[self.settings.mcp_scope],`
`187`	`187`	`code_challenge=code_challenge,`
`188`	`188`	`resource=resource, # RFC 8707`
	`189`	`+ subject=username,`
`189`	`190`	`)`
`190`	`191`	`self.auth_codes[new_code] = auth_code`
`191`	`192`
`@@ -224,6 +225,7 @@ async def exchange_authorization_code(`
`224`	`225`	`scopes=authorization_code.scopes,`
`225`	`226`	`expires_at=int(time.time()) + 3600,`
`226`	`227`	`resource=authorization_code.resource, # RFC 8707`
	`228`	`+ subject=authorization_code.subject,`
`227`	`229`	`)`
`228`	`230`
`229`	`231`	`# Store user data mapping for this token`
Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,8 @@ async def verify_token(self, token: str) -> AccessToken \| None:`
`75`	`75`	`scopes=data.get("scope", "").split() if data.get("scope") else [],`
`76`	`76`	`expires_at=data.get("exp"),`
`77`	`77`	`resource=data.get("aud"), # Include resource in token`
	`78`	`+ subject=data.get("sub"), # RFC 7662 subject (resource owner)`
	`79`	`+ claims=data,`
`78`	`80`	`)`
`79`	`81`	`except Exception as e:`
`80`	`82`	`logger.warning(f"Token introspection failed: {e}")`