Description
Summary
Add support for configuring the audience (aud) parameter in OAuth 2.0 and OpenID Connect flows initiated via MCP Inspector.
Motivation
Currently, MCP Inspector does not allow setting a custom audience parameter when requesting access tokens. As a result:
• Tokens are issued for the default Auth0 Management API (aud = https://.auth0.com/api/v2/)
• This often leads to unexpected scopes or encrypted tokens (JWE) depending on API settings
• Users intending to test custom APIs with their own audience identifiers cannot do so via MCP Inspector
• The token’s behavior (payload, encryption, scopes) becomes incorrect for anything other than the Management API
Proposed Solution
Allow users to configure a custom audience value as part of:
• The OAuth authorize request
• The /oauth/token request (especially for client credentials flow)
This could be exposed as a simple input field in the UI when setting up an OAuth test session, or as part of an advanced configuration section.
Benefits
• Supports testing real-world OAuth setups involving custom APIs
• Aligns with Auth0, Azure AD, Okta, and other providers that require an explicit audience
• Avoids the accidental issuance of encrypted or mis-scoped tokens
• Matches behavior already supported in tools like Postman and curl
References
• Auth0: How to pass audience
• OpenID Connect Spec - Audience Claim
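A sketch of the proposed behaviour, added here as an example and not taken from MCP Inspector's code: an optional audience is appended to the authorize URL and to the client credentials body, and the returned token is classified (JWS, JWE or opaque) and its `aud` claim compared with the configured value. It assumes the parameter is named `audience`, as Auth0 names it. All function names, client values and the API identifier are constructed.

```javascript
// Added example. `audience` is a provider extension parameter (Auth0 naming assumed),
// not part of core OAuth 2.0. All identifiers below are hypothetical.

function buildAuthorizeUrl(authorizeEndpoint, { clientId, redirectUri, scope, state, audience }) {
  const url = new URL(authorizeEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);
  // Send the parameter only when configured, so default behaviour is unchanged.
  if (audience) url.searchParams.set("audience", audience);
  return url.toString();
}

function buildClientCredentialsBody({ clientId, clientSecret, audience }) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret, // never log this body
  });
  if (audience) body.set("audience", audience);
  return body.toString();
}

// Diagnostic only: decodes the payload WITHOUT verifying the signature.
function checkTokenAudience(token, expectedAudience) {
  const parts = token.split(".");
  if (parts.length === 5) return { format: "JWE", audienceOk: null }; // encrypted, claims unreadable
  if (parts.length !== 3) return { format: "opaque", audienceOk: null };
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return { format: "opaque", audienceOk: null };
  }
  // aud may be a single string or an array of strings (RFC 7519, section 4.1.3).
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  return { format: "JWS", audienceOk: aud.includes(expectedAudience), aud };
}

// Constructed sample token with a placeholder signature, for illustration only.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.c2ln`;
}
```

A resource server still has to verify the signature and reject any token whose `aud` does not contain its own identifier; the check above only tells the tester which kind of token came back.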