e04ed9c211
CF: Deploy Dev Docs / deploy (push) Has been cancelled
Sync Labels / build (push) Has been cancelled
tests / unit tests (macos-latest) (push) Has been cancelled
tests / unit tests (windows-latest) (push) Has been cancelled
tests / unit tests (ubuntu-latest) (push) Has been cancelled
85 lines
4.2 KiB
Markdown
85 lines
4.2 KiB
Markdown
---
|
|
title: "Google Sign-In"
|
|
type: docs
|
|
weight: 1
|
|
description: >
|
|
Use Google Sign-In for OAuth 2.0 flow and token lifecycle.
|
|
---
|
|
|
|
## Getting Started
|
|
|
|
Google Sign-In manages the OAuth 2.0 flow and token lifecycle. To integrate the Google Sign-In workflow to your web app, [follow this guide][gsi-setup].
|
|
|
|
After setting up Google Sign-In, configure your auth service in the toolbox. The Google auth provider supports two distinct validation modes:
|
|
|
|
1. **Web App Claims (OIDC)**: Used to authenticate user requests in web applications.
|
|
2. **MCP Authorization**: Used to secure the entire MCP server transport (SSE or Stdio).
|
|
|
|
[gsi-setup]: https://developers.google.com/identity/sign-in/web/sign-in
|
|
|
|
## Configuration Modes
|
|
|
|
### 1. Web App OIDC Authentication
|
|
If you are developing a web application using the Toolbox and need to retrieve user claims from Google ID tokens sent in custom request headers, configure the `clientId` field.
|
|
|
|
- **Header**: Expects the token in the `<name>_token` header (e.g. `my-google-auth_token`).
|
|
- **Token Type**: Google OIDC ID tokens (JWT).
|
|
|
|
#### Example
|
|
```yaml
|
|
kind: authService
|
|
name: my-google-auth
|
|
type: google
|
|
clientId: ${YOUR_GOOGLE_CLIENT_ID}
|
|
```
|
|
|
|
---
|
|
|
|
### 2. MCP Authorization
|
|
To secure all endpoints on your MCP server using Google OAuth tokens, enable `mcpEnabled` and specify the `audience` field.
|
|
|
|
- **Header**: Expects the token in the standard `Authorization: Bearer <token>` header.
|
|
- **Token Type**: Supports both Google **ID tokens (JWT)** and Google **opaque access tokens**.
|
|
|
|
#### Example
|
|
```yaml
|
|
kind: authService
|
|
name: my-google-auth
|
|
type: google
|
|
audience: ${YOUR_GOOGLE_CLIENT_ID}
|
|
mcpEnabled: true
|
|
scopesRequired:
|
|
- https://www.googleapis.com/auth/userinfo.email
|
|
```
|
|
|
|
> [!IMPORTANT]
|
|
> - For **ID tokens (JWT)**: Local cryptographic signature verification is performed, which requires `audience` to be configured. If `audience` is not set, the provider will fall back to using `clientId`. If neither is configured, validation will fail.
|
|
> - For **Opaque tokens**: The provider automatically queries Google's secure tokeninfo endpoint (`https://oauth2.googleapis.com/tokeninfo`) and validates the resulting audience against the configured `audience` field (falling back to `clientId` if `audience` is not set).
|
|
|
|
---
|
|
|
|
## Behavior
|
|
|
|
### Authorized Invocations
|
|
When using [Authorized Invocations][auth-invoke], a tool will be considered authorized if it has a valid OAuth 2.0 token that matches the Client ID or Audience.
|
|
|
|
[auth-invoke]: ../tools/_index.md#authorized-invocations
|
|
|
|
### Authenticated Parameters
|
|
When using [Authenticated Parameters][auth-params], any [claim provided by the id-token][provided-claims] can be used for the parameter.
|
|
|
|
[auth-params]: ../tools/_index.md#authenticated-parameters
|
|
[provided-claims]: https://developers.google.com/identity/openid-connect/openid-connect#obtaininguserprofileinformation
|
|
|
|
---
|
|
|
|
## Reference
|
|
|
|
| **field** | **type** | **required** | **description** |
|
|
|----------------|:--------:|:------------:|----------------------------------------------------------------------------------------------------------------------------------------------|
|
|
| type | string | true | Must be "google". |
|
|
| clientId | string | false | Client ID of your application. Required for validating ID tokens in non-MCP web apps (`GetClaimsFromHeader`), and acts as a fallback for `audience` in MCP auth mode if `audience` is not configured. |
|
|
| audience | string | false | Expected audience. Required for validating ID tokens in MCP Auth mode (unless `clientId` is configured as a fallback). If specified, also validates opaque token audiences. Disallowed if `mcpEnabled` is false. |
|
|
| mcpEnabled | bool | false | Enforces global MCP transport authentication using the `Authorization: Bearer` header. Defaults to false. |
|
|
| scopesRequired | []string | false | A list of required scopes that must be present in the token's claims/metadata to be considered valid. Disallowed if `mcpEnabled` is false. |
|