Files
wehub-resource-sync e04ed9c211
CF: Deploy Dev Docs / deploy (push) Has been cancelled
Sync Labels / build (push) Has been cancelled
tests / unit tests (macos-latest) (push) Has been cancelled
tests / unit tests (windows-latest) (push) Has been cancelled
tests / unit tests (ubuntu-latest) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:32:45 +08:00

85 lines
4.2 KiB
Markdown

---
title: "Google Sign-In"
type: docs
weight: 1
description: >
Use Google Sign-In for OAuth 2.0 flow and token lifecycle.
---
## Getting Started
Google Sign-In manages the OAuth 2.0 flow and token lifecycle. To integrate the Google Sign-In workflow to your web app, [follow this guide][gsi-setup].
After setting up Google Sign-In, configure your auth service in the toolbox. The Google auth provider supports two distinct validation modes:
1. **Web App Claims (OIDC)**: Used to authenticate user requests in web applications.
2. **MCP Authorization**: Used to secure the entire MCP server transport (SSE or Stdio).
[gsi-setup]: https://developers.google.com/identity/sign-in/web/sign-in
## Configuration Modes
### 1. Web App OIDC Authentication
If you are developing a web application using the Toolbox and need to retrieve user claims from Google ID tokens sent in custom request headers, configure the `clientId` field.
- **Header**: Expects the token in the `<name>_token` header (e.g. `my-google-auth_token`).
- **Token Type**: Google OIDC ID tokens (JWT).
#### Example
```yaml
kind: authService
name: my-google-auth
type: google
clientId: ${YOUR_GOOGLE_CLIENT_ID}
```
---
### 2. MCP Authorization
To secure all endpoints on your MCP server using Google OAuth tokens, enable `mcpEnabled` and specify the `audience` field.
- **Header**: Expects the token in the standard `Authorization: Bearer <token>` header.
- **Token Type**: Supports both Google **ID tokens (JWT)** and Google **opaque access tokens**.
#### Example
```yaml
kind: authService
name: my-google-auth
type: google
audience: ${YOUR_GOOGLE_CLIENT_ID}
mcpEnabled: true
scopesRequired:
- https://www.googleapis.com/auth/userinfo.email
```
> [!IMPORTANT]
> - For **ID tokens (JWT)**: Local cryptographic signature verification is performed, which requires `audience` to be configured. If `audience` is not set, the provider will fall back to using `clientId`. If neither is configured, validation will fail.
> - For **Opaque tokens**: The provider automatically queries Google's secure tokeninfo endpoint (`https://oauth2.googleapis.com/tokeninfo`) and validates the resulting audience against the configured `audience` field (falling back to `clientId` if `audience` is not set).
---
## Behavior
### Authorized Invocations
When using [Authorized Invocations][auth-invoke], a tool will be considered authorized if it has a valid OAuth 2.0 token that matches the Client ID or Audience.
[auth-invoke]: ../tools/_index.md#authorized-invocations
### Authenticated Parameters
When using [Authenticated Parameters][auth-params], any [claim provided by the id-token][provided-claims] can be used for the parameter.
[auth-params]: ../tools/_index.md#authenticated-parameters
[provided-claims]: https://developers.google.com/identity/openid-connect/openid-connect#obtaininguserprofileinformation
---
## Reference
| **field** | **type** | **required** | **description** |
|----------------|:--------:|:------------:|----------------------------------------------------------------------------------------------------------------------------------------------|
| type | string | true | Must be "google". |
| clientId | string | false | Client ID of your application. Required for validating ID tokens in non-MCP web apps (`GetClaimsFromHeader`), and acts as a fallback for `audience` in MCP auth mode if `audience` is not configured. |
| audience | string | false | Expected audience. Required for validating ID tokens in MCP Auth mode (unless `clientId` is configured as a fallback). If specified, also validates opaque token audiences. Disallowed if `mcpEnabled` is false. |
| mcpEnabled | bool | false | Enforces global MCP transport authentication using the `Authorization: Bearer` header. Defaults to false. |
| scopesRequired | []string | false | A list of required scopes that must be present in the token's claims/metadata to be considered valid. Disallowed if `mcpEnabled` is false. |