60e0ffc959
Upgrade checks / Notify on failure (push) Has been cancelled
Upgrade checks / Close issue on success (push) Has been cancelled
Schema Crash Test / Real-world schema crash test (232K schemas) (push) Has been cancelled
Run static analysis / static_analysis (push) Has been cancelled
Tests / Tests: Python 3.10 on ubuntu-latest (push) Has been cancelled
Tests / Tests: Python 3.13 on ubuntu-latest (push) Has been cancelled
Tests / Tests: Python 3.10 on windows-latest (push) Has been cancelled
Tests / Tests with lowest-direct dependencies (push) Has been cancelled
Tests / MCP conformance tests (push) Has been cancelled
Tests / Integration tests (push) Has been cancelled
Tests / Package install smoke (push) Has been cancelled
Upgrade checks / Static analysis (push) Has been cancelled
Upgrade checks / Tests: Python 3.10 on ubuntu-latest (push) Has been cancelled
Upgrade checks / Tests: Python 3.13 on ubuntu-latest (push) Has been cancelled
Upgrade checks / Tests: Python 3.10 on windows-latest (push) Has been cancelled
Upgrade checks / Integration tests (push) Has been cancelled
Update MCPServerConfig Schema / update-config-schema (push) Has been cancelled
Update SDK Documentation / update-sdk-docs (push) Has been cancelled
189 lines
7.3 KiB
Plaintext
189 lines
7.3 KiB
Plaintext
---
|
|
title: Google OAuth 🤝 FastMCP
|
|
sidebarTitle: Google
|
|
description: Secure your FastMCP server with Google OAuth
|
|
icon: google
|
|
---
|
|
|
|
import { VersionBadge } from "/snippets/version-badge.mdx"
|
|
|
|
<VersionBadge version="2.12.0" />
|
|
|
|
This guide shows you how to secure your FastMCP server using **Google OAuth**. Since Google doesn't support Dynamic Client Registration, this integration uses the [**OAuth Proxy**](/servers/auth/oauth-proxy) pattern to bridge Google's traditional OAuth with MCP's authentication requirements.
|
|
|
|
## Configuration
|
|
|
|
### Prerequisites
|
|
|
|
Before you begin, you will need:
|
|
1. A **[Google Cloud Account](https://console.cloud.google.com/)** with access to create OAuth 2.0 Client IDs
|
|
2. Your FastMCP server's URL (can be localhost for development, e.g., `http://localhost:8000`)
|
|
|
|
### Step 1: Create a Google OAuth 2.0 Client ID
|
|
|
|
Create an OAuth 2.0 Client ID in your Google Cloud Console to get the credentials needed for authentication:
|
|
|
|
<Steps>
|
|
<Step title="Navigate to OAuth Consent Screen">
|
|
Go to the [Google Cloud Console](https://console.cloud.google.com/apis/credentials) and select your project (or create a new one).
|
|
|
|
First, configure the OAuth consent screen by navigating to **APIs & Services → OAuth consent screen**. Choose "External" for testing or "Internal" for G Suite organizations.
|
|
</Step>
|
|
|
|
<Step title="Create OAuth 2.0 Client ID">
|
|
Navigate to **APIs & Services → Credentials** and click **"+ CREATE CREDENTIALS"** → **"OAuth client ID"**.
|
|
|
|
Configure your OAuth client:
|
|
|
|
- **Application type**: Web application
|
|
- **Name**: Choose a descriptive name (e.g., "FastMCP Server")
|
|
- **Authorized JavaScript origins**: Add your server's base URL (e.g., `http://localhost:8000`)
|
|
- **Authorized redirect URIs**: Add your server URL + `/auth/callback` (e.g., `http://localhost:8000/auth/callback`)
|
|
|
|
<Warning>
|
|
The redirect URI must match exactly. The default path is `/auth/callback`, but you can customize it using the `redirect_path` parameter. For local development, Google allows `http://localhost` URLs with various ports. For production, you must use HTTPS.
|
|
</Warning>
|
|
|
|
<Tip>
|
|
If you want to use a custom callback path (e.g., `/auth/google/callback`), make sure to set the same path in both your Google OAuth Client settings and the `redirect_path` parameter when configuring the GoogleProvider.
|
|
</Tip>
|
|
</Step>
|
|
|
|
<Step title="Save Your Credentials">
|
|
After creating the client, you'll receive:
|
|
|
|
- **Client ID**: A string ending in `.apps.googleusercontent.com`
|
|
- **Client Secret**: A string starting with `GOCSPX-`
|
|
|
|
Download the JSON credentials or copy these values securely.
|
|
|
|
<Tip>
|
|
Store these credentials securely. Never commit them to version control. Use environment variables or a secrets manager in production.
|
|
</Tip>
|
|
</Step>
|
|
</Steps>
|
|
|
|
### Step 2: FastMCP Configuration
|
|
|
|
Create your FastMCP server using the `GoogleProvider`, which handles Google's OAuth flow automatically:
|
|
|
|
```python server.py
|
|
from fastmcp import FastMCP
|
|
from fastmcp.server.auth.providers.google import GoogleProvider
|
|
|
|
# The GoogleProvider handles Google's token format and validation
|
|
auth_provider = GoogleProvider(
|
|
client_id="123456789.apps.googleusercontent.com", # Your Google OAuth Client ID
|
|
client_secret="GOCSPX-abc123...", # Your Google OAuth Client Secret
|
|
base_url="http://localhost:8000", # Must match your OAuth configuration
|
|
required_scopes=[ # Request user information
|
|
"openid",
|
|
"https://www.googleapis.com/auth/userinfo.email",
|
|
],
|
|
# redirect_path="/auth/callback" # Default value, customize if needed
|
|
)
|
|
|
|
mcp = FastMCP(name="Google Secured App", auth=auth_provider)
|
|
|
|
# Add a protected tool to test authentication
|
|
@mcp.tool
|
|
async def get_user_info() -> dict:
|
|
"""Returns information about the authenticated Google user."""
|
|
from fastmcp.server.dependencies import get_access_token
|
|
|
|
token = get_access_token()
|
|
# The GoogleProvider stores user data in token claims
|
|
return {
|
|
"google_id": token.claims.get("sub"),
|
|
"email": token.claims.get("email"),
|
|
"name": token.claims.get("name"),
|
|
"picture": token.claims.get("picture"),
|
|
"locale": token.claims.get("locale")
|
|
}
|
|
```
|
|
|
|
## Testing
|
|
|
|
### Running the Server
|
|
|
|
Start your FastMCP server with HTTP transport to enable OAuth flows:
|
|
|
|
```bash
|
|
fastmcp run server.py --transport http --port 8000
|
|
```
|
|
|
|
Your server is now running and protected by Google OAuth authentication.
|
|
|
|
### Testing with a Client
|
|
|
|
Create a test client that authenticates with your Google-protected server:
|
|
|
|
```python test_client.py
|
|
from fastmcp import Client
|
|
import asyncio
|
|
|
|
async def main():
|
|
# The client will automatically handle Google OAuth
|
|
async with Client("http://localhost:8000/mcp", auth="oauth") as client:
|
|
# First-time connection will open Google login in your browser
|
|
print("✓ Authenticated with Google!")
|
|
|
|
# Test the protected tool
|
|
result = await client.call_tool("get_user_info")
|
|
print(f"Google user: {result['email']}")
|
|
print(f"Name: {result['name']}")
|
|
|
|
if __name__ == "__main__":
|
|
asyncio.run(main())
|
|
```
|
|
|
|
When you run the client for the first time:
|
|
1. Your browser will open to Google's authorization page
|
|
2. Sign in with your Google account and grant the requested permissions
|
|
3. After authorization, you'll be redirected back
|
|
4. The client receives the token and can make authenticated requests
|
|
|
|
<Info>
|
|
The client caches tokens locally, so you won't need to re-authenticate for subsequent runs unless the token expires or you explicitly clear the cache.
|
|
</Info>
|
|
|
|
## Production Configuration
|
|
|
|
<VersionBadge version="2.13.0" />
|
|
|
|
For production deployments with persistent token management across server restarts, configure `jwt_signing_key` and `client_storage`:
|
|
|
|
```python server.py
|
|
import os
|
|
from fastmcp import FastMCP
|
|
from fastmcp.server.auth.providers.google import GoogleProvider
|
|
from key_value.aio.stores.redis import RedisStore
|
|
from key_value.aio.wrappers.encryption import FernetEncryptionWrapper
|
|
from cryptography.fernet import Fernet
|
|
|
|
# Production setup with encrypted persistent token storage
|
|
auth_provider = GoogleProvider(
|
|
client_id="123456789.apps.googleusercontent.com",
|
|
client_secret="GOCSPX-abc123...",
|
|
base_url="https://your-production-domain.com",
|
|
required_scopes=["openid", "https://www.googleapis.com/auth/userinfo.email"],
|
|
|
|
# Production token management
|
|
jwt_signing_key=os.environ["JWT_SIGNING_KEY"],
|
|
client_storage=FernetEncryptionWrapper(
|
|
key_value=RedisStore(
|
|
host=os.environ["REDIS_HOST"],
|
|
port=int(os.environ["REDIS_PORT"])
|
|
),
|
|
fernet=Fernet(os.environ["STORAGE_ENCRYPTION_KEY"])
|
|
)
|
|
)
|
|
|
|
mcp = FastMCP(name="Production Google App", auth=auth_provider)
|
|
```
|
|
|
|
<Note>
|
|
Parameters (`jwt_signing_key` and `client_storage`) work together to ensure tokens and client registrations survive server restarts. **Wrap your storage in `FernetEncryptionWrapper` to encrypt sensitive OAuth tokens at rest** - without it, tokens are stored in plaintext. Store secrets in environment variables and use a persistent storage backend like Redis for distributed deployments.
|
|
|
|
For complete details on these parameters, see the [OAuth Proxy documentation](/servers/auth/oauth-proxy#configuration-parameters).
|
|
</Note> |