ContextQMD
Back to Genai Toolbox

Google Sign-In

docs/en/documentation/configuration/authentication/google.md

1.4.04.1 KB
Original Source

Getting Started

Google Sign-In manages the OAuth 2.0 flow and token lifecycle. To integrate the Google Sign-In workflow to your web app, follow this guide.

After setting up Google Sign-In, configure your auth service in the toolbox. The Google auth provider supports two distinct validation modes:

  1. Web App Claims (OIDC): Used to authenticate user requests in web applications.
  2. MCP Authorization: Used to secure the entire MCP server transport (SSE or Stdio).

Configuration Modes

1. Web App OIDC Authentication

If you are developing a web application using the Toolbox and need to retrieve user claims from Google ID tokens sent in custom request headers, configure the clientId field.

  • Header: Expects the token in the <name>_token header (e.g. my-google-auth_token).
  • Token Type: Google OIDC ID tokens (JWT).

Example

yaml
kind: authService
name: my-google-auth
type: google
clientId: ${YOUR_GOOGLE_CLIENT_ID}

2. MCP Authorization

To secure all endpoints on your MCP server using Google OAuth tokens, enable mcpEnabled and specify the audience field.

  • Header: Expects the token in the standard Authorization: Bearer <token> header.
  • Token Type: Supports both Google ID tokens (JWT) and Google opaque access tokens.

Example

yaml
kind: authService
name: my-google-auth
type: google
audience: ${YOUR_GOOGLE_CLIENT_ID}
mcpEnabled: true
scopesRequired:
  - https://www.googleapis.com/auth/userinfo.email

[!IMPORTANT]

  • For ID tokens (JWT): Local cryptographic signature verification is performed, which requires audience to be configured. If audience is not set, the provider will fall back to using clientId. If neither is configured, validation will fail.
  • For Opaque tokens: The provider automatically queries Google's secure tokeninfo endpoint (https://oauth2.googleapis.com/tokeninfo) and validates the resulting audience against the configured audience field (falling back to clientId if audience is not set).

Behavior

Authorized Invocations

When using Authorized Invocations, a tool will be considered authorized if it has a valid OAuth 2.0 token that matches the Client ID or Audience.

Authenticated Parameters

When using Authenticated Parameters, any claim provided by the id-token can be used for the parameter.

Reference

fieldtyperequireddescription
typestringtrueMust be "google".
clientIdstringfalseClient ID of your application. Required for validating ID tokens in non-MCP web apps (GetClaimsFromHeader), and acts as a fallback for audience in MCP auth mode if audience is not configured.
audiencestringfalseExpected audience. Required for validating ID tokens in MCP Auth mode (unless clientId is configured as a fallback). If specified, also validates opaque token audiences. Disallowed if mcpEnabled is false.
mcpEnabledboolfalseEnforces global MCP transport authentication using the Authorization: Bearer header. Defaults to false.
scopesRequired[]stringfalseA list of required scopes that must be present in the token's claims/metadata to be considered valid. Disallowed if mcpEnabled is false.