Google Provider Guide
Overview
The Google provider validates JWTs against Google's identity platform using OIDC discovery and Google's JWKS. Ideal for Google Workspace integration.
When to Use
✅ Good for:
Google Workspace integration
Consumer applications with Google Sign-In
Applications requiring Google account authentication
Cross-platform user auth (Android, iOS, Web)
Setup in Google Cloud Console
1. Create OAuth Client
Go to Google Cloud Console
Select your project (or create new)
Navigate to APIs & Services → Credentials
Click Create Credentials → OAuth client ID
Configure OAuth consent screen if prompted (see below)
Select application type:
Web application (for proxy mode)
Desktop app or iOS/Android (for native mode)
2. Configure OAuth Consent Screen
Required before creating OAuth client:
Navigate to APIs & Services → OAuth consent screen
Choose User Type:
Internal - Google Workspace users only
External - Anyone with Google account
Fill in:
App name: Your MCP Server
User support email: Your email
Developer contact: Your email
Add scopes:
openid
profile
email
Save and Continue
3. Create OAuth Client ID
For Web Application (Proxy Mode):
Authorized JavaScript origins:
https://your-server.com
Authorized redirect URIs:
https://your-server.com/oauth/callback
For Desktop App (Native Mode):
No redirect URIs needed (client handles it)
4. Get Configuration Values
After creation, note:
Client ID: <id>.apps.googleusercontent.com
Client Secret (proxy mode only)
Issuer: always https://accounts.google.com
Configuration (Native Mode)
When: Client handles OAuth (Claude Desktop, mobile apps)
oauth.WithOAuth(mux, &oauth.Config{
	Provider: "google",
	Issuer:   "https://accounts.google.com",
	Audience: "123456789.apps.googleusercontent.com", // Your Client ID
})
Important: For Google, Audience must be your Client ID, not a custom value.
Configuration (Proxy Mode)
When: Server proxies OAuth for simple clients
oauth.WithOAuth(mux, &oauth.Config{
	Provider:     "google",
	Issuer:       "https://accounts.google.com",
	Audience:     "123456789.apps.googleusercontent.com", // Your Client ID
	ClientID:     "123456789.apps.googleusercontent.com",
	ClientSecret: "GOCSPX-...", // From Google Console
	ServerURL:    "https://your-server.com",
	RedirectURIs: "https://your-server.com/oauth/callback",
})
Testing
1. Start MCP Server
export GOOGLE_CLIENT_ID="123456789.apps.googleusercontent.com"
export GOOGLE_CLIENT_SECRET="GOCSPX-..."
go run main.go
2. Test OAuth Flow (Browser)
# Get authorization URL
curl https://your-server.com/.well-known/oauth-authorization-server
# Open in browser to authenticate
open "https://your-server.com/oauth/authorize?..."
3. Test Token Validation
Get token from Google Sign-In, then:
curl -X POST https://your-server.com/mcp \
-H "Authorization: Bearer <google-id-token>" \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"hello","arguments":{}}}'
User Claims
Google ID tokens include:
{
"sub": "1234567890",
"email": "user@example.com",
"email_verified": true,
"name": "John Doe",
"picture": "https://...",
"aud": "your-client-id.apps.googleusercontent.com",
"iss": "https://accounts.google.com",
"exp": 1234567890,
"iat": 1234567890
}
oauth-mcp-proxy extracts:
sub → User.Subject
email → User.Email
name or email → User.Username
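The checks that both configurations above depend on, and the claim mapping just listed, as an added example that is not oauth-mcp-proxy's own code: a self-contained Go verifier that pins RS256, verifies the signature, rejects a token whose iss or aud differ from the configured Issuer and Audience, checks expiry, and only then maps sub, email and name onto a User. It mints its own RSA key and sample token offline in place of Google's JWKS; the function names, the User type, the sample claim values (user@example.com, the 123456789 Client ID) and the "my-mcp-server" custom audience are all constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// User is the claim mapping from the User Claims section.
type User struct{ Subject, Email, Username string }

// googleClaims is the subset of Google ID token claims used here. Google issues "aud" as a
// string; a general validator must also accept the JSON array form allowed by the JWT spec.
type googleClaims struct {
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Name  string `json:"name"`
	Aud   string `json:"aud"`
	Iss   string `json:"iss"`
	Exp   int64  `json:"exp"`
}

var enc = base64.RawURLEncoding
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// signRS256 mints an RS256 JWT with a local key so sample tokens can be built offline; real
// tokens are signed by Google. Errors are dropped because the key and digest are always valid here.
func signRS256(key *rsa.PrivateKey, claims googleClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(input))
	return input + "." + enc.EncodeToString(sig)
}

// verifyGoogleIDToken checks alg, signature, issuer, audience and expiry, in that order, then
// maps the claims onto a User. pub stands in for the key fetched from Google's JWKS; issuer and
// audience are the guide's Config.Issuer and Config.Audience.
func verifyGoogleIDToken(pub *rsa.PublicKey, issuer, audience, token string, now time.Time) (*User, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed header")
	}
	if hdr.Alg != "RS256" { // pin the algorithm; the token must not get to choose "none" or an HMAC alg
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
		return nil, errors.New("invalid signature")
	}
	var c googleClaims
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("invalid issuer %q", c.Iss)
	}
	if c.Aud != audience { // the guide's "Invalid audience" error: Audience must equal the Client ID
		return nil, fmt.Errorf("invalid audience %q", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	u := &User{Subject: c.Sub, Email: c.Email, Username: c.Name}
	if u.Username == "" { // name, falling back to email
		u.Username = c.Email
	}
	return u, nil
}

// runDemo verifies one constructed token against the correct audience (the Client ID) and
// against a custom audience value, and returns both outcomes.
func runDemo() (user *User, wrongAudErr error, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	const issuer, clientID = "https://accounts.google.com", "123456789.apps.googleusercontent.com"
	now := time.Now()
	token := signRS256(key, googleClaims{Sub: "1234567890", Email: "user@example.com", Name: "John Doe",
		Aud: clientID, Iss: issuer, Exp: now.Add(time.Hour).Unix()}) // constructed sample claims
	if user, err = verifyGoogleIDToken(&key.PublicKey, issuer, clientID, token, now); err != nil {
		return nil, nil, err
	}
	// the misconfiguration the guide warns about: Audience set to something other than the Client ID
	_, wrongAudErr = verifyGoogleIDToken(&key.PublicKey, issuer, "my-mcp-server", token, now)
	return user, wrongAudErr, nil
}
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is trusted, and a Google token always carries the Client ID in aud, so a custom Audience value can only ever produce the "Invalid audience" error.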
Troubleshooting
"Failed to initialize OIDC provider"
Check: Can reach https://accounts.google.com/.well-known/openid-configuration
Check: No typo in issuer URL (must be exact)
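What these two checks look like in code, as an added example rather than the library's own initialisation: a Go fetch of the discovery document that fails when the host is unreachable and when the document's "issuer" differs from the configured issuer, even by a trailing slash. The provider is an httptest server serving a constructed document in place of accounts.google.com; fetchDiscovery, discoveryDoc, newFakeProvider and the /certs and /token paths are names assumed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// discoveryDoc holds the OpenID Provider Configuration fields this example reads.
type discoveryDoc struct {
	Issuer   string `json:"issuer"`
	JWKSURI  string `json:"jwks_uri"`
	TokenURL string `json:"token_endpoint"`
}

// fetchDiscovery loads <issuer>/.well-known/openid-configuration and enforces the OpenID
// Connect Discovery rule that the document's "issuer" must equal the configured issuer
// exactly, so a typo in Config.Issuer fails fast instead of trusting a different provider.
func fetchDiscovery(client *http.Client, issuer string) (*discoveryDoc, error) {
	url := strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
	resp, err := client.Get(url)
	if err != nil {
		return nil, fmt.Errorf("failed to initialize OIDC provider: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("failed to initialize OIDC provider: HTTP %d from %s", resp.StatusCode, url)
	}
	var doc discoveryDoc
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return nil, fmt.Errorf("failed to initialize OIDC provider: %w", err)
	}
	if doc.Issuer != issuer {
		return nil, fmt.Errorf("issuer mismatch: configured %q but discovery document says %q", issuer, doc.Issuer)
	}
	return &doc, nil
}

// newFakeProvider serves a constructed discovery document that advertises the server's own
// URL as issuer, standing in for accounts.google.com so the example runs offline.
func newFakeProvider() *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/.well-known/openid-configuration" {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(discoveryDoc{Issuer: srv.URL, JWKSURI: srv.URL + "/certs", TokenURL: srv.URL + "/token"})
	}))
	return srv
}

// demoDiscovery returns the outcome for an exact issuer, for the same issuer with a stray
// trailing slash (same document, but not an exact match), and for an unreachable host.
func demoDiscovery() (exactErr, typoErr, unreachableErr error) {
	srv := newFakeProvider()
	defer srv.Close()
	_, exactErr = fetchDiscovery(srv.Client(), srv.URL)
	_, typoErr = fetchDiscovery(srv.Client(), srv.URL+"/")
	_, unreachableErr = fetchDiscovery(srv.Client(), "http://127.0.0.1:1") // constructed: nothing listens on port 1
	return
}
```

The trailing-slash case is the one to notice: the request still reaches the right document, but the issuer comparison is byte-for-byte, which is exactly why the guide says the issuer URL must be exact.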
"Invalid audience"
Google uses Client ID as audience
Check: Config.Audience matches your Client ID exactly
Example: 123456789.apps.googleusercontent.com
"redirect_uri_mismatch" error
Check: Redirect URI in Google Console matches Config.RedirectURIs
Must be exact match (including https://)
No localhost in production
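One way to apply these three rules on the server side, as an added example that is not from oauth-mcp-proxy: checkRedirectURI (an assumed name) requires a byte-for-byte match with the registered URI, so a different scheme or a trailing slash is a mismatch, and in production it also refuses http:// and loopback hosts. The sample URIs are the ones used in this guide.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// checkRedirectURI applies the rules from the troubleshooting section: the redirect_uri
// presented in an authorization request must equal the registered value exactly (no prefix
// or case matching, scheme included), and in production the registered value must use
// https and must not point at localhost or a loopback address.
func checkRedirectURI(registered, requested string, production bool) error {
	if requested != registered {
		return fmt.Errorf("redirect_uri_mismatch: got %q, registered %q", requested, registered)
	}
	u, err := url.Parse(registered)
	if err != nil {
		return err
	}
	if !production {
		return nil
	}
	if u.Scheme != "https" {
		return errors.New("production redirect URI must start with https://")
	}
	host := u.Hostname()
	if host == "localhost" || net.ParseIP(host).IsLoopback() { // IsLoopback is false for a non-IP host
		return errors.New("localhost redirect URI is not allowed in production")
	}
	return nil
}

// demoRedirectChecks runs the cases from the troubleshooting section and reports which passed.
func demoRedirectChecks() map[string]bool {
	const prod = "https://your-server.com/oauth/callback"
	const dev = "http://localhost:8080/oauth/callback" // constructed development value
	return map[string]bool{
		"exact match":          checkRedirectURI(prod, prod, true) == nil,
		"trailing slash":       checkRedirectURI(prod, prod+"/", true) == nil,
		"http instead of https": checkRedirectURI(prod, "http://your-server.com/oauth/callback", true) == nil,
		"localhost in dev":     checkRedirectURI(dev, dev, false) == nil,
		"localhost in prod":    checkRedirectURI(dev, dev, true) == nil,
	}
}
```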
"invalid_client" error
Check: ClientID and ClientSecret correct
Check: Client type matches mode (Web app for proxy mode)
Production Checklist
References