OIDC implemented for google drive mcp#89
GokulVGAot wants to merge 3 commits into
Signed-off-by: gokul-aot <gokul.vg@aot-technologies.com>
## Description

Adds per-user Google Drive authentication via MCP upstream bearer passthrough (OIDC-compatible).

When `GOOGLE_DRIVE_AUTH_PROVIDER=upstream_bearer` is set, the Google Drive connector uses the caller's Google OAuth access token from each MCP request (`Authorization: Bearer …`) instead of a service account. This supports ToolHive embedded OIDC and similar IdPs where the MCP client forwards the user's Google token.

Key changes:

- `upstream_bearer` auth provider in `ConnectorFactory` — reads the token from request-scoped context and builds `google.oauth2.credentials.Credentials` per call.
- Request context (`set_upstream_bearer` / `get_upstream_bearer`) in `node_wire_runtime.auth.base` for per-request credential threading.
- MCP upstream passthrough in `authenticate_mcp_request()` — when the google-drive-only MCP server runs with `upstream_bearer`, the incoming Bearer token is accepted as the Google token (not validated as `NW_MCP_API_KEY`).
- Passthrough gating on `McpServer` — enabled only when `connector_ids == ["google_drive"]` and the auth provider is `upstream_bearer`; the unified `mcp_entrypoint` keeps the existing API-key/JWT MCP auth.
- Scope auto-grant for upstream callers under `NW_MCP_SCOPE_POLICY_DEFAULT=deny` so `tools/list` is not empty.
- Per-request Drive client in `GoogleDriveConnector` when `per_request_credentials=True`.
- `GOOGLE_DRIVE_AUTH_PROVIDER` env override (wins over `connectors.yaml`).

How to test manually:

1. Set `GOOGLE_DRIVE_AUTH_PROVIDER=upstream_bearer` and `NW_MCP_AUTH_DISABLED=false` (auth disabled skips passthrough token extraction).
2. Run `uv run nw-google-drive` with `NW_MCP_TRANSPORT=streamable-http` (port 8081).
3. Send MCP requests with `Authorization: Bearer` (OAuth Playground or ToolHive OIDC).
4. Call `google_drive.files.list` / `google_drive.files.upload`.

Note: the REST playground `/scenarios/gdrive-archival` does not use MCP passthrough; it is out of scope for this feature unless extended separately.
## Checklist

- …(ruff, mypy, bandit, pytest).
- …`git commit -s`) per the DCO.
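To make the passthrough design in the description concrete, here is an added, self-contained Python model of the request flow (my illustration, not code from this PR or from the node_wire_runtime project). It mirrors the names the description mentions (`set_upstream_bearer` / `get_upstream_bearer`, `authenticate_mcp_request`, the `connector_ids == ["google_drive"]` gate, the env override and the scope auto-grant) but every signature and return shape is my assumption; the real connector builds `google.oauth2.credentials.Credentials`, which is replaced here by a plain dict so the block runs offline. The bearer value and API key are constructed sample data.

```python
from __future__ import annotations

import contextvars
import hmac
from dataclasses import dataclass

# Request-scoped slot for the caller's bearer token. Hypothetical names that
# mirror the PR's set_upstream_bearer / get_upstream_bearer; not its code.
_upstream_bearer: contextvars.ContextVar[str | None] = contextvars.ContextVar(
    "upstream_bearer", default=None
)


def set_upstream_bearer(token: str | None) -> contextvars.Token:
    """Bind the token to the current request; returns a handle for reset()."""
    return _upstream_bearer.set(token)


def get_upstream_bearer() -> str | None:
    return _upstream_bearer.get()


def resolve_auth_provider(env: dict[str, str], yaml_cfg: dict[str, str]) -> str:
    """GOOGLE_DRIVE_AUTH_PROVIDER in the environment wins over connectors.yaml."""
    return env.get("GOOGLE_DRIVE_AUTH_PROVIDER") or yaml_cfg.get("auth_provider", "service_account")


def passthrough_enabled(connector_ids: list[str], auth_provider: str) -> bool:
    """Passthrough only on the Drive-only server running with upstream_bearer."""
    return connector_ids == ["google_drive"] and auth_provider == "upstream_bearer"


@dataclass(frozen=True)
class AuthResult:
    ok: bool
    mode: str  # "upstream_bearer", "api_key", "disabled" or "rejected"
    google_token: str | None = None


def _extract_bearer(headers: dict[str, str]) -> str | None:
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def authenticate_mcp_request(headers: dict[str, str], *, connector_ids: list[str],
                             auth_provider: str, api_key: str,
                             auth_disabled: bool = False) -> AuthResult:
    """Decide how one incoming MCP request is authenticated."""
    if auth_disabled:
        # NW_MCP_AUTH_DISABLED=true skips auth, and with it passthrough extraction.
        return AuthResult(ok=True, mode="disabled")
    token = _extract_bearer(headers)
    if token is None:
        return AuthResult(ok=False, mode="rejected")
    if passthrough_enabled(connector_ids, auth_provider):
        # The bearer IS the caller's Google token; it is not compared to NW_MCP_API_KEY.
        return AuthResult(ok=True, mode="upstream_bearer", google_token=token)
    # Unified entrypoint path: constant-time comparison against the MCP API key.
    if hmac.compare_digest(token.encode(), api_key.encode()):
        return AuthResult(ok=True, mode="api_key")
    return AuthResult(ok=False, mode="rejected")


def granted_scopes(mode: str, policy_default: str, requested: set[str],
                   explicit_grants: set[str] = frozenset()) -> set[str]:
    """Under NW_MCP_SCOPE_POLICY_DEFAULT=deny, upstream callers are auto-granted
    what they ask for; everyone else only gets explicitly granted scopes."""
    if policy_default != "deny" or mode == "upstream_bearer":
        return set(requested)
    return set(requested) & set(explicit_grants)


def build_drive_credentials() -> dict[str, str]:
    """Stand-in for google.oauth2.credentials.Credentials(token=...), built per call."""
    token = get_upstream_bearer()
    if token is None:
        raise PermissionError("no upstream bearer bound to this request")
    return {"kind": "user_oauth", "token": token}


def handle_request(headers: dict[str, str], *, connector_ids: list[str],
                   auth_provider: str, api_key: str) -> dict[str, object]:
    """One request: authenticate, thread the token through the context, clean up."""
    result = authenticate_mcp_request(headers, connector_ids=connector_ids,
                                      auth_provider=auth_provider, api_key=api_key)
    if not result.ok:
        return {"status": 401}
    reset = set_upstream_bearer(result.google_token)
    try:
        creds = (build_drive_credentials() if result.mode == "upstream_bearer"
                 else {"kind": "service_account"})
        scopes = granted_scopes(result.mode, "deny", {"google_drive.files.list"})
        return {"status": 200, "creds": creds, "scopes": sorted(scopes)}
    finally:
        _upstream_bearer.reset(reset)  # never leak one caller's token into the next request
```

The `try/finally` reset is the part worth copying: a request-scoped `ContextVar` that is set but never reset is how one user's Google token ends up attached to another user's Drive call under a reused worker or event loop.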