OIDC implemented for google drive mcp #89

Open
GokulVGAot wants to merge 3 commits into AOT-Technologies:main from GokulVGAot:feature/OIDC-implemented-for-google-drive-mcp

Conversation

@GokulVGAot

Collaborator

Description

Adds per-user Google Drive authentication via MCP upstream bearer passthrough (OIDC-compatible).

When GOOGLE_DRIVE_AUTH_PROVIDER=upstream_bearer is set, the Google Drive connector uses the caller’s Google OAuth access token from each MCP request (Authorization: Bearer …) instead of a service account. This supports ToolHive embedded OIDC and similar IdPs where the MCP client forwards the user’s Google token.

Key changes:

  • upstream_bearer auth provider in ConnectorFactory: reads the token from request-scoped context and builds google.oauth2.credentials.Credentials per call.
  • Request context (set_upstream_bearer / get_upstream_bearer) in node_wire_runtime.auth.base for per-request credential threading.
  • MCP upstream passthrough in authenticate_mcp_request(): when the google-drive-only MCP server runs with upstream_bearer, the incoming Bearer token is accepted as the Google token (not validated as NW_MCP_API_KEY).
  • Passthrough gating on McpServer: enabled only when connector_ids == ["google_drive"] and the auth provider is upstream_bearer; the unified mcp_entrypoint keeps the existing API-key/JWT MCP auth.
  • Scope auto-grant for upstream callers under NW_MCP_SCOPE_POLICY_DEFAULT=deny so tools/list is not empty.
  • Per-request Drive client in GoogleDriveConnector when per_request_credentials=True.
  • GOOGLE_DRIVE_AUTH_PROVIDER env override (wins over connectors.yaml).

How to test manually:

  • Set GOOGLE_DRIVE_AUTH_PROVIDER=upstream_bearer and NW_MCP_AUTH_DISABLED=false (auth disabled skips passthrough token extraction).
  • Run uv run nw-google-drive with NW_MCP_TRANSPORT=streamable-http (port 8081).
  • Send MCP requests with Authorization: Bearer (OAuth Playground or ToolHive OIDC).
  • Call google_drive.files.list / google_drive.files.upload.

Note: the REST playground /scenarios/gdrive-archival does not use MCP passthrough; it is out of scope for this feature unless extended separately.

Related Issue

Type of Change

  • Bug fix
  • New feature
  • Documentation
  • Refactor / chore

Checklist

  • [x] I ran the quality checks locally (ruff, mypy, bandit, pytest).
  • [x] New files include the required SPDX/REUSE license header.
  • [x] I added or updated tests where appropriate.
  • [x] I updated documentation where appropriate.
  • [x] My commits use a correctly configured git identity (real name and email).
  • [x] All my commits are signed off (git commit -s) per the DCO.

Signed-off-by: gokul-aot <gokul.vg@aot-technologies.com>
Signed-off-by: gokul-aot <gokul.vg@aot-technologies.com>
Signed-off-by: gokul-aot <gokul.vg@aot-technologies.com>
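The two security-relevant pieces of the description are the request-scoped token slot (a caller's Google token must never leak into another request) and the gating that decides when an incoming Bearer is treated as a passthrough Google token rather than checked against NW_MCP_API_KEY. The following is an added illustration written for this review, not the PR's or the project's code: the function names mirror the ones the description mentions (set_upstream_bearer, get_upstream_bearer, authenticate_mcp_request), but their bodies, the `upstream_bearer_scope` helper, `resolve_auth_provider`, `passthrough_enabled`, `extract_bearer` and the dict return shape are assumptions. The real connector builds google.oauth2.credentials.Credentials from the token; here the token is only threaded and gated so the block runs without google-auth.

```python
"""Request-scoped bearer passthrough with gating (added example, not project code).

Assumed names: set_upstream_bearer / get_upstream_bearer / authenticate_mcp_request
follow the PR description; upstream_bearer_scope, resolve_auth_provider,
passthrough_enabled and extract_bearer are illustrative helpers.
"""
import contextvars
import hmac
from contextlib import contextmanager
from typing import Iterator, Mapping, Optional, Sequence

# Request-scoped slot: each thread / asyncio task sees its own value, so a
# token bound for one MCP request is invisible to concurrent requests.
_UPSTREAM_BEARER: contextvars.ContextVar[Optional[str]] = contextvars.ContextVar(
    "upstream_bearer", default=None
)


def set_upstream_bearer(token: Optional[str]) -> contextvars.Token:
    """Bind the caller's token for the current context; returns a reset handle."""
    return _UPSTREAM_BEARER.set(token)


def get_upstream_bearer() -> Optional[str]:
    """Read the token bound to the current request context (None outside one)."""
    return _UPSTREAM_BEARER.get()


@contextmanager
def upstream_bearer_scope(token: Optional[str]) -> Iterator[None]:
    """Bind the token for exactly one request and always reset afterwards,
    even if the tool call raises, so no stale credential survives the request."""
    handle = set_upstream_bearer(token)
    try:
        yield
    finally:
        _UPSTREAM_BEARER.reset(handle)


def resolve_auth_provider(yaml_cfg: Mapping[str, str], env: Mapping[str, str]) -> str:
    """GOOGLE_DRIVE_AUTH_PROVIDER in the environment wins over connectors.yaml."""
    return env.get("GOOGLE_DRIVE_AUTH_PROVIDER") or yaml_cfg.get(
        "auth_provider", "service_account"
    )


def passthrough_enabled(
    connector_ids: Sequence[str], auth_provider: str, env: Mapping[str, str]
) -> bool:
    """Passthrough only for the google-drive-only server running upstream_bearer,
    and only while MCP auth is enabled (disabled auth skips token extraction)."""
    if env.get("NW_MCP_AUTH_DISABLED", "false").lower() == "true":
        return False
    return list(connector_ids) == ["google_drive"] and auth_provider == "upstream_bearer"


def extract_bearer(headers: Mapping[str, str]) -> Optional[str]:
    """Return the Bearer value from an Authorization header, or None."""
    raw = headers.get("Authorization") or headers.get("authorization")
    if not raw:
        return None
    scheme, _, value = raw.partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None
    return value.strip()


def authenticate_mcp_request(
    headers: Mapping[str, str],
    connector_ids: Sequence[str],
    auth_provider: str,
    env: Mapping[str, str],
    api_key: str,
) -> dict:
    """Decide how one MCP request is authenticated.

    With passthrough on, the bearer is accepted as the upstream Google token and is
    NOT compared against NW_MCP_API_KEY; otherwise it must equal the API key
    (constant-time comparison on bytes, so non-ASCII tokens cannot raise)."""
    token = extract_bearer(headers)
    if token is None:
        return {"ok": False, "mode": None}
    if passthrough_enabled(connector_ids, auth_provider, env):
        return {"ok": True, "mode": "upstream_bearer", "google_token": token}
    if hmac.compare_digest(token.encode(), api_key.encode()):
        return {"ok": True, "mode": "api_key"}
    return {"ok": False, "mode": "api_key"}


def handle_tool_call(result: dict) -> Optional[str]:
    """Simulate the connector reading the per-request token inside the scope.
    Returns what the Drive client would be built from (the token) or None."""
    with upstream_bearer_scope(result.get("google_token")):
        return get_upstream_bearer()
```

The point worth checking in review is the gate: the same Authorization header means two different things depending on server configuration, so a misconfigured multi-connector server must never fall into the passthrough branch, and the token slot must be reset when the request ends.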
@GokulVGAot GokulVGAot force-pushed the feature/OIDC-implemented-for-google-drive-mcp branch from b296bb7 to 8c769dd Compare July 1, 2026 06:08