1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
/**
* @license
* Copyright 2025 Google LLC
* SPDX-License-Identifier: Apache-2.0
*/
import { OAuthClientProvider } from '@modelcontextprotocol/sdk/client/auth.js';
import {
OAuthClientInformation,
OAuthClientInformationFull,
OAuthClientMetadata,
OAuthTokens,
} from '@modelcontextprotocol/sdk/shared/auth.js';
import { GoogleAuth } from 'google-auth-library';
import { MCPServerConfig } from '../config/config.js';
const ALLOWED_HOSTS = [/^.+\.googleapis\.com$/, /^(.*\.)?luci\.app$/];
export class GoogleCredentialProvider implements OAuthClientProvider {
private readonly auth: GoogleAuth;
// Properties required by OAuthClientProvider, with no-op values
readonly redirectUrl = '';
readonly clientMetadata: OAuthClientMetadata = {
client_name: 'Gemini CLI (Google ADC)',
redirect_uris: [],
grant_types: [],
response_types: [],
token_endpoint_auth_method: 'none',
};
private _clientInformation?: OAuthClientInformationFull;
constructor(private readonly config?: MCPServerConfig) {
const url = this.config?.url || this.config?.httpUrl;
if (!url) {
throw new Error(
'URL must be provided in the config for Google Credentials provider',
);
}
const hostname = new URL(url).hostname;
if (!ALLOWED_HOSTS.some((pattern) => pattern.test(hostname))) {
throw new Error(
`Host "${hostname}" is not an allowed host for Google Credential provider.`,
);
}
const scopes = this.config?.oauth?.scopes;
if (!scopes || scopes.length === 0) {
throw new Error(
'Scopes must be provided in the oauth config for Google Credentials provider',
);
}
this.auth = new GoogleAuth({
scopes,
});
}
clientInformation(): OAuthClientInformation | undefined {
return this._clientInformation;
}
saveClientInformation(clientInformation: OAuthClientInformationFull): void {
this._clientInformation = clientInformation;
}
async tokens(): Promise<OAuthTokens | undefined> {
const client = await this.auth.getClient();
const accessTokenResponse = await client.getAccessToken();
if (!accessTokenResponse.token) {
console.error('Failed to get access token from Google ADC');
return undefined;
}
const tokens: OAuthTokens = {
access_token: accessTokenResponse.token,
token_type: 'Bearer',
};
return tokens;
}
saveTokens(_tokens: OAuthTokens): void {
// No-op, ADC manages tokens.
}
redirectToAuthorization(_authorizationUrl: URL): void {
// No-op
}
saveCodeVerifier(_codeVerifier: string): void {
// No-op
}
codeVerifier(): string {
// No-op
return '';
}
}
|
