Add Google credentials provider for authenticating with MCP servers (#4748)

2025-12-20 16:57:46 +00:00 · 2025-07-24 10:37:39 -07:00
parent 3dd6e431df
commit d254d4ce00
6 changed files with 262 additions and 1 deletions
--- a/packages/core/src/mcp/google-auth-provider.test.ts
+++ b/packages/core/src/mcp/google-auth-provider.test.ts
@@ -0,0 +1,67 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { GoogleAuth } from 'google-auth-library';
+import { GoogleCredentialProvider } from './google-auth-provider.js';
+import { vi, describe, beforeEach, it, expect, Mock } from 'vitest';
+import { MCPServerConfig } from '../config/config.js';
+
+vi.mock('google-auth-library');
+
+describe('GoogleCredentialProvider', () => {
+  it('should throw an error if no scopes are provided', () => {
+    expect(() => new GoogleCredentialProvider()).toThrow(
+      'Scopes must be provided in the oauth config for Google Credentials provider',
+    );
+  });
+
+  it('should use scopes from the config if provided', () => {
+    const config = {
+      oauth: {
+        scopes: ['scope1', 'scope2'],
+      },
+    } as MCPServerConfig;
+    new GoogleCredentialProvider(config);
+    expect(GoogleAuth).toHaveBeenCalledWith({
+      scopes: ['scope1', 'scope2'],
+    });
+  });
+
+  describe('with provider instance', () => {
+    let provider: GoogleCredentialProvider;
+
+    beforeEach(() => {
+      const config = {
+        oauth: {
+          scopes: ['scope1', 'scope2'],
+        },
+      } as MCPServerConfig;
+      provider = new GoogleCredentialProvider(config);
+      vi.clearAllMocks();
+    });
+
+    it('should return credentials', async () => {
+      const mockClient = {
+        getAccessToken: vi.fn().mockResolvedValue({ token: 'test-token' }),
+      };
+      (GoogleAuth.prototype.getClient as Mock).mockResolvedValue(mockClient);
+
+      const credentials = await provider.tokens();
+
+      expect(credentials?.access_token).toBe('test-token');
+    });
+
+    it('should return undefined if access token is not available', async () => {
+      const mockClient = {
+        getAccessToken: vi.fn().mockResolvedValue({ token: null }),
+      };
+      (GoogleAuth.prototype.getClient as Mock).mockResolvedValue(mockClient);
+
+      const credentials = await provider.tokens();
+      expect(credentials).toBeUndefined();
+    });
+  });
+});
--- a/packages/core/src/mcp/google-auth-provider.ts
+++ b/packages/core/src/mcp/google-auth-provider.ts
@@ -0,0 +1,83 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { OAuthClientProvider } from '@modelcontextprotocol/sdk/client/auth.js';
+import {
+  OAuthClientInformation,
+  OAuthClientInformationFull,
+  OAuthClientMetadata,
+  OAuthTokens,
+} from '@modelcontextprotocol/sdk/shared/auth.js';
+import { GoogleAuth } from 'google-auth-library';
+import { MCPServerConfig } from '../config/config.js';
+
+export class GoogleCredentialProvider implements OAuthClientProvider {
+  private readonly auth: GoogleAuth;
+
+  // Properties required by OAuthClientProvider, with no-op values
+  readonly redirectUrl = '';
+  readonly clientMetadata: OAuthClientMetadata = {
+    client_name: 'Gemini CLI (Google ADC)',
+    redirect_uris: [],
+    grant_types: [],
+    response_types: [],
+    token_endpoint_auth_method: 'none',
+  };
+  private _clientInformation?: OAuthClientInformationFull;
+
+  constructor(private readonly config?: MCPServerConfig) {
+    const scopes = this.config?.oauth?.scopes;
+    if (!scopes || scopes.length === 0) {
+      throw new Error(
+        'Scopes must be provided in the oauth config for Google Credentials provider',
+      );
+    }
+    this.auth = new GoogleAuth({
+      scopes,
+    });
+  }
+
+  clientInformation(): OAuthClientInformation | undefined {
+    return this._clientInformation;
+  }
+
+  saveClientInformation(clientInformation: OAuthClientInformationFull): void {
+    this._clientInformation = clientInformation;
+  }
+
+  async tokens(): Promise<OAuthTokens | undefined> {
+    const client = await this.auth.getClient();
+    const accessTokenResponse = await client.getAccessToken();
+
+    if (!accessTokenResponse.token) {
+      console.error('Failed to get access token from Google ADC');
+      return undefined;
+    }
+
+    const tokens: OAuthTokens = {
+      access_token: accessTokenResponse.token,
+      token_type: 'Bearer',
+    };
+    return tokens;
+  }
+
+  saveTokens(_tokens: OAuthTokens): void {
+    // No-op, ADC manages tokens.
+  }
+
+  redirectToAuthorization(_authorizationUrl: URL): void {
+    // No-op
+  }
+
+  saveCodeVerifier(_codeVerifier: string): void {
+    // No-op
+  }
+
+  codeVerifier(): string {
+    // No-op
+    return '';
+  }
+}