29 changes: 19 additions & 10 deletions deploy/mcp-oauth-proxy/templates/configmap.yaml
Expand Up @@ -35,9 +35,11 @@ data:
github:
paths: "/github/*"
policy: authenticated
google:
paths: "/google/*"
{{- range .Values.googleWorkspaceServices }}
{{ .name }}:
paths: "/{{ .name }}/*"
policy: authenticated
{{- end }}
slack:
paths: "/slack/*"
policy: authenticated
Expand Down Expand Up @@ -125,23 +127,25 @@ data:
{{- end }}
redirect-path: /github/authorize/callback
restore-path-after-redirect: true
google:
{{- range .Values.googleWorkspaceServices }}
{{ .name }}:
provider: google
client-id: {{ .Values.oidc.google.clientId | quote }}
client-id: {{ $.Values.oidc.googleWorkspace.clientId | quote }}
credentials:
client-secret:
provider:
key: {{ .Values.oidc.google.clientSecretKey }}
key: {{ $.Values.oidc.googleWorkspace.clientSecretKey }}
method: post
authentication:
scopes:
{{- range .Values.oidc.google.scopes }}
{{- range (index $.Values.oidc .scopesKey).scopes }}
- {{ . | quote }}
{{- end }}
redirect-path: /google/authorize/callback
redirect-path: /{{ .name }}/authorize/callback
restore-path-after-redirect: true
extra-params:
access_type: "offline"
{{- end }}
slack:
auth-server-url: "https://slack.com"
discovery-enabled: false
Expand Down Expand Up @@ -312,6 +316,9 @@ data:
namespace: {{ .Values.application.k8s.namespace | quote }}
token-exchange:
idp: {{ .Values.oidc.provider }}
google-workspace:
client-id: {{ .Values.oidc.googleWorkspace.clientId | quote }}
client-secret-key: {{ .Values.oidc.googleWorkspace.clientSecretKey }}
athenz-token-exchange:
audience: {{ .Values.application.tokenExchange.athenzTokenExchange.audience | default "sys.auth.gcp" | quote }}
google-workforce:
Expand Down Expand Up @@ -363,9 +370,11 @@ data:
- name: github
endpoint: {{ .Values.oidc.github.endpoint | quote }}
username-claim: {{ .Values.oidc.github.claim | quote }}
- name: google
endpoint: {{ .Values.oidc.google.endpoint | quote }}
username-claim: {{ .Values.oidc.google.claim | quote }}
{{- range .Values.googleWorkspaceServices }}
- name: {{ .name }}
endpoint: {{ $.Values.oidc.googleWorkspace.endpoint | quote }}
username-claim: {{ $.Values.oidc.googleWorkspace.claim | quote }}
{{- end }}
- name: embrace
endpoint: {{ .Values.oidc.embrace.authorizationUrl | quote }}
username-claim: {{ .Values.oidc.embrace.claim | quote }}
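Review bot: `(index $.Values.oidc .scopesKey).scopes` in the second hunk fails with an opaque nil-pointer template error when a `googleWorkspaceServices` entry names a `scopesKey` that has no matching block under `oidc`, so a mistyped values override surfaces as a render crash rather than a message naming the key; `{{- range (required (printf "oidc.%s.scopes is not set" .scopesKey) (index $.Values.oidc .scopesKey)).scopes }}` gives an actionable error instead. The same hunk adds `access_type: "offline"` to every generated tenant, which asks Google to issue a refresh token per service; that is presumably intended so the proxy can renew tokens without re-prompting the user, but the template does not say so, and a comment such as `# offline access: Google issues a refresh token, a long-lived credential handled by the token state manager` would record the intent (the persistence part is inferred and worth confirming). All generated tenants also share one client-id and client-secret and differ only in scopes and redirect path, which is fine but worth a line in the chart values so operators do not expect per-service credentials.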
62 changes: 61 additions & 1 deletion deploy/mcp-oauth-proxy/values.yaml
Expand Up @@ -178,6 +178,32 @@ application:
enabled:
issuer:

googleWorkspaceServices:
- name: google-drive
scopesKey: googleDrive
- name: google-docs
scopesKey: googleDocs
- name: google-sheets
scopesKey: googleSheets
- name: google-slides
scopesKey: googleSlides
- name: google-gmail
scopesKey: googleGmail
- name: google-calendar
scopesKey: googleCalendar
- name: google-tasks
scopesKey: googleTasks
- name: google-chat
scopesKey: googleChat
- name: google-forms
scopesKey: googleForms
- name: google-keep
scopesKey: googleKeep
- name: google-meet
scopesKey: googleMeet
- name: google-cloud-platform
scopesKey: googleCloudPlatform

oidc:
authServerUrl:
claim:
Expand All @@ -203,11 +229,45 @@ oidc:
clientSecretKey:
scopes:
- offline_access
google:
googleWorkspace:
endpoint: "https://accounts.google.com/o/oauth2/v2/auth"
clientId:
claim:
clientSecretKey:
googleDrive:
scopes:
- openid
googleDocs:
scopes:
- openid
googleSheets:
scopes:
- openid
googleSlides:
scopes:
- openid
googleGmail:
scopes:
- openid
googleCalendar:
scopes:
- openid
googleTasks:
scopes:
- openid
googleChat:
scopes:
- openid
googleForms:
scopes:
- openid
googleKeep:
scopes:
- openid
googleMeet:
scopes:
- openid
googleCloudPlatform:
scopes:
- openid
slack:
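Review bot: The coupling between `googleWorkspaceServices[].scopesKey` in the first hunk and the `googleDrive`, `googleDocs`, … keys under `oidc` in the second is not documented in the values file, so an operator who adds a service or renames a key only finds out at `helm template` time. A comment above `googleWorkspaceServices:` such as `# Each scopesKey must match a key under oidc that carries a scopes list; configmap.yaml renders one OIDC tenant per entry` would make the contract explicit. Every generated scopes list also defaults to just `openid`, which presumably leaves the real per-service Google API scopes to an environment override; if so, the same comment should say that.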
10 changes: 6 additions & 4 deletions src/main/java/io/athenz/mop/quarkus/CustomTokenStateManager.java
Expand Up @@ -93,10 +93,12 @@ private static String toTokenKey(String tokenState) {
}

private String getProviderFromOidcConfig(OidcTenantConfig oidcConfig) {
if (oidcConfig.provider().isPresent()) {
return oidcConfig.provider().get().name().toLowerCase();
} else {
return providerDefault;
if (oidcConfig.tenantId().isPresent()) {
String tenantId = oidcConfig.tenantId().get();
if (!"Default".equals(tenantId)) {
return tenantId;
}
}
return providerDefault;
}
}
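Review bot: The new body of getProviderFromOidcConfig pairs `isPresent()` with `get()` and nests the `"Default"` check, where a single Optional chain reads more directly: `return oidcConfig.tenantId()` / `.filter(id -> !"Default".equals(id))` / `.orElse(providerDefault);`. The `"Default"` literal presumably mirrors Quarkus's default tenant id; if the project's Quarkus version exposes `OidcUtils.DEFAULT_TENANT_ID`, referencing that constant avoids silent drift should the literal ever change. Dropping the former `toLowerCase()` also means the returned value now preserves the tenant id's case, so a mixed-case tenant id yields a different token-state key than the previous provider-name key; if using the id verbatim is intended, a Javadoc line such as `/** Returns the tenant id as the provider key, or providerDefault for the "Default" tenant. */` would document that contract. `providerDefault` and the enclosing class are outside the hunk.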
6 changes: 3 additions & 3 deletions src/main/java/io/athenz/mop/resource/BaseResource.java
Expand Up @@ -33,7 +33,7 @@ public abstract class BaseResource {
* Build success redirect with authorization code
* RFC 6749 Section 4.1.2
*/
Response buildSuccessRedirect(String redirectUri, String code, String state) {
protected Response buildSuccessRedirect(String redirectUri, String code, String state) {
try {
StringBuilder locationBuilder = new StringBuilder(redirectUri);

Expand Down Expand Up @@ -127,7 +127,7 @@ private static String trimQuotes(String userName) {
return userName;
}

String getUsername(UserInfo userInfo, String userNameClaim, String token) {
protected String getUsername(UserInfo userInfo, String userNameClaim, String token) {
String userName = null;
if (userInfo != null) {
userName = getUserNameFromUserInfo(userInfo, userNameClaim);
Expand All @@ -145,7 +145,7 @@ String getUsername(UserInfo userInfo, String userNameClaim, String token) {
return userName;
}

void logoutFromProvider(String provider, OidcSession oidcSession) {
protected void logoutFromProvider(String provider, OidcSession oidcSession) {
log.info("Logging out of {} OIDC session", provider);
oidcSession.logout().await().indefinitely();
}
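Review bot: `getUsername` and `logoutFromProvider` become part of the class's extension contract once they are `protected`, but neither carries Javadoc while `buildSuccessRedirect` does; a one-line Javadoc on each, e.g. `/** Resolves the username from user info, falling back to the token's claim; may return null. */` above `getUsername`, keeps the three consistent (the null fallback is inferred from `String userName = null;` and should be confirmed against the rest of the method, which continues outside the hunk). `logoutFromProvider` also blocks on `.await().indefinitely()` with no timeout, which subclasses in other packages can now call directly; documenting that blocking behaviour in its Javadoc would save callers a surprise.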
136 changes: 0 additions & 136 deletions src/main/java/io/athenz/mop/resource/GoogleResource.java

This file was deleted.
