📢 v1.0.0: This guide shows examples for both mark3labs/mcp-go and the official modelcontextprotocol/go-sdk. See examples/README.md for the complete setup guide.
The Google provider validates JWTs via OIDC/JWKS against Google's identity platform. Ideal for Google Workspace integration.
✅ Good for:
- Google Workspace integration
- Consumer applications with Google Sign-In
- Applications requiring Google account authentication
- Cross-platform user auth (Android, iOS, Web)
## Setup

### 1. Create an OAuth Client

1. Go to Google Cloud Console
2. Select your project (or create a new one)
3. Navigate to APIs & Services → Credentials
4. Click Create Credentials → OAuth client ID
5. Configure the OAuth consent screen if prompted (see below)
6. Select the application type:
   - Web application (for proxy mode)
   - Desktop app or iOS/Android (for native mode)
### 2. Configure the OAuth Consent Screen

Required before creating the OAuth client:

1. Navigate to APIs & Services → OAuth consent screen
2. Choose User Type:
   - Internal: Google Workspace users only
   - External: anyone with a Google account
3. Fill in:
   - App name: Your MCP Server
   - User support email: your email
   - Developer contact: your email
4. Add scopes: `openid`, `profile`, `email`
5. Save and Continue
### 3. Configure Redirect URIs

For Web Application (Proxy Mode):

- Authorized JavaScript origins: `https://your-server.com`
- Authorized redirect URIs: `https://your-server.com/oauth/callback`

For Desktop App (Native Mode):

- No redirect URIs needed (the client handles it)
After creation, note:

- Client ID: `<id>.apps.googleusercontent.com`
- Client Secret: (for proxy mode only)
- Issuer: always `https://accounts.google.com`
## Native Mode

When: the client handles OAuth (Claude Desktop, mobile apps)

```go
oauth.WithOAuth(mux, &oauth.Config{
    Provider: "google",
    Issuer:   "https://accounts.google.com",
    Audience: "123456789.apps.googleusercontent.com", // Your Client ID
})
```

Important: for Google, `Audience` must be your Client ID, not a custom value.
## Proxy Mode

When: the server proxies OAuth for simple clients

```go
oauth.WithOAuth(mux, &oauth.Config{
    Provider:     "google",
    Issuer:       "https://accounts.google.com",
    Audience:     "123456789.apps.googleusercontent.com", // Your Client ID
    ClientID:     "123456789.apps.googleusercontent.com",
    ClientSecret: "GOCSPX-...", // From Google Console
    ServerURL:    "https://your-server.com",
    RedirectURIs: "https://your-server.com/oauth/callback",
})
```

## Running

```bash
export GOOGLE_CLIENT_ID="123456789.apps.googleusercontent.com"
export GOOGLE_CLIENT_SECRET="GOCSPX-..."
go run main.go
```

## Testing

Proxy mode:

```bash
# Get authorization URL
curl https://your-server.com/.well-known/oauth-authorization-server
# Open in browser to authenticate
open "https://your-server.com/oauth/authorize?..."
```

Native mode: get a token from Google Sign-In, then:

```bash
curl -X POST https://your-server.com/mcp \
  -H "Authorization: Bearer <google-id-token>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"hello","arguments":{}}}'
```

## Token Claims

Google ID tokens include:

```json
{
  "sub": "1234567890",
  "email": "user@gmail.com",
  "email_verified": true,
  "name": "John Doe",
  "picture": "https://...",
  "aud": "your-client-id.apps.googleusercontent.com",
  "iss": "https://accounts.google.com",
  "exp": 1234567890,
  "iat": 1234567890
}
```

oauth-mcp-proxy extracts:

- `sub` → `User.Subject`
- `email` → `User.Email`
- `name` or `email` → `User.Username`
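As an added example (not code from oauth-mcp-proxy), the stand-alone Go program below shows the checks an OIDC/JWKS validation of a Google ID token has to pass before the claims above can be trusted: a pinned `RS256` algorithm, a signature over the header and payload by the key named in `kid`, an issuer that matches `https://accounts.google.com` byte for byte, an audience equal to the Client ID, an unexpired `exp`, and then the claim-to-User mapping listed above (`name`, falling back to `email`). It uses only the standard library. `NewTestKey` and `MintTestToken` are test fixtures that stand in for Google's JWKS endpoint and token minting, `KeySet` is an assumed stand-in for a fetched JWKS, and all type and function names are mine, not the project's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of Google ID-token claims checked or mapped here.
type Claims struct {
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Name  string `json:"name,omitempty"`
	Aud   string `json:"aud"`
	Iss   string `json:"iss"`
	Exp   int64  `json:"exp"`
}

// User mirrors the three fields the page says oauth-mcp-proxy extracts (assumed shape).
type User struct{ Subject, Email, Username string }

// KeySet stands in for a fetched JWKS: public keys indexed by "kid" (assumption).
type KeySet map[string]*rsa.PublicKey

var b64 = base64.RawURLEncoding

// NewTestKey returns a throwaway RSA key and a KeySet with its public half.
// Fixture only (error ignored); in production the keys come from Google's jwks_uri.
func NewTestKey(kid string) (*rsa.PrivateKey, KeySet) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return priv, KeySet{kid: &priv.PublicKey}
}

// MintTestToken signs claims as an RS256 JWT. Fixture only; Google mints the real tokens.
func MintTestToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig)
}

// decodeSegment base64url-decodes one JWT segment and unmarshals it into v.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyGoogleIDToken checks signature, exact issuer, exact audience (the Client ID)
// and expiry, then maps the claims to a User (name, falling back to email).
func VerifyGoogleIDToken(token string, keys KeySet, issuer, audience string, now time.Time) (User, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return User{}, errors.New("malformed token: expected three segments")
	}
	var hdr struct{ Alg, Kid string } // JSON field matching is case-insensitive
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return User{}, err
	}
	// Pin the algorithm; never let the token's own "alg" choose the scheme.
	pub, ok := keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok {
		return User{}, fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	sig, _ := b64.DecodeString(parts[2]) // a bad encoding simply fails to verify
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return User{}, errors.New("signature verification failed")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return User{}, err
	}
	switch {
	case c.Iss != issuer:
		return User{}, fmt.Errorf("issuer %q does not match %q", c.Iss, issuer)
	case c.Aud != audience:
		return User{}, fmt.Errorf("audience %q does not match the configured Client ID", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return User{}, errors.New("token expired")
	}
	username := c.Name
	if username == "" {
		username = c.Email
	}
	return User{Subject: c.Sub, Email: c.Email, Username: username}, nil
}
```

The signature is checked before any claim is read, so a payload edited in transit never reaches the issuer or audience comparison; the audience comparison is exact, which is why a custom `Audience` value fails against Google-issued tokens.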
## Troubleshooting

Issuer or discovery problems:

- Check: you can reach `https://accounts.google.com/.well-known/openid-configuration`
- Check: no typo in the issuer URL (must be exact)

Audience mismatch:

- Google uses the Client ID as the audience
- Check: `Config.Audience` matches your Client ID exactly
- Example: `123456789.apps.googleusercontent.com`

Redirect URI mismatch:

- Check: the redirect URI in Google Console matches `Config.RedirectURIs`
- Must be an exact match (including `https://`)
- No localhost in production

Proxy mode client errors:

- Check: ClientID and ClientSecret are correct
- Check: the client type matches the mode (Web application for proxy mode)
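The issuer check above is the one most often tripped by a trailing slash or an `http://` scheme. As an added example (not the project's own code), this Go function reproduces that check offline: it parses an OIDC discovery document, requires its `issuer` to equal the configured value byte for byte, and returns the `jwks_uri` the provider would pull signing keys from. `constructedDiscovery` is a constructed sample standing in for the body served at the openid-configuration URL, and the function name is mine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Discovery holds the two OIDC discovery fields the issuer check and the
// JWKS fetch depend on.
type Discovery struct {
	Issuer  string `json:"issuer"`
	JwksURI string `json:"jwks_uri"`
}

// constructedDiscovery is a constructed sample of a discovery document, not a
// live fetch of https://accounts.google.com/.well-known/openid-configuration.
const constructedDiscovery = `{
  "issuer": "https://accounts.google.com",
  "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
  "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth"
}`

// CheckIssuer confirms that the discovery document's issuer equals the
// configured Issuer exactly and returns the jwks_uri on success. The error
// message names the usual cause (trailing slash, wrong scheme) when it applies.
func CheckIssuer(doc []byte, configured string) (string, error) {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return "", fmt.Errorf("discovery document is not valid JSON: %w", err)
	}
	if d.Issuer != configured {
		hint := ""
		switch {
		case strings.TrimRight(configured, "/") == d.Issuer:
			hint = " (remove the trailing slash)"
		case strings.Replace(configured, "http://", "https://", 1) == d.Issuer:
			hint = " (issuer must use https://)"
		}
		return "", fmt.Errorf("issuer mismatch: discovery says %q, config has %q%s", d.Issuer, configured, hint)
	}
	if d.JwksURI == "" {
		return "", fmt.Errorf("discovery document for %q has no jwks_uri", d.Issuer)
	}
	return d.JwksURI, nil
}
```

Running the check once at startup, against the live discovery URL, turns a vague "invalid issuer" rejection on the first request into a configuration error at boot.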
## Security Best Practices

- Use HTTPS for all endpoints
- Store ClientSecret in environment variables
- Configure the OAuth consent screen properly
- Set an appropriate token expiration
- Verify email domain restrictions if needed
- Enable Google Account security features
- Monitor Google API quotas