OAuth
OAuth Access Tokens
Setup
Admins can enable this feature in Glean’s Client API Settings. To enable the use of OAuth access tokens with our REST APIs, click the toggle labeled “Allow OAuth token-based access.” You will need to provide the following:
Select your OAuth provider
Choose from supported providers: Azure, GSuite, Okta, or OneLogin
Specify the issuer subdomain
Required if your provider is not GSuite. This value can be found in the payload of your JWT access tokens, and should have one of the following formats:
- https://login.microsoftonline.com/<directory_ID>/v2.0 for Azure
- https://<subdomain>.okta.com for Okta
- https://<subdomain>.onelogin.com/oidc/2 for OneLogin
Enter Client IDs
Provide a comma-separated list of Client IDs of the applications for which your access tokens will be issued.
Once saved, your settings may need up to 10 minutes to take effect.
Using Access Tokens
To use an OAuth access token to authenticate against the REST API, set the following HTTP headers:
Authorization: Bearer <access_token>
X-Glean-Auth-Type: OAUTH
Note that OAuth access tokens are treated as user-permissioned tokens.
By default these tokens have access to all of the scopes available to client APIs. If you need these tokens restricted to specific scopes, please contact your Glean representative.
If using GSuite access tokens, please ensure that your tokens are granted the following scopes:
openid
email
profile
Obtaining Access Tokens
Overview
- Token Issuance: Glean does not issue OAuth tokens in this flow. Instead, your Identity Provider (IDP), such as Okta or Google Workspace, issues the tokens. Glean acts only as a consumer of these tokens.
- Token Validation: Glean validates the following attributes of each OAuth token:
- Token Issuer – must be configured in the Glean UI
- Client ID – must match the expected value, also configured in the UI
- Audience (optional) – can be configured by Glean Support
- Utilize security best practices and proper token management to secure access and refresh tokens. Check access tokens for expiration and fetch new tokens via the refresh token if needed.
Selecting the right identity provider is very important. Usually it is recommended to use the same IDP that is used for Glean SSO.
The steps for obtaining a token are:
Create an OAuth 2.0 client
Register the client with Glean
Use a standard OAuth flow (e.g. an authorization grant flow) to obtain a token
Example: GSuite
In this example, we’ll create a GSuite OAuth client and a local custom application that handles the OAuth callback using the authorization code flow and exchanges the authorization code for a user access token and refresh token. We then make a Search API call using the user access token.
Register OAuth 2.0 Client with IDP
Steps to Create an OAuth Client ID in Google Cloud Console
Create client credentials
Navigate to https://console.cloud.google.com/apis/credentials and click Create Credentials > OAuth Client ID.
Choose the appropriate application type
For this example, select Web application.
Enter a name for your OAuth client
Configure redirect URLs
Under Authorized redirect URIs, add the URI that will handle the authorization code exchange. This URI is where the OAuth server (e.g., Google) will send the authorization code after user consent.
- This redirect URI typically points to a backend service that receives the authorization code and exchanges it for an access token and refresh token.
- For a local testing instance using this example, enter: http://127.0.0.1:5000/oauth/callback
Click Create
Be sure to store the Client ID and Client Secret securely.
Validate audience
Navigate to https://console.cloud.google.com/auth/audience and make sure that only allowed users / authorized domain users can use your OAuth client.
Register Glean as an OAuth Token Consumer
Navigate to Glean token management
Configure client ID
Under OAuth Access Tokens > Gsuite, enter the Client ID you obtained in Step 6 above.
Click save
Test the Flow End-to-End
Run an OAuth resource server
Run the example Flask server (replace CLIENT_ID / CLIENT_SECRET)
Acquire a token
Navigate to http://127.0.0.1:5000/oauth/authorize.
After successfully authenticating, you should see an access token and a refresh token issued by GSuite
Test the token
Make the following call with the access token
Example Flask Server
This example server is for testing purposes only. Never use this in production.
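As an added example (not the page's Flask server, which is not reproduced here, and not Glean's own code), the following stdlib-only Python helpers apply the Overview's validation rules (issuer format, registered client ID, expiry) to a token locally so a rejected call can be diagnosed before it reaches Glean, build the GSuite authorization request with the required scopes, and produce the two REST API headers. `ISSUER_PATTERNS`, `preflight`, `unsigned_jwt`, reading the client ID from `azp` or `aud`, and the constructed sample token are assumptions; real tokens are signed by the IDP and GSuite access tokens are opaque rather than JWTs.

```python
import base64
import json
import re
import time
from urllib.parse import urlencode

# Issuer formats from the Setup section; each <placeholder> becomes a regex class.
ISSUER_PATTERNS = {
    "azure": r"^https://login\.microsoftonline\.com/[0-9a-fA-F-]+/v2\.0$",
    "okta": r"^https://[a-z0-9-]+\.okta\.com$",
    "onelogin": r"^https://[a-z0-9-]+\.onelogin\.com/oidc/2$",
}

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it (inspection only; Glean verifies)."""
    _, payload, _ = token.split(".")  # ValueError on opaque tokens, e.g. GSuite's
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(token, provider, client_ids, now=None):
    """Run the checks the Overview lists (issuer, client ID, expiry) locally so a
    rejected call is diagnosable; client ID is read from 'azp' or 'aud' (assumed)."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    problems = []
    if not re.match(ISSUER_PATTERNS[provider], claims.get("iss", "")):
        problems.append("issuer does not match the configured subdomain format")
    if claims.get("azp") not in client_ids and not set(aud) & set(client_ids):
        problems.append("client ID is not in the list registered with Glean")
    if claims.get("exp", 0) <= now:
        problems.append("token expired; use the refresh token to get a new one")
    return problems

def glean_headers(access_token):
    """The two headers the REST API needs for OAuth token-based access."""
    return {"Authorization": f"Bearer {access_token}", "X-Glean-Auth-Type": "OAUTH"}

def google_authorize_url(client_id, redirect_uri, state):
    """Authorization-code request for GSuite with the required scopes; offline = refresh token."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "openid email profile",
              "access_type": "offline", "state": state}
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)

def unsigned_jwt(claims):
    """Constructed sample token for demos only (alg 'none', empty signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Pass the access token returned by your IDP to `preflight` with the provider name and the client IDs you registered in Glean; an empty list means the token should be accepted, and the headers from `glean_headers` go on the Search API request.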