OAuth with IdP-issued tokens

​

When to choose IdP-based OAuth (REST)

• You already operate enterprise OAuth in your IdP and want to reuse those tokens for Client API access.

​

High-level steps

1. Register an OAuth client in your IdP using Authorization Code; add Proof Key for Code Exchange (PKCE) for public/native clients.
2. In Glean Admin, enable OAuth token acceptance for the Client API and register the allowed client_id values and issuer configuration.
3. Your application runs the Authorization Code flow against your IdP and obtains an access token.
4. Your application calls the Glean Client API, passing the bearer token in the Authorization header and includes the header X-Glean-Auth-Type: OAuth.

​

Token characteristics

• User-scoped; permissions are enforced by Glean at request time.
• Validation includes issuer and client_id (and optional audience if configured by your admin).
• Expiry and refresh are controlled by your IdP.

​

Common pitfalls and troubleshooting

• 401/403 due to OAuth not enabled in Glean or missing X-Glean-Auth-Type header.
• Mismatch between registered client_id/issuer in Glean Admin and the token presented.
• IdP-side assignments/policies preventing user token issuance.
• Attempting to call the Indexing API with OAuth tokens.

​

MCP note

​

IdP setup references

• Entra ID (OIDC) setup
• Google (OIDC) setup
• Okta (SAML) setup
• Generic SAML overview

​

Canonical IdP references

• Microsoft Entra ID (Azure AD): Authorization code flow · Register an application
• Google Identity Platform: OAuth 2.0 for Web Server Applications · OAuth 2.0 for Mobile & Desktop Apps (PKCE)
• Okta: Implement the Authorization Code flow · OIDC and OAuth 2.0 overview
• OneLogin: OpenID Connect (developer docs)

​

Related links

• Back to Overview
• Forward to Glean OAuth Authorization Server
• Client API authentication overview
• OAuth (IdP tokens) developer guide
• MCP Remote Server (overview/host configurator)
• MCP Server setup (admin enablement context)