Customers can register an OAuth 2.1 (OAuth) application in their enterprise Identity Provider (IdP) and enable Glean to accept those IdP-issued access tokens for Client API calls. Glean validates and enforces permissions for user-scoped tokens; token lifecycle (issuance, expiry, refresh) is governed by your IdP.
OAuth authentication is only supported for the Client API and MCP Remote Servers. Indexing API operations require Glean-issued tokens and do not accept OAuth.

When to choose IdP-based OAuth (REST)

  • You already operate enterprise OAuth in your IdP and want to reuse those tokens for Client API access.

How this compares to the Glean OAuth Authorization Server

This page covers IdP‑issued tokens only: your identity provider (for example, Google Workspace, Microsoft Entra ID, Okta, OneLogin) acts as the OAuth authorization server, and Glean validates those tokens. In contrast, the Glean OAuth Authorization Server:
  • Issues OAuth tokens directly from Glean, while still delegating user sign‑in to your existing SSO IdP.
  • Is the recommended path for:
    • MCP Remote Servers.
    • Admin‑managed static OAuth clients (for partner integrations or custom internal apps).
  • Provides Glean‑defined scopes and centralized controls for which applications can access Glean.
If you are deciding between IdP‑based OAuth and the Glean OAuth server for a new integration, see:

High-level steps

  1. Register an OAuth client in your IdP using Authorization Code; add Proof Key for Code Exchange (PKCE) for public/native clients.
  2. In Glean Admin, enable OAuth token acceptance for the Client API and register the allowed client_id values and issuer configuration.
  3. Your application runs the Authorization Code flow against your IdP and obtains an access token.
  4. Your application calls the Glean Client API, passing the bearer token in the Authorization header and including the header X-Glean-Auth-Type: OAuth.
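The four steps above, carried through in an added example that is not Glean's or any IdP's code. It uses only the Python standard library: a PKCE verifier/challenge pair (S256, per RFC 7636), the Authorization Code request to the IdP, the code-for-token exchange, and finally a Glean Client API call carrying both the bearer token and the X-Glean-Auth-Type: OAuth header. The IdP endpoints, client_id, redirect URI and the Glean search URL are placeholders (assumptions) to replace with your own values.

```python
"""Added example (not Glean's or the IdP's code): Authorization Code + PKCE
against an enterprise IdP, then a Glean Client API call with that token."""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

# Placeholders (assumptions, not real endpoints): substitute your IdP's and Glean's values.
IDP_AUTHORIZE_URL = "https://idp.example.com/oauth2/v1/authorize"
IDP_TOKEN_URL = "https://idp.example.com/oauth2/v1/token"
CLIENT_ID = "example-client-id"                    # the client_id you also register in Glean Admin
REDIRECT_URI = "http://127.0.0.1:8765/callback"    # loopback redirect for a native/public client
GLEAN_SEARCH_URL = "https://example-glean-host/rest/api/v1/search"  # assumed Client API search path


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_for(code_verifier: str) -> str:
    """PKCE S256: challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)


def build_authorize_url(code_challenge: str, state: str, scope: str = "openid email") -> str:
    """Step 3, first leg: the IdP authorization request the user's browser is sent to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                  # random value; compare on callback to bind request and response
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return IDP_AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def build_token_request(code: str, code_verifier: str) -> dict:
    """Step 3, second leg: form body for the code exchange. A public client sends the
    code_verifier instead of a client secret; the IdP recomputes the S256 challenge."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def exchange_code(code: str, code_verifier: str) -> dict:
    """POST the exchange to the IdP token endpoint; returns its JSON (access_token, expires_in, ...)."""
    body = urllib.parse.urlencode(build_token_request(code, code_verifier)).encode("ascii")
    req = urllib.request.Request(
        IDP_TOKEN_URL, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def glean_headers(access_token: str) -> dict:
    """Step 4: the two headers Glean needs. Without X-Glean-Auth-Type: OAuth the bearer
    token is not treated as IdP-issued and the call fails with 401/403."""
    return {
        "Authorization": f"Bearer {access_token}",
        "X-Glean-Auth-Type": "OAuth",
        "Content-Type": "application/json",
    }


def call_glean_search(access_token: str, query: str) -> dict:
    """Call the (assumed) Client API search endpoint with the IdP-issued token."""
    payload = json.dumps({"query": query}).encode("utf-8")
    req = urllib.request.Request(GLEAN_SEARCH_URL, data=payload, headers=glean_headers(access_token))
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    print("Open this URL in a browser:", build_authorize_url(challenge, state))
    # On the callback, confirm the returned state matches, then:
    #   token = exchange_code(returned_code, verifier)
    #   print(call_glean_search(token["access_token"], "onboarding checklist"))
```

The token response's expiry and any refresh_token are handled entirely on the IdP side, which is why the example stores nothing beyond the access token it passes to Glean; keep the code_verifier in memory only for the one exchange.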

Token characteristics

  • User-scoped; permissions are enforced by Glean at request time.
  • Validation includes issuer and client_id (and optional audience if configured by your admin).
  • Expiry and refresh are controlled by your IdP.

Common pitfalls and troubleshooting

  • 401/403 due to OAuth not enabled in Glean or missing X-Glean-Auth-Type header.
  • Mismatch between registered client_id/issuer in Glean Admin and the token presented.
  • IdP-side assignments/policies preventing user token issuance.
  • Attempting to call the Indexing API with OAuth tokens.
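For the token characteristics above and the client_id/issuer mismatch pitfall, the following added example (not Glean's validation code, which is server-side and also verifies the signature) is a client-side pre-flight that reads a JWT's claims and compares them with what an admin registered: issuer, client_id, the optional audience, and IdP-governed expiry. It assumes the access token is a JWT that carries the client identity in azp or client_id (IdPs differ), and the registered values are constructed placeholders.

```python
"""Added example (not Glean's code): diagnose an IdP-issued token against the
issuer / client_id / optional audience registration before blaming a 401/403."""
import base64
import json
import time

# Constructed placeholders standing in for what an admin registered in Glean Admin.
REGISTERED = {
    "issuer": "https://idp.example.com",
    "client_ids": {"example-client-id"},
    "audience": None,                  # optional; a string only if the admin configured one
}


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the '=' padding that JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(jwt: str) -> dict:
    """Read the payload of a compact JWS without verifying the signature.
    Diagnostic use only: signature and key checks belong to the validating server."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def unsigned_test_jwt(claims: dict) -> str:
    """Constructed token for demonstrations only; 'alg': 'none' with an empty
    signature is rejected by any real validator."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def check_token_claims(claims: dict, registered: dict = REGISTERED, now=None) -> list:
    """Return a list of human-readable problems; an empty list means the claims match."""
    now = time.time() if now is None else now
    problems = []
    # Issuer must be exactly the registered one.
    if claims.get("iss") != registered["issuer"]:
        problems.append(f"issuer mismatch: token iss={claims.get('iss')!r}, registered {registered['issuer']!r}")
    # Client identity: 'azp' (OIDC) or 'client_id' (RFC 9068-style access tokens).
    client_id = claims.get("azp") or claims.get("client_id")
    if client_id not in registered["client_ids"]:
        problems.append(f"client_id {client_id!r} is not among the client_ids registered in Glean Admin")
    # Audience is only enforced when the admin configured one; 'aud' may be a string or list.
    if registered["audience"] is not None:
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if registered["audience"] not in audiences:
            problems.append(f"audience {registered['audience']!r} not in token aud {aud!r}")
    # Expiry is governed by the IdP; a stale token must be refreshed there, not at Glean.
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token expired or has no exp; obtain a fresh token from the IdP")
    return problems


if __name__ == "__main__":
    ok = {"iss": "https://idp.example.com", "azp": "example-client-id",
          "sub": "user@example.com", "exp": time.time() + 600}
    wrong_client = dict(ok, azp="some-other-app")
    for claims in (ok, wrong_client):
        print(check_token_claims(decode_claims(unsigned_test_jwt(claims))) or "claims match registration")
```

Run this against a real token only on a trusted workstation and discard the output afterwards, since the decoded payload identifies the user; the check deliberately never touches the signature, so a clean result says the registration lines up, not that the token is genuine.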

MCP note

MCP Remote Servers typically rely on the Glean OAuth Authorization Server path with Dynamic Client Registration (DCR). Do not attempt to wire MCP hosts directly to IdP-based REST OAuth unless your host’s guidance explicitly supports that model.

IdP setup references

Use your IdP’s standard application registration and policy configuration. We recommend OpenID Connect (OIDC).

Canonical IdP references