OAuth Authentication for Client API
OAuth is the recommended authentication method for Client API integrations. It allows you to use access tokens from your existing identity provider without managing additional tokens.
OAuth Benefits
- No token management - Use existing identity provider tokens
- Full API access - Not restricted by scopes, unlike Glean tokens
- Provider flexibility - Works with Google, Azure, Okta, OneLogin
- Enterprise security - Leverages your existing auth infrastructure
OAuth authentication is only supported for Client API. Indexing API operations require Glean-issued tokens.
Authentication Headers
OAuth requests require these specific headers:
Authorization: Bearer <oauth_access_token>
X-Glean-Auth-Type: OAUTH
Header Details
| Header | Description | Example Value |
|---|---|---|
| Authorization | Bearer token from your OAuth provider | Bearer eyJ0eXAiOiJKV1Q... |
| X-Glean-Auth-Type | Required to specify OAuth authentication | OAUTH |
Quick Setup Overview
Configure your identity provider
Set up OAuth application in Google Workspace, Azure, Okta, or OneLogin
Enable OAuth in Glean
Navigate to Client API Settings and enable OAuth
Register your Client ID
Add your OAuth application's Client ID to Glean's configuration
Use OAuth tokens
Include Authorization and X-Glean-Auth-Type headers in your requests
Prerequisites
Before setting up OAuth authentication:
- Admin access to Glean's admin console
- Identity provider account (Google Workspace, Azure, Okta, or OneLogin)
- OAuth application configured in your identity provider
Provider-Specific Setup
Choose your identity provider for detailed setup instructions:
Google Workspace (GSuite)
Complete Google Workspace Setup
Create OAuth Application
- Go to Google Cloud Console Credentials
- Click Create Credentials → OAuth Client ID
- Choose Web application
- Add redirect URIs:
  - For testing: http://127.0.0.1:5000/oauth/callback
  - For production: Your actual callback URL
Configure Scopes
Your GSuite tokens must include these scopes:
openid
email
profile
Register with Glean
- Navigate to Glean Token Management
- Under OAuth Access Tokens → GSuite, enter your Client ID
- Click Save and wait up to 10 minutes for settings to take effect
Microsoft Azure
Complete Azure Setup
App Registration
- Go to Azure Portal
- Navigate to Azure Active Directory → App registrations
- Click New registration
- Configure:
  - Name: Your application name
  - Redirect URI: Your callback URL
Configure Permissions
Add required API permissions:
- Microsoft Graph: openid, email, profile
Get Credentials
Note your:
- Application (client) ID
- Directory (tenant) ID
Register with Glean
- Navigate to Glean Token Management
- Configure:
  - Client ID: Your Application (client) ID
  - Issuer: https://login.microsoftonline.com/<directory_ID>/v2.0
Okta
Complete Okta Setup
Create OIDC Application
- Go to Okta Admin Console
- Navigate to Applications → Create App Integration
- Choose OIDC - OpenID Connect → Web Application
- Configure redirect URIs and logout redirect URIs
Configure Scopes
Ensure your application has appropriate scopes configured
Get Credentials
Note your:
- Client ID
- Okta domain
Register with Glean
- Navigate to Glean Token Management
- Configure:
  - Client ID: Your Okta application client ID
  - Issuer: https://<your-okta-domain>.okta.com
OneLogin
Complete OneLogin Setup
Create OIDC Application
- Go to OneLogin Admin Console
- Navigate to Applications → Add App
- Search for "OpenID Connect (OIDC)" and select it
- Configure:
  - Application Type: Web
  - Redirect URIs: Your callback URLs
Get Credentials
Go to the SSO tab and note your:
- Client ID
- Client Secret
Register with Glean
- Navigate to Glean Token Management
- Configure:
  - Client ID: Your OneLogin application client ID
  - Issuer: https://<your-onelogin-subdomain>.onelogin.com/oidc/2
Implementation Examples
Basic Search Request
curl -X POST https://<instance>-be.glean.com/rest/api/v1/search \
-H 'Authorization: Bearer <oauth_token>' \
-H 'X-Glean-Auth-Type: OAUTH' \
-H 'Content-Type: application/json' \
-d '{
"query": "quarterly reports",
"pageSize": 10
}'
Chat Request
curl -X POST https://<instance>-be.glean.com/rest/api/v1/chat \
-H 'Authorization: Bearer <oauth_token>' \
-H 'X-Glean-Auth-Type: OAUTH' \
-H 'Content-Type: application/json' \
-d '{
"query": "What are the latest quarterly results?",
"conversationId": "optional-conversation-id"
}'
Token Properties
Understanding OAuth token characteristics:
- Scope: Full Client API access (not restricted by scopes)
- User context: Treated as user-permissioned tokens
- Expiration: Managed by your identity provider
- API Support: Client API only (Indexing API not supported)
- Security: Leverages your existing identity provider security
Testing OAuth Authentication
Test Command
curl -X POST https://<instance>-be.glean.com/rest/api/v1/search \
-H 'Authorization: Bearer <OAUTH_TOKEN>' \
-H 'X-Glean-Auth-Type: OAUTH' \
-H 'Content-Type: application/json' \
-d '{"query": "test", "pageSize": 1}'
Expected Response
Successful authentication returns a 200 status with search results:
{
"results": [...],
"trackingToken": "...",
"requestId": "..."
}
Troubleshooting OAuth
Common OAuth Errors
| Error | Cause | Solution |
|---|---|---|
| Missing X-Glean-Auth-Type header | OAuth header not set | Add X-Glean-Auth-Type: OAUTH header |
| Invalid token format | Malformed token | Verify token is valid JWT from your provider |
| 401 Unauthorized | Invalid or expired token | Verify token is correct and not expired |
| 403 Forbidden | OAuth not enabled | Contact admin to enable OAuth in Glean settings |
Debugging Steps
Verify OAuth is enabled
Check that OAuth is enabled in Glean Token Management
Confirm headers
Ensure you have both required headers:
Authorization: Bearer <oauth_token>
X-Glean-Auth-Type: OAUTH
Validate token
Verify your OAuth token is valid and not expired
Test with simple endpoint
Start with a basic search request before testing complex operations
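A local pre-flight check for the "Validate token" step, as an added example that is not Glean's code: it decodes a JWT without verifying its signature and reports the problems that would otherwise surface as an invalid-format or 401 response. The `iss` and `aud` expectations, the function names, and the sample issuer and Client ID used with it are assumptions made for this example; opaque (non-JWT) access tokens cannot be inspected this way.

```python
import base64
import json
import time

def _decode_segment(segment):
    # JWT segments are unpadded base64url; restore the padding first.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def preflight(token, expected_issuer, client_id, now=None, min_ttl=30):
    """Return a list of problems found locally (empty list = worth sending).
    Signature verification is NOT done here; the server remains the authority."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        header, claims = _decode_segment(parts[0]), _decode_segment(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["malformed: header or payload is not base64url JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["malformed: header and payload must be JSON objects"]
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("unsigned token (alg is missing or 'none')")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("no numeric exp claim")
    elif exp - now < min_ttl:
        problems.append("expired or expiring within %d s" % min_ttl)
    # Assumption: iss equals the Issuer registered in Glean Token Management.
    if claims.get("iss") != expected_issuer:
        problems.append("iss %r does not match configured issuer" % claims.get("iss"))
    # Assumption: aud (string or list) carries the registered Client ID.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the registered Client ID")
    return problems

def glean_headers(token):
    # The two headers the page requires, plus the JSON content type.
    return {"Authorization": "Bearer " + token,
            "X-Glean-Auth-Type": "OAUTH",
            "Content-Type": "application/json"}

def make_sample_token(claims, alg="RS256"):
    # Constructed sample for the demo: the signature segment is a dummy.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc(claims), "c2ln"])
```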
Best Practices
Security
- Use HTTPS for all OAuth flows and API requests
- Validate tokens before making API requests
- Handle token refresh gracefully in your application
- Store tokens securely - never commit to version control
Development
- Test OAuth flow in development environment first
- Handle errors gracefully - OAuth tokens can expire or be revoked
- Implement proper logging for OAuth authentication events
- Monitor token usage through your identity provider
Production
- Use production OAuth applications - don't use development credentials
- Implement token caching to reduce identity provider calls
- Set up monitoring for authentication failures
- Plan for token rotation and refresh scenarios
Next Steps
Client API Reference
Explore available Client API endpoints that work with OAuth
Search Implementation
Learn advanced search techniques with OAuth authentication
Need Help?
- Admin Setup: Contact your Glean administrator for OAuth configuration
- Provider Issues: Consult your identity provider documentation
- API Issues: Check the Client API Reference
- Community: Join discussions at community.glean.com