Rename dcr-client-id references to ge-client-id for consistency
The client ID used by Gemini Enterprise is not always created via DCR
(Option B uses static credentials), so rename all generic references
from dcr_client_id/dcr-client-id to ge_client_id/ge-client-id and
update related prose accordingly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
docs/authentication-flow.md (13 additions & 12 deletions)
@@ -253,7 +253,7 @@ Customer User Gemini Enterprise Red Hat SSO (Keycloak)
253
253
| to Red Hat SSO | | |
254
254
| /auth? | | |
255
255
| response_type=code | | |
256
-
| client_id=<dcr_id> | | |
256
+
| client_id=<ge_id> | | |
257
257
| redirect_uri=<uri> | | |
258
258
| scope=openid | | |
259
259
| agent:insights | | |
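Review bot: the placeholder at line 256 becomes `<ge_id>`, but the same credential is written `<ge_client_id>` in the token request at line 283 of this diagram; since the commit is about naming consistency, use `<ge_client_id>` here as well so a reader can match the authorization request and the token request to one client.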
@@ -280,8 +280,8 @@ Customer User Gemini Enterprise Red Hat SSO (Keycloak)
280
280
| | authorization_code | |
281
281
| | code=<auth_code> | |
282
282
| | redirect_uri=<callback> | |
283
-
| | client_id=<dcr_client_id> | |
284
-
| | client_secret=<dcr_secret> | |
283
+
| | client_id=<ge_client_id> | |
284
+
| | client_secret=<ge_secret> | |
285
285
| |----------------------------->| |
286
286
| | | |
287
287
| |<-- { | |
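Review bot: `<ge_secret>` at line 284 breaks the pair formed with `<ge_client_id>` on the line above; `<ge_client_secret>` would mirror both that placeholder and the `client_id` / `client_secret` wording used in the credentials table later in this file.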
@@ -304,8 +304,9 @@ Customer User Gemini Enterprise Red Hat SSO (Keycloak)
304
304
2. Gemini Enterprise redirects the user's browser to the Red Hat SSO
305
305
authorization endpoint with:
306
306
-`response_type=code` (authorization code flow)
307
-
-`client_id` = the DCR-created (or static) client ID linked to this order
308
-
-`redirect_uri` = Gemini Enterprise's callback URL (from the DCR
307
+
-`client_id` = the Gemini Enterprise client ID linked to this order
308
+
(created via DCR or provided as static credentials)
309
+
-`redirect_uri` = Gemini Enterprise's callback URL (from the registration
309
310
`redirect_uris`)
310
311
-`scope` = `openid agent:insights`
311
312
-`state` = CSRF protection token
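Review bot: the `redirect_uri` bullet at lines 309-310 says the value comes from the registration `redirect_uris` but does not say that the authorization server rejects a `redirect_uri` that does not exactly match a registered value; one clause there would make clear that the registered list, not the value in the request, is the security boundary. Separately, the continuation line `(created via DCR or provided as static credentials)` at line 308 is not indented under its bullet; GitHub renders it as a lazy continuation today, but indenting it keeps the list intact through later edits.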
@@ -356,7 +357,7 @@ Gemini Enterprise Lightspeed Agent Red Hat
356
357
| |<-- { |
357
358
| | "active": true, |
358
359
| | "sub": "<user-id>", |
359
-
| | "azp": "<dcr-client-id>", |
360
+
| | "azp": "<ge-client-id>", |
360
361
| | "scope": "openid agent:insights",|
361
362
| | "preferred_username": "jdoe", |
362
363
| | "email": "jdoe@example.com", |
@@ -368,8 +369,8 @@ Gemini Enterprise Lightspeed Agent Red Hat
368
369
| |-- Verify "agent:insights" in scopes |
369
370
| | |
370
371
| |-- Resolve order: |
371
-
| | azp (dcr-client-id) |
372
-
| | → DCR DB lookup → order_id |
372
+
| | azp (ge-client-id) |
373
+
| | → credentials DB → order_id |
373
374
| | → Entitlement DB → state == ACTIVE |
374
375
| | |
375
376
| |-- Store token in ContextVar |
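Review bot: "credentials DB" at line 373 now has to cover both DCR-created and static (Option B) clients, but neither this diagram nor the prose says how a static client_id gets into that table; since the `azp` to `order_id` mapping is what gates access before the ACTIVE check at line 374, add a sentence on how Option B credentials are recorded, and state that an `azp` with no row falls through to the same 403 as an inactive order.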
@@ -392,7 +393,7 @@ Gemini Enterprise Lightspeed Agent Red Hat
392
393
endpoint (`/protocol/openid-connect/token/introspect`). The agent
393
394
authenticates this call using its **own** credentials
394
395
(`RED_HAT_SSO_CLIENT_ID` / `RED_HAT_SSO_CLIENT_SECRET`), not the
395
-
DCR-created credentials. This is the standard Resource Server pattern —
396
+
Gemini Enterprise credentials. This is the standard Resource Server pattern —
396
397
the agent's client credentials give it permission to introspect any
397
398
token issued within the realm.
398
399
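Review bot: "not the Gemini Enterprise credentials" at line 396 is correct but ambiguous, because Gemini Enterprise never holds the agent's credentials either; "not the client credentials issued to Gemini Enterprise" says which set is meant.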
@@ -402,8 +403,8 @@ Gemini Enterprise Lightspeed Agent Red Hat
402
403
If missing, the agent returns `403 Forbidden`.
403
404
404
405
d. **Resolves the order**: Uses the `azp` (authorized party) claim from
405
-
the introspection response — this is the `client_id` of the DCR-created
406
-
client — to look up the corresponding `order_id` in the DCR database.
406
+
the introspection response — this is the Gemini Enterprise `client_id`
407
+
— to look up the corresponding `order_id` in the credentials database.
407
408
Then verifies the marketplace entitlement for that `order_id` is in
408
409
`ACTIVE` state. If the order is not found or not active, the agent
409
410
returns `403 Forbidden`.
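Review bot: the failure cases at lines 409-410 cover "order not found" and "not active" but not a missing or empty `azp` claim; since the lookup at lines 405-407 is keyed on it, state explicitly that a token whose introspection response lacks `azp` also yields `403 Forbidden`, so the check is documented as fail-closed.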
@@ -418,7 +419,7 @@ Gemini Enterprise Lightspeed Agent Red Hat
418
419
| Credential | Owner | Purpose |
419
420
|---|---|---|
420
421
|`RED_HAT_SSO_CLIENT_ID` / `RED_HAT_SSO_CLIENT_SECRET`| The agent itself (Resource Server) | Authenticating to the introspection endpoint to validate incoming Bearer tokens |
421
-
|DCR`client_id` / `client_secret`| Gemini Enterprise (OAuth Client) | Obtaining access tokens on behalf of users via the authorization code flow |
422
+
|GE`client_id` / `client_secret`| Gemini Enterprise (OAuth Client) | Obtaining access tokens on behalf of users via the authorization code flow |
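Review bot: the new row at line 422 renders as the letters GE immediately followed by the `client_id` code span, same as the old DCR row did; insert a space after GE, and consider writing "Gemini Enterprise" once in this cell so the GE abbreviation is defined where the table is read on its own.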