@@ -16,8 +16,8 @@ through to authenticated API calls.
1616| ** Gemini Enterprise** | Google's AI platform that acts as the ** OAuth 2.0 Client** |
1717| ** Red Hat SSO (Keycloak)** | The ** OAuth 2.0 Authorization Server** that issues and validates tokens |
1818| ** Lightspeed Agent** | The ** OAuth 2.0 Resource Server** that serves A2A requests |
19- | ** MCP Server ** | Downstream tool server that provides access to Red Hat Lightspeed APIs |
20-
19+ | ** Agent (Marketplace Handler) ** | Manages marketplace subscriptions, entitlements, and credential registration (DCR / static) |
20+ | ** Red Hat Lightspeed MCP Server ** | Downstream tool server that provides access to Red Hat Lightspeed APIs |
2121---
2222
2323## Step 1 — Subscription (Entitlement Creation)
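Review bot: removing old line 20 leaves the last table row immediately followed by the `---` rule; keep an empty line between the `Red Hat Lightspeed MCP Server` row and `---` so Markdown renderers reliably close the table before the thematic break. The new `Agent (Marketplace Handler)` row is also the only one that states no OAuth 2.0 role; since the `Lightspeed Agent` row above it is described as the Resource Server, say whether the marketplace handler is a separate service or a component of that same agent.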
@@ -138,60 +138,96 @@ client credentials in Red Hat SSO and provide them during registration. This
138138is the current default mode.
139139
140140```
141- Customer Admin Google Card Form Gemini Enterprise Agent (Marketplace Handler) Red Hat SSO
142- | | | | |
143- |-- Open agent card ---->| | | |
144- | | | | |
145- | (Card displays | | | |
146- | client_id and | | | |
147- | client_secret | | | |
148- | fields to fill in) | | | |
149- | | | | |
150- |-- Copy client_id and | | | |
151- | client_secret from | | | |
152- | Red Hat SSO ---------|----------------------->| | |
153- | | | | |
154- | | |-- POST /dcr | |
155- | | | { software_statement, | |
156- | | | client_id, | |
157- | | | client_secret } ------>| |
158- | | | | |
159- | | | |-- Validate Google JWT |
160- | | | |-- Validate account/order |
161- | | | | |
162- | | | |-- POST /token |
163- | | | | grant_type= |
164- | | | | client_credentials ---->|
165- | | | | |-- Validate
166- | | | |<-- 200 OK ----------------| credentials
167- | | | | |
168- | | | |-- Encrypt & store |
169- | | | | credentials |
170- | | | | (linked to order_id) |
171- | | | | |
172- | | |<-- { client_id, | |
173- | | | client_secret, | |
174- | | | expires_at: 0 } ------| |
141+ Customer Admin Red Hat Google Form Google Card Form Gemini Enterprise Agent (Marketplace Handler) Red Hat SSO
142+ | | | | | |
143+ |-- Fill in request --->| | | | |
144+ | form (org details, | | | | |
145+ | contact info) | | | | |
146+ | |-- Request processed | | | |
147+ | | by Red Hat team | | | |
148+ | | | | | |
149+ |<-- Email with | | | | |
150+ | client_id and | | | | |
151+ | client_secret -------| | | | |
152+ | | | | | |
153+ | [Credentials received — proceed to register] | | | |
154+ | | | | | |
155+ |-- Open agent card -----|----------------------->| | | |
156+ | | | | | |
157+ | | | (Card displays | | |
158+ | | | client_id and | | |
159+ | | | client_secret | | |
160+ | | | fields to fill in) | | |
161+ | | | | | |
162+ |-- Enter client_id and | | | | |
163+ | client_secret from | | | | |
164+ | email ---------------|----------------------->| | | |
165+ | | | | | |
166+ |-- Submit form ---------|----------------------->| | | |
167+ | | |-- Register agent ----->| | |
168+ | | | | | |
169+ | | | |-- POST /dcr | |
170+ | | | | { software_statement, | |
171+ | | | | client_id, | |
172+ | | | | client_secret } ------>| |
173+ | | | | | |
174+ | | | | |-- Validate Google JWT |
175+ | | | | | (verify signature, |
176+ | | | | | issuer, audience, |
177+ | | | | | extract claims: |
178+ | | | | | account_id, order_id) |
179+ | | | | | |
180+ | | | | |-- Validate account_id |
181+ | | | | | is ACTIVE |
182+ | | | | |-- Validate order_id |
183+ | | | | | is ACTIVE |
184+ | | | | | |
185+ | | | | |-- POST /token |
186+ | | | | | grant_type= |
187+ | | | | | client_credentials ---->|
188+ | | | | | |-- Validate
189+ | | | | |<-- 200 OK ----------------| credentials
190+ | | | | | |
191+ | | | | |-- Encrypt & store |
192+ | | | | | credentials |
193+ | | | | | (linked to order_id) |
194+ | | | | | |
195+ | | | |<-- { client_id, | |
196+ | | | | client_secret, | |
197+ | | | | client_secret_ | |
198+ | | | | expires_at: 0 } ------| |
175199```
176200
177201** What happens:**
178202
179- 1 . The customer admin opens the agent's card in Gemini Enterprise. The card
203+ 1 . ** Credential request (prerequisite):** Before registering the agent, the
204+ customer admin must obtain OAuth client credentials from Red Hat. This is
205+ done by filling in the
206+ [ Red Hat credential request form] ( https://forms.gle/PLACEHOLDER ) with
207+ the required organization details and contact information. The Red Hat
208+ team processes the request, provisions the OAuth client in Red Hat SSO,
209+ and sends the ` client_id ` and ` client_secret ` to the customer admin
210+ ** using Bitwarden Send url via email** .
211+
212+ > ** Note:** This is a one-time provisioning step. The customer admin
213+ > must complete this form and wait to receive the credentials by email
214+ > before proceeding with agent registration in Gemini Enterprise.
215+
216+ 2 . The customer admin opens the agent's card in Gemini Enterprise. The card
180217 displays a registration form with fields for ` client_id ` and
181218 ` client_secret ` .
182- 2 . The customer admin obtains these credentials from their Red Hat SSO
183- instance (or from the Red Hat team that pre-provisioned them) and enters
184- them into the form.
185- 3 . Gemini Enterprise sends a ` POST /dcr ` request that includes both the
219+ 3 . The customer admin enters the ` client_id ` and ` client_secret ` received
220+ via email from Red Hat into the form.
221+ 4 . Gemini Enterprise sends a ` POST /dcr ` request that includes both the
186222 ` software_statement ` JWT and the ` client_id ` / ` client_secret ` in the
187223 request body.
188- 4 . The agent validates the Google JWT and the account/order state (same as
224+ 5 . The agent validates the Google JWT and the account/order state (same as
189225 DCR mode).
190- 5 . The agent validates the provided credentials by performing a
226+ 6 . The agent validates the provided credentials by performing a
191227 ` client_credentials ` grant against the Red Hat SSO token endpoint. If the
192228 grant succeeds, the credentials are confirmed valid.
193- 6 . The agent encrypts and stores the credentials linked to the ` order_id ` .
194- 7 . Returns the credentials back to Gemini Enterprise.
229+ 7 . The agent encrypts and stores the credentials linked to the ` order_id ` .
230+ 8 . Returns the credentials back to Gemini Enterprise.
195231
196232---
197233
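Review bot: the credential request link on new line 206 is `https://forms.gle/PLACEHOLDER`; it has to be replaced with the real form URL (or flagged as TODO in the text) before merge, because a customer admin following step 1 cannot complete the prerequisite without it. Two consistency points in the same hunk: the prose says the secret is delivered "using Bitwarden Send url via email" (suggest "using a Bitwarden Send URL sent by email"), but the diagram arrow `Email with client_id and client_secret` reads as if the secret travels in the mail body, so relabel it to something like `Email with Bitwarden Send link`; and step 8 still says only "Returns the credentials back" although the response in the diagram now carries `client_secret_expires_at: 0`, so name that field in the step and say what `0` means there.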
@@ -432,6 +468,10 @@ The MCP header provider uses a two-tier priority system:
432468 ` lightspeed-client-secret ` ). This mode uses a dedicated service account
433469 for all MCP calls regardless of the end user.
434470
471+ > ** Note:** This mode is not used in the Google Cloud Marketplace
472+ > deployment, since the agent serves multiple customers from a shared
473+ > instance and does not have per-customer environment variables.
474+
4354752 . ** Priority 2 — Token pass-through** : If no service account credentials are
436476 configured, the agent forwards the caller's Bearer token (stored in the
437477 request-scoped ` ContextVar ` during middleware processing) as an
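Review bot: the note on new lines 471-473 explains why Priority 1 is unused but not what the shared instance must do if the service-account settings (ending with `lightspeed-client-secret`) are nonetheless configured; because Priority 1 uses one service account "for all MCP calls regardless of the end user", a stray setting on the multi-customer instance would route every tenant's MCP calls through the same Red Hat credentials. Suggest stating that these variables must be left unset in the Marketplace deployment (or that startup rejects them there) and that marketplace customers' MCP calls therefore always take the token pass-through path.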
@@ -463,19 +503,22 @@ The MCP header provider uses a two-tier priority system:
463503 | in Red Hat SSO | | Bearer token
464504 v | 3a. Redirect to 4a. Agent introspects |
465505 order_id created 2b. [Static] Admin Red Hat SSO token using its 5a. MCP server
466- (ACTIVE state) gets client_id/ login page own credentials forwards to
467- secret from | | Lightspeed
468- Red Hat SSO 3b. User logs in 4b. Agent validates APIs
469- and enters with Red Hat scope and |
470- them in the credentials order status 5b. Lightspeed
471- Google card | | APIs validate
472- form 3c. Auth code 4c. Request proceeds token/creds
473- | exchanged for if valid |
474- 2c. Credentials access token | 5c. Response
475- validated and | v flows back
476- stored (linked 3d. Access token Order-bound, to user
477- to order_id) ready to use scope-validated
478- request
506+ (ACTIVE state) requests creds login page own credentials forwards to
507+ via Red Hat | | Lightspeed
508+ Google Form 3b. User logs in 4b. Agent validates APIs
509+ → receives with Red Hat scope and |
510+ client_id/secret credentials order status 5b. Lightspeed
511+ by email | | APIs validate
512+ | 3c. Auth code 4c. Request proceeds token/creds
513+ 2b'. Admin enters exchanged for if valid |
514+ credentials in access token | 5c. Response
515+ Gemini card | v flows back
516+ form 3d. Access token Order-bound, to user
517+ | ready to use scope-validated
518+ 2c. Credentials request
519+ validated and
520+ stored (linked
521+ to order_id)
479522```
480523
481524---
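Review bot: the new column label `2b'. Admin enters credentials` and the unlabeled form step break the `2a/2b/2c` lettering used in the rest of this overview; suggest `2b. Admin requests creds via form`, `2c. Admin enters credentials in Gemini card form`, `2d. Credentials validated and stored` so the static path reads in order. The `→ receives` line also introduces a non-ASCII arrow into an otherwise ASCII-only diagram; use `->` so column alignment stays predictable in monospace rendering. Finally, `receives client_id/secret by email` should say the credentials arrive via a Bitwarden Send link, matching step 1 of the static mode prose in this same commit.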