Context
stacklok/toolhive#4862 adds additionalAuthorizationParams to OIDC and OAuth2 upstream provider configs. This enables passing custom query parameters in authorization requests — the primary use case being Google's access_type=offline for obtaining refresh tokens.
What needs documenting
Add a Google-specific example showing how to configure additionalAuthorizationParams for Google OAuth upstream providers. The example should cover:
- Setting access_type: "offline" and prompt: "consent" to ensure Google returns a refresh token
- Setting explicit scopes to avoid sending both the standard offline_access scope and Google's access_type=offline (they serve the same purpose via different mechanisms)
- A note explaining which reserved parameters are blocked (response_type, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method, nonce)
Example CRD snippet:
upstreamProviders:
  - name: google
    type: oidc
    oidcConfig:
      issuerURL: https://accounts.google.com
      clientId: <google-client-id>
      scopes:
        - openid
        - email
        - profile
        - https://www.googleapis.com/auth/drive.file
      additionalAuthorizationParams:
        access_type: "offline"
        prompt: "consent"
Related
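The reserved-parameter rule listed above, sketched as an added example: this is not code from the issue or from ToolHive itself, and the function names, error text and sample values are hypothetical. It rejects any additional parameter that would override a value the authorization flow sets itself, then merges the rest into the request query.

```go
package main

import (
	"fmt"
	"net/url"
)

// reservedParams are the names the issue lists as blocked, in the issue's order.
var reservedParams = []string{
	"response_type", "client_id", "redirect_uri", "scope",
	"state", "code_challenge", "code_challenge_method", "nonce",
}

// ValidateAdditionalParams returns an error naming every reserved key in extra.
func ValidateAdditionalParams(extra map[string]string) error {
	var bad []string
	for _, name := range reservedParams {
		if _, ok := extra[name]; ok {
			bad = append(bad, name)
		}
	}
	if len(bad) > 0 {
		return fmt.Errorf("reserved authorization parameters not allowed: %v", bad)
	}
	return nil
}

// BuildAuthQuery validates extra, then merges it with the flow's own parameters.
func BuildAuthQuery(core, extra map[string]string) (string, error) {
	if err := ValidateAdditionalParams(extra); err != nil {
		return "", err
	}
	q := url.Values{}
	for _, m := range []map[string]string{core, extra} {
		for k, v := range m {
			q.Set(k, v)
		}
	}
	return q.Encode(), nil // Encode sorts keys, so the output is deterministic
}

func main() { // constructed sample values
	core := map[string]string{"response_type": "code", "client_id": "example-client", "state": "constructed-state"}
	fmt.Println(BuildAuthQuery(core, map[string]string{"access_type": "offline", "prompt": "consent"}))
	fmt.Println(BuildAuthQuery(core, map[string]string{"state": "overridden"}))
}
```

The second call fails: letting configuration replace state, nonce, redirect_uri or the PKCE challenge would defeat the protections those values provide.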