AgileData.io Docs

2026-05-08 - Full Authentication Migration to the Identity Service

Release

AgileData.io - One Auth Layer to Rule Them All: APIs and WebSockets Now Use the Identity Service

With the identity service launched in May, the rest of the AgileData platform has been updated to authenticate through it consistently. This month’s work migrated the APIs, MCP server, and WebSocket connections away from their previous authentication mechanisms and onto Firebase/GCIP tokens issued by the identity service.

MCP server authentication — The MCP backend no longer handles OAuth itself. Authentication is now delegated entirely to the identity service, which issues Firebase ID tokens that the MCP backend verifies using the RemoteAuthProvider (Firebase token verification with IAP fallback). This removes duplicated auth logic and ensures MCP clients authenticate through the same path as browser users.

Entra group claims in Spanner — For Microsoft (SAML) users, group memberships from Azure Active Directory now flow all the way through to the AgileData users table in Spanner. When a Microsoft user signs in, their Entra group GUIDs are extracted from the SAML assertion and written to the external_groups column. This happens automatically on every login, so group changes in Entra are reflected the next time the user signs in — no separate sync job needed.
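The group-extraction step described above can be sketched as follows. This is an added example, not AgileData's code. It assumes the SAML attributes reach the backend in the `firebase.sign_in_attributes` claim of an already verified ID token; the function name, the sample claims and the fail-closed choices are illustrative. It also covers the case where Entra sends a groups link claim in place of the group list for users in many groups, which an overwrite-on-every-login scheme must not read as "no groups".

```python
import re

# Claim URIs Microsoft Entra ID uses in SAML assertions.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Sent instead of the groups claim when the user exceeds the SAML group limit.
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)

class GroupOverage(Exception):
    """The IdP omitted the group list; stored groups must not be overwritten."""

def external_groups_from_claims(claims):
    """Return normalized group GUIDs to store, or None for non-SAML logins.

    `claims` must be the payload of an ID token whose signature, issuer,
    audience and expiry have ALREADY been verified by the caller.
    """
    firebase = claims.get("firebase", {})
    if not str(firebase.get("sign_in_provider", "")).startswith("saml."):
        return None  # not a SAML login: leave the stored column untouched
    attrs = firebase.get("sign_in_attributes") or {}
    if OVERAGE_CLAIM in attrs:
        raise GroupOverage("group list replaced by a link claim")
    raw = attrs.get(GROUPS_CLAIM, [])
    if isinstance(raw, str):  # a single-valued attribute may arrive as a string
        raw = [raw]
    groups = set()
    for value in raw:
        if not isinstance(value, str) or not GUID_RE.fullmatch(value.strip()):
            # Fail closed: anything that is not a GUID is never stored.
            raise ValueError(f"non-GUID group value rejected: {value!r}")
        groups.add(value.strip().lower())
    return sorted(groups)

# Constructed sample payload (not real data): duplicate GUID in mixed case.
SAMPLE_CLAIMS = {
    "sub": "constructed-user",
    "firebase": {
        "sign_in_provider": "saml.example-entra",
        "sign_in_attributes": {
            GROUPS_CLAIM: [
                "6F9619FF-8B86-D011-B42D-00C04FC964FF",
                "1b4e28ba-2fa1-11d2-883f-0016d3cca427",
                "6f9619ff-8b86-d011-b42d-00c04fc964ff",
            ],
        },
    },
}

if __name__ == "__main__":
    print(external_groups_from_claims(SAMPLE_CLAIMS))
```
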

Secure WebSocket bearer tokens — WebSocket connections in both the frontend and backend functions now authenticate with a bearer token rather than relying on cookie-based session state. The token is fetched from the GCIP API using the Firebase API key and refreshed automatically (see the WebSocket auto-refresh release note). This closes the last gap in the bearer-token-first authentication architecture.

What’s New:

  • MCP server authentication fully delegated to the identity service (Firebase token verification)

  • Entra/Azure AD group memberships stored in Spanner external_groups on every login

  • WebSocket connections secured with GCIP bearer tokens throughout

  • Google Cloud IAP token creation added using the Firebase GCIP API key

  • Invite emails updated to reference the new GCIP-based login flow

What this means for you:

  • Consistent, reliable authentication for all paths into AgileData — browser, MCP, and WebSocket

  • Microsoft users’ Entra group memberships automatically govern their AgileData access

  • A simpler, more auditable authentication architecture with fewer moving parts

Last Refreshed

Doc Refreshed: 2026-05-08