Adds a new 'gemini_oauth' provider that lets users authenticate with their Google account via OAuth to use Gemini models, without needing an API key. Uses the same OAuth client credentials as the Gemini CLI (public installed-app credentials).

Implements PKCE authorization code flow with local callback server, token caching, and automatic refresh.

Talks to Google's Code Assist API (cloudcode-pa.googleapis.com) which is the same backend the Gemini CLI uses for OAuth-based access. The generativelanguage.googleapis.com API only supports API key auth for content generation, so Code Assist is the correct endpoint for OAuth.

Handles user onboarding via loadCodeAssist/onboardUser for first-time setup, and caches the project ID alongside tokens.

Wraps requests in the Code Assist envelope format and unwraps SSE response chunks so the existing Google format parser can handle them.

Also adds canonical model name mapping so gemini_oauth models resolve correctly in the model registry.

Signed-off-by: Michael Neale <[email protected]>
| @@ -1 +1 @@ | |||
| .node-24.10.0.pkg No newline at end of file | |||
Can we upgrade Node in a separate PR? We need to change the version in other places, such as Windows.
Pull request overview
Adds a new gemini_oauth provider to enable Google-account OAuth (PKCE) sign-in for Gemini access via the internal Code Assist API, and wires it into provider discovery/selection.
Changes:
- Introduces `GeminiOAuthProvider` with OAuth + token caching/refresh and Code Assist request/stream adaptation.
- Registers the new provider in the provider module/registry and maps `gemini_oauth` to the `google` canonical provider name.
- Updates hermit Node toolchain pointers to Node `24.14.1`.
Reviewed changes
Copilot reviewed 4 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| crates/goose/src/providers/gemini_oauth.rs | New OAuth-based Gemini provider using Code Assist API, including caching and SSE adaptation. |
| crates/goose/src/providers/mod.rs | Exposes the new provider module. |
| crates/goose/src/providers/init.rs | Registers GeminiOAuthProvider in the provider registry. |
| crates/goose/src/providers/canonical/name_builder.rs | Canonical provider-name mapping for gemini_oauth. |
| bin/node | Points node shim to .node-24.14.1.pkg. |
| bin/npm | Points npm shim to .node-24.14.1.pkg. |
| bin/npx | Points npx shim to .node-24.14.1.pkg. |
| bin/corepack | Points corepack shim to .node-24.14.1.pkg. |
| bin/.node-24.14.1.pkg | Adds the hermit-generated package bootstrap script for Node 24.14.1. |
| let mut request = reqwest::Client::new() | ||
| .post(&url) | ||
| .header( | ||
| "Authorization", | ||
| format!("Bearer {}", setup.token.access_token), | ||
| ) | ||
| .header("Content-Type", "application/json"); |
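Review bot: The `.header("Authorization", format!("Bearer {}", setup.token.access_token))` call sets the access token as an ordinary header value, so the token is printed in full wherever the request or its headers are formatted with `{:?}`. reqwest's `.bearer_auth(&setup.token.access_token)` builds the same header and marks the value sensitive, which keeps it out of debug output; please use that here.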
The Code Assist HTTP calls create a fresh reqwest::Client without a configured timeout, which can disable connection pooling and potentially hang indefinitely on network stalls; consider reusing a single client (e.g., stored on the provider/token provider) built with an explicit timeout consistent with other providers’ 600s default.
| if tier.id.is_some() { | ||
| return Err(anyhow!( | ||
| "Your Google account is set up for Gemini but no project was returned. \ | ||
| You may need to set GOOGLE_CLOUD_PROJECT environment variable." |
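Review bot: The condition `if tier.id.is_some()` tests the tier, while the error it returns reports that no project was returned; nothing in these lines explains the link between the two. Please add a one-line comment above the `if` saying why a present tier ID means onboarding has already happened and a project should exist, so the branch is not mistaken for an inverted check.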
This error message suggests setting GOOGLE_CLOUD_PROJECT, but this provider never reads that environment variable and always uses the project ID from loadCodeAssist/onboardUser; either implement an override using that env var or adjust the message to reflect the actual recovery path.
| You may need to set GOOGLE_CLOUD_PROJECT environment variable." | |
| Please verify your Gemini and Google Cloud project configuration and try again." |
| registry.register::<DatabricksProvider>(true); | ||
| registry.register::<GcpVertexAIProvider>(false); | ||
| registry.register::<GeminiCliProvider>(false); | ||
| registry.register::<GeminiOAuthProvider>(true); | ||
| registry.register::<GithubCopilotProvider>(false); |
The PR description says this provider should replace gemini_cli and gemini_acp, but both are still registered in the provider registry; either update the description or remove/mark those providers as deprecated/hidden so users aren’t still presented with the old options.
…ert node bump

- Replace per-request reqwest::Client::new() with shared HTTP_CLIENT (600s timeout)
- Fix misleading GOOGLE_CLOUD_PROJECT error message
- Remove gemini_acp provider (deleted, unregistered, test removed)
- Update gemini_cli deprecation to point to gemini_oauth
- Revert unintended node 24.10.0 -> 24.14.1 upgrade in bin/
- Rename Google Gemini display name to Google Gemini (API Key)

Signed-off-by: Michael Neale <[email protected]>
* main: (337 commits)
  fix: replace panics with user-friendly errors in CLI session builder (#7901)
  fix: read GOOSE_CONTEXT_LIMIT from config.yaml, not just env vars (#7900)
  fix: deliver truncation notice as separate content block (#7899)
  fix: use platform-appropriate commands in developer extension instructions (#7898)
  fix: replace any with proper SVG types in icon components (#7873)
  chore: remove debug console.log statements, stale comments, and dead code (#8142)
  feat: Gemini OAuth provider (#8129)
  chore(deps): bump picomatch from 2.3.1 to 2.3.2 in /documentation (#8123)
  feat: show installed skills in UI (#7910)
  fix(deps): gate keyring platform features behind target-specific deps (#8039)
  chore(deps): bump yaml from 2.8.2 to 2.8.3 in /evals/open-model-gym/suite (#8124)
  fix: strip message wrapper in CLI session title generation (#7996)
  fix(providers): fall back to configured models when models endpoint fetch fails (#7530)
  chore(deps): bump brace-expansion from 5.0.3 to 5.0.5 in /evals/open-model-gym/suite (#8139)
  fix: prevent Ollama provider from hanging on tool-calling requests (#7723)
  fix: VMware Tanzu Platform provider - bug fixes, streaming, UI improvements (#8126)
  feat: allow GOOSE_CLI_SHOW_THINKING to be set in config.yaml (#8097)
  fix: GitHub Copilot auth fails to open browser in Desktop app (#6957) (#8019)
  fix(ci): produce .tar.gz archives for Zed ACP registry compatibility (#8054)
  feat: add GOOSE_SHOW_FULL_OUTPUT config to disable tool output truncation (#7919)
  ...

# Conflicts:
# crates/goose/src/providers/formats/openai.rs
Signed-off-by: Michael Neale <[email protected]> Signed-off-by: Cameron Yick <[email protected]>
This is, similar to ChatGPT, using Gemini OAuth PKCE to log in to get access to the API.
This should replace gemini cli and gemini acp providers.
What
Adds a new `gemini_oauth` provider that lets users sign in with their Google account to use Gemini models — no API key needed.

How it works
OAuth flow — Opens browser for Google sign-in, runs a local callback server, exchanges the auth code for tokens using PKCE. Uses the same public installed-app OAuth credentials as the Gemini CLI.
Code Assist API — Talks to `cloudcode-pa.googleapis.com` (the same backend the Gemini CLI uses for "Login with Google"). The standard `generativelanguage.googleapis.com` API does not accept OAuth tokens for content generation — it is API-key only.
User onboarding — First-time users go through `loadCodeAssist`/`onboardUser` to get a project ID, cached alongside tokens at `~/.config/goose/gemini_oauth/tokens.json`.
Request/response adaptation — Wraps outgoing requests in the Code Assist envelope format and unwraps incoming SSE response chunks so the existing Google format parser handles the actual content unchanged.
Token management — Automatic caching, refresh, and re-auth if refresh fails.

Files changed
- `crates/goose/src/providers/gemini_oauth.rs` — new provider (~800 lines)
- `crates/goose/src/providers/mod.rs` — module registration
- `crates/goose/src/providers/init.rs` — provider registration (visible to users)
- `crates/goose/src/providers/canonical/name_builder.rs` — maps `gemini_oauth` → `google` for model name resolution

Context
The Gemini CLI's "Login with Google" OAuth flow does NOT use the public Gemini API. It uses Google's internal Code Assist API, which has a different request envelope format (wraps the standard Gemini request body) and requires user onboarding. This provider replicates that flow in Rust.
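The token cache described under "User onboarding" and "Token management" holds a refresh token on disk, so how the file is created and re-read matters. The following is an added example, not code from this PR or from goose, of writing and loading such a cache with owner-only permissions on Unix; `save_token_cache` and `load_token_cache` are hypothetical names, and the directory and token values are constructed placeholders.

```rust
// Added example, not goose's code: owner-only storage for an OAuth token cache (Unix).
use std::fs::{self, DirBuilder, File, OpenOptions};
use std::io::{self, Read, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Hypothetical helper: write `json` so no other local user can read it at any point.
pub fn save_token_cache(path: &Path, json: &str) -> io::Result<()> {
    let dir = path
        .parent()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "path has no parent"))?;
    // Directories created here get 0700; directories that already exist are left as they are.
    DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
    let tmp = path.with_extension("tmp");
    let _ = fs::remove_file(&tmp); // leftover from an interrupted write, if any
    // O_EXCL + mode: the file is created 0600 and a pre-planted file or symlink is refused.
    let mut f = OpenOptions::new().write(true).create_new(true).mode(0o600).open(&tmp)?;
    f.write_all(json.as_bytes())?;
    f.sync_all()?;
    // rename() is atomic: a reader sees the old cache or the new one, never half a file.
    fs::rename(&tmp, path)
}

/// Hypothetical helper: read the cache, refusing one that group or others can access.
pub fn load_token_cache(path: &Path) -> io::Result<String> {
    let mut f = File::open(path)?;
    // fstat on the open handle, so the check applies to the bytes actually read.
    let meta = f.metadata()?;
    let mode = meta.permissions().mode() & 0o777;
    if !meta.is_file() || mode & 0o077 != 0 {
        let msg = format!("token cache rejected (mode {:o})", mode);
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, msg));
    }
    let mut json = String::new();
    f.read_to_string(&mut json)?;
    Ok(json)
}

fn main() -> io::Result<()> {
    // Constructed sample: throwaway directory, placeholder token values.
    let base = std::env::temp_dir().join(format!("token-cache-demo-{}", std::process::id()));
    let path = base.join("gemini_oauth").join("tokens.json");
    save_token_cache(&path, r#"{"access_token":"PLACEHOLDER","refresh_token":"PLACEHOLDER"}"#)?;
    println!("owner-only cache: {} bytes", load_token_cache(&path)?.len());
    fs::set_permissions(&path, fs::Permissions::from_mode(0o644))?;
    println!("after chmod 644: {:?}", load_token_cache(&path).map(|_| ()));
    fs::remove_dir_all(&base)
}
```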