feat: add OIDC SSO support for Google Meet bot login #710
Hi @degitgitagitya, thanks for the PR! When I first added the signed-in Google bot feature, I was wondering if maybe OIDC was the way to go instead of SAML, glad to hear that it works. Will give this a more detailed review when we have more time.
Hi @noah-duncan, sure, take your time! Since custom OIDC SSO for Google is relatively new (GA'd November 2025), this might actually be one of the first implementations in a meeting bot use case.
Merges attendee-labs#710
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add OIDC as an alternative SSO method for Google Meet bot login, keeping existing SAML support fully intact. OIDC is simpler to set up (no certificate generation or xmlsec1 dependency required) and is recommended for new deployments.
Changes:
- Add sso_mode field to GoogleMeetBotLogin model (default: "saml")
- Implement full OIDC IdP: discovery, authorize, token (with PKCE), JWKS, and userinfo endpoints
- Add RSA key management for JWT signing (oidc_keys.py)
- Update bot adapter to branch Chrome options by sso_mode
- Add email entry automation for OIDC Google sign-in flow
- Update login creation UI with SAML/OIDC radio toggle
- Add OIDC credentials modal for auto-generated client_id/secret
- Add comprehensive OIDC test suite (17 tests) alongside SAML tests
- Update documentation with OIDC setup instructions
- Validate response_type=code and require redirect_uri per RFC
- Fail loudly when OIDC keys not configured in production
Hey @degitgitagitya thanks again for the PR. Just had a few questions on this before we incorporate it into our codebase.
Background
Our company has been using Attendee in production and it has been a great foundation for our meeting bot infrastructure. One of the key requirements for our deployment is SSO support for Google Meet bot login — specifically via OIDC (OpenID Connect), which is simpler to set up compared to SAML (no certificate generation or xmlsec1 dependency required).
We've been running this feature in our internal fork for a while and would like to contribute it back to the community.
What this PR does
Adds OIDC as an alternative SSO method for GoogleMeetBotLogin, while keeping the existing SAML support fully intact. New deployments can opt into OIDC via a sso_mode field.
Changes:
sso_mode field to GoogleMeetBotLogin model (default: "saml" for backwards compatibility)
oidc_keys.py)
sso_mode
client_id/secret
response_type=code and require redirect_uri per RFC
Motivation: Google Workspace now supports custom OIDC profiles for SSO
As per the Google Workspace announcement (November 2025), Single Sign-On with custom OpenID Connect profiles is now generally available. Admins can now set up a custom OIDC profile for SSO with Google as the service provider — previously, only SAML and OIDC with pre-configured Microsoft Entra ID were supported.
This means Google Meet bot login via OIDC SSO is now a fully supported and recommended path for Google Workspace customers. This PR aligns Attendee with that capability, allowing bots to authenticate via a custom OIDC identity provider configured by the admin.
Backwards Compatibility
Fully backwards compatible — existing SAML configurations are unaffected. The default sso_mode is "saml".
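An added illustration (not code from this PR or from the Attendee project) of two checks the change list names: rejecting authorization requests that lack redirect_uri or whose response_type is not code, and verifying the PKCE code_verifier at the token endpoint. The function names, the example.test URI and the choice to accept only the S256 method are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import string

# RFC 7636 section 4.1: code_verifier uses unreserved characters, 43 to 128 long.
_VERIFIER_CHARS = set(string.ascii_letters + string.digits + "-._~")


def validate_authorize_request(params, registered_redirect_uris):
    """Return an OAuth error code for a bad authorization request, else None."""
    redirect_uri = params.get("redirect_uri")
    # Check redirect_uri first and by exact match: an error must never be
    # redirected to a URI the client did not register.
    if not redirect_uri or redirect_uri not in registered_redirect_uris:
        return "invalid_request"
    if params.get("response_type") != "code":
        return "unsupported_response_type"
    # Assumption of this sketch: only S256 challenges are accepted.
    if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
        return "invalid_request"
    return None


def s256_challenge(code_verifier):
    """BASE64URL(SHA256(code_verifier)) without padding, per RFC 7636."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(code_verifier, stored_challenge):
    """Token-endpoint check: does the verifier match the challenge stored with the code?"""
    if not code_verifier or not 43 <= len(code_verifier) <= 128:
        return False
    if not set(code_verifier) <= _VERIFIER_CHARS:
        return False
    # Constant-time comparison of the recomputed and stored challenges.
    return hmac.compare_digest(
        s256_challenge(code_verifier).encode(), stored_challenge.encode()
    )


# Constructed sample input: the verifier/challenge pair is the RFC 7636
# Appendix B test vector; the redirect URI is a placeholder.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
REGISTERED = {"https://sp.example.test/callback"}
SAMPLE_REQUEST = {
    "response_type": "code",
    "redirect_uri": "https://sp.example.test/callback",
    "code_challenge": RFC_CHALLENGE,
    "code_challenge_method": "S256",
}
```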