Troubleshoot Agent Identity authentication issues

This document describes how to resolve common errors that occur when you use Authentication using Agent Identity with the auth manager.

Redirect URI mismatch

If you receive a redirect URI mismatch error from the third-party application during the OAuth flow, ensure that the redirect URI registered in the third-party developer portal exactly matches the URI generated by the auth manager. OAuth servers compare redirect URIs as exact strings, so a different scheme, port, path case, or trailing slash is enough to cause the mismatch.

To find the generated redirect URI, view the auth provider details in the Google Cloud console or run the following gcloud command:

gcloud alpha agent-identity connectors describe AUTH_PROVIDER_NAME \
    --location="LOCATION"
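The following is an added example, not part of this page or of the gcloud tooling. It takes the redirect URI reported by the describe command and the value you registered in the third-party portal (both constructed inputs here) and reports the first differences it finds, so that a mismatch caused by a trailing slash, scheme, or port is obvious without eyeballing two long strings.

```python
from urllib.parse import urlsplit

# Added example: explain why a registered OAuth redirect URI fails an exact
# match against the one the auth manager generated. The sample URIs used in
# the tests and in __main__ are constructed, not real auth provider values.


def _parts(uri: str) -> dict:
    """Split a URI into the components OAuth servers compare."""
    p = urlsplit(uri.strip())
    return {
        "scheme": p.scheme,
        "host": p.hostname or "",  # urlsplit lowercases the host
        "port": p.port,
        "path": p.path,
        "query": p.query,
        "fragment": p.fragment,
    }


def diagnose_redirect_uri(generated: str, registered: str) -> list[str]:
    """Return human-readable mismatch reasons; an empty list means an exact match."""
    if generated == registered:
        return []
    reasons = []
    g, r = _parts(generated), _parts(registered)
    if g["scheme"] != r["scheme"]:
        reasons.append(f"scheme differs: generated {g['scheme']!r}, registered {r['scheme']!r}")
    if g["host"] != r["host"]:
        reasons.append(f"host differs: generated {g['host']!r}, registered {r['host']!r}")
    if g["port"] != r["port"]:
        reasons.append(f"port differs: generated {g['port']!r}, registered {r['port']!r}")
    if g["path"] != r["path"]:
        if g["path"].rstrip("/") == r["path"].rstrip("/"):
            reasons.append("path differs only by a trailing slash; register the exact path")
        else:
            reasons.append(f"path differs: generated {g['path']!r}, registered {r['path']!r}")
    if g["query"] != r["query"]:
        reasons.append(f"query string differs: generated {g['query']!r}, registered {r['query']!r}")
    if g["fragment"] or r["fragment"]:
        reasons.append("redirect URIs must not contain a fragment")
    if not reasons:
        # Components compare equal after normalization, so the raw strings
        # differ only in surrounding whitespace or host case.
        reasons.append("URIs differ only in whitespace or character case; copy the generated value verbatim")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the registered value carries a trailing slash.
    generated = "https://auth.example.com/oauth/callback"
    registered = "https://auth.example.com/oauth/callback/"
    for reason in diagnose_redirect_uri(generated, registered) or ["exact match"]:
        print(reason)
```

Paste the URI from the describe output as the first argument and the portal value as the second; any non-empty result is a reason the provider will reject the flow.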

Missing user role

If your agent can't use the auth provider, verify that the agent identity has the roles/iamconnectors.user role on the auth provider resource.

Issuer endpoint issues

For OIDC providers, verify that the issuer endpoint is publicly accessible and supports the .well-known/openid-configuration discovery document.

Google Cloud fetches both the discovery document and the JWKS that its jwks_uri points to from the public internet. If either fetch fails, ensure that neither endpoint is behind a firewall or restricted network.
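The following is an added example, not from this page or from any Google Cloud tooling, that performs the checks described above from your own workstation: it derives the discovery URL from the issuer, fetches the document, verifies that its issuer claim matches the configured issuer exactly and that it advertises a jwks_uri, then fetches the JWKS and confirms it carries usable keys. The validation helpers are separated from the network fetch so they can be exercised against constructed documents; the issuer values in the tests are made up.

```python
import json
import sys
import urllib.request
from urllib.error import URLError

# Added example: offline-testable checks for an OIDC issuer's discovery
# document and JWKS, plus an online wrapper that reports fetch failures.

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def discovery_url(issuer: str) -> str:
    """OIDC Discovery 1.0: strip a trailing slash, then append the well-known path."""
    return issuer.rstrip("/") + DISCOVERY_SUFFIX


def validate_metadata(issuer: str, metadata: dict) -> list[str]:
    """Return problems in a discovery document; an empty list means it looks usable."""
    problems = []
    if not issuer.startswith("https://"):
        problems.append("issuer must use https")
    # Verifiers require the document's issuer to equal the configured one
    # byte-for-byte, trailing slash included.
    if metadata.get("issuer") != issuer:
        problems.append(f"issuer mismatch: document says {metadata.get('issuer')!r}, configured {issuer!r}")
    jwks_uri = metadata.get("jwks_uri")
    if not jwks_uri:
        problems.append("jwks_uri missing; signing keys cannot be fetched")
    elif not jwks_uri.startswith("https://"):
        problems.append("jwks_uri must use https")
    # OIDC Core requires every OP to support RS256 for ID token signatures.
    if "RS256" not in metadata.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not listed in id_token_signing_alg_values_supported")
    return problems


def validate_jwks(jwks: dict) -> list[str]:
    """Return problems in a JWKS document; an empty list means keys are usable."""
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        return ["JWKS has no keys"]
    problems = []
    for i, key in enumerate(keys):
        if "kty" not in key:
            problems.append(f"key {i} lacks kty")
        if "kid" not in key:
            problems.append(f"key {i} lacks kid (needed to match the token header during rotation)")
    return problems


def fetch_json(url: str, timeout: float = 5.0) -> dict:
    """Unauthenticated HTTPS GET, as a public verifier would do it."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def check_issuer(issuer: str) -> list[str]:
    """Online check: discovery document reachable and well-formed, JWKS reachable."""
    try:
        metadata = fetch_json(discovery_url(issuer))
    except (URLError, OSError, ValueError) as e:
        return [f"cannot fetch discovery document: {e}; check for a firewall or private network"]
    problems = validate_metadata(issuer, metadata)
    if metadata.get("jwks_uri"):
        try:
            problems += validate_jwks(fetch_json(metadata["jwks_uri"]))
        except (URLError, OSError, ValueError) as e:
            problems.append(f"cannot fetch JWKS: {e}; check for a firewall or private network")
    return problems


if __name__ == "__main__":
    # Usage: python check_issuer.py https://issuer.example.com
    for line in check_issuer(sys.argv[1]) or ["OK"]:
        print(line)
```

Run it from a network that is not inside your perimeter; a fetch error here is the same failure Google Cloud sees, and an issuer mismatch usually means a trailing slash or a proxy hostname that differs from the one the provider signs with.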

401 UNAUTHENTICATED error

If your agent can't authenticate and you see the following error, it might be caused by a Google-managed Context-Aware Access policy that enforces mTLS binding and DPoP cryptographic proofs:

{
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED"
  }
}

You can opt out of this default Context-Aware Access policy if you have specific token-sharing requirements, or if you need to inject the token directly in a request header. Opting out removes the mTLS binding and DPoP proof requirement, so the agent's access tokens become plain bearer tokens that anyone who obtains them can replay; keep the default unless you need the opt-out. To opt out, set the following environment variable when you deploy your agent:

config={
  "env_vars": {
    "GOOGLE_API_PREVENT_AGENT_TOKEN_SHARING_FOR_GCP_SERVICES": False,
  }
}

What's next