Implement OIDC SSO for an edtech tool integrating with Google Workspace for Education, retrieving classroom membership via the Google Classroom API after OIDC sign-in
Register the tool in Google Cloud Console as an OAuth 2.0 web application and add the classroom.rosters.readonly and classroom.courses.readonly scopes
Initiate the OIDC authorization code flow redirecting to accounts.google.com/o/oauth2/v2/auth with the required scopes and a state parameter
Exchange the code for tokens at oauth2.googleapis.com/token and validate the id_token claims: iss, aud, hd (hosted domain for G Suite users)
Use the access token to GET classroom.googleapis.com/v1/courses?courseStates=ACTIVE&studentId=me for the authenticated student
GET classroom.googleapis.com/v1/courses/{courseId}/students to enumerate all enrolled students in a course
Refresh the access token using the refresh_token before expiry; store tokens encrypted at rest
Known gotchas
The hd claim in the id_token indicates a Google Workspace domain; do not rely solely on hd to verify institutional membership — also verify the email domain matches your expected institution
Google Classroom API scopes require verification through the Google OAuth app verification process for non-internal apps; unverified apps are limited to test users
Deleting a student from Google Classroom does not revoke their existing OAuth tokens; implement a periodic roster reconciliation to detect dropped enrollments
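The id_token claim checks from the token-exchange step, combined with the hd gotcha above, as an added example that is not part of the original page. It assumes the token's signature was already verified by a JWT library; validate_google_claims, ClaimError, the client ID and the school.example domain are hypothetical names and constructed values.

```python
import time

# Google issues id_tokens with either of these two issuer strings.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Constructed sample payload for illustration (not a real token).
SAMPLE_CLIENT_ID = "example-client-id.apps.googleusercontent.com"
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com", "aud": SAMPLE_CLIENT_ID,
    "sub": "1000000000000000001", "exp": 1700003600,
    "hd": "school.example", "email": "student@school.example",
    "email_verified": True,
}


class ClaimError(ValueError):
    """Raised when an id_token claim fails validation."""


def validate_google_claims(claims, client_id, expected_domain, now=None):
    """Check iss, aud, exp, hd and the email domain; return sub on success.

    Assumption: `claims` is the payload of an id_token whose signature has
    already been verified against Google's published keys.
    """
    if not expected_domain:
        raise ValueError("expected_domain must be set")
    now = time.time() if now is None else now
    expected_domain = expected_domain.lower()
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ClaimError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ClaimError("token was not issued to this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ClaimError("token expired or exp missing")
    # hd is absent for consumer accounts, so a missing hd fails closed.
    if str(claims.get("hd", "")).lower() != expected_domain:
        raise ClaimError("hd does not match the institution")
    # Independent second check from the gotcha: the email domain itself.
    if claims.get("email_verified") is not True:
        raise ClaimError("email not verified")
    local, sep, domain = str(claims.get("email", "")).rpartition("@")
    if not sep or not local or domain.lower() != expected_domain:
        raise ClaimError("email domain does not match the institution")
    if not claims.get("sub"):
        raise ClaimError("missing sub")
    return claims["sub"]
```

Key the local account on the returned sub rather than on the email address, since sub is the stable identifier for the Google account.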