Skip to content

fix(auth): Support fallback OAuth token and prefixless credential lookups in session state#5899

Open
tonycoco wants to merge 1 commit into
google:mainfrom
tonycoco:fix/agent-engine-auth-key
Open

fix(auth): Support fallback OAuth token and prefixless credential lookups in session state#5899
tonycoco wants to merge 1 commit into
google:mainfrom
tonycoco:fix/agent-engine-auth-key

Conversation

@tonycoco
Copy link
Copy Markdown

@tonycoco tonycoco commented May 29, 2026
edited
Loading

Fixes #4712

Session state might store authentication responses as raw string tokens instead of AuthCredential objects, or under custom credential keys without the standard "temp:" prefix.

Add robust fallback handling to resolve raw token strings, check for prefixless keys, and scan state values for any Google OAuth access tokens starting with "ya29."

The patch updates the get_auth_response method in google/adk/auth/auth_handler.py to do the following:

Check temp:<key> prefix: This maintains the standard OAuth redirection flow.
Check <key> directly: This allows resolving credentials where the application or environment provides them under the exact configuration key without prefixes.
Scan session state for OAuth tokens: This dynamically scans the state dictionary for active Google Cloud access tokens starting with the standard "ya29." prefix. This is common in hosted Google Cloud environments such as Vertex AI Reasoning Engine.

Unit Tests:

  • I have added or updated unit tests for my change.
  • All unit tests pass locally.

Checklist

  • I have read the CONTRIBUTING.md document.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • I have manually tested my changes end-to-end.
  • Any dependent changes have been merged and published in downstream modules.

@adk-bot
Copy link
Copy Markdown
Collaborator

adk-bot commented May 29, 2026

Response from ADK Triaging Agent

Hello @tonycoco, thank you for creating this PR!

This PR is a bug fix for #4712, but we noticed that it is missing some information required by our contribution guidelines:

  • Testing Plan: Please include a testing plan section in your PR description to describe how you tested or will test these changes.
  • Logs or Screenshots: For bug fixes, please provide logs or a screenshot after the fix is applied.

Providing this information will help reviewers process and review your PR much more efficiently. Thank you for your contribution!

@adk-bot adk-bot added the services [Component] This issue is related to runtime services, e.g. sessions, memory, artifacts, etc label May 29, 2026
@tonycoco tonycoco force-pushed the fix/agent-engine-auth-key branch 2 times, most recently from 9535ce7 to 2642ad0 Compare May 29, 2026 22:19
@tonycoco
fix(auth): Support fallback OAuth token and prefixless credential loo…
b62b7b3 
…kups in session state

Session state might store authentication responses as raw string tokens instead of AuthCredential objects, or under custom credential keys without the standard "temp:" prefix.

Add robust fallback handling to resolve raw token strings, check for prefixless keys, and scan state values for any Google OAuth access tokens starting with "ya29."
@tonycoco tonycoco force-pushed the fix/agent-engine-auth-key branch from 2642ad0 to b62b7b3 Compare May 29, 2026 22:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

services [Component] This issue is related to runtime services, e.g. sessions, memory, artifacts, etc

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OpenAPIToolset / GoogleAPIToolset not picking up Gemini Enterprise Authorization

2 participants

@tonycoco @adk-bot