feat(auth): Add native support for id_token in OAuth2 credentials

anubhav756 · anubhav756 · commit 6d0f4d1f6714 · 2026-02-07T04:02:00.000+05:30
**Please ensure you have read the [contribution guide](https://github.com/google/adk-python/blob/main/CONTRIBUTING.md) before creating a pull request.** **2. Or, if no issue exists, describe the change:** When performing authentication flows via `OAUTH2` or `OPEN_ID_CONNECT`, the native `OAuth2Token` response from identity providers (like Google OAuth) often includes an `id_token` alongside the `access_token` and `refresh_token`. However, the ADK's `update_credential_with_tokens` utility explicitly drops the `id_token`, preventing agents and tools from verifying user identity or extracting OIDC claims securely. Furthermore, the `OAuth2Auth` model does not have a designated field for `id_token`. 1. Added an `id_token: Optional[str] = None` field to the `OAuth2Auth` pydantic model in `auth_credential.py`. 2. Updated `update_credential_with_tokens` in `oauth2_credential_util.py` to correctly extract and map `tokens.get("id_token")` into the `OAuth2Auth` credential object. 3. Updated the relevant unit tests to ensure `id_token` is asserted and preserved during credential updates. **Unit Tests:** - [x] I have added or updated unit tests for my change. - [x] All unit tests pass locally. Summary of passed `pytest` results: ```bash $ pytest tests/unittests/auth/test_oauth2_credential_util.py ======================= test session starts ======================= platform darwin -- Python 3.11.9, pytest-9.0.1, pluggy-1.6.0 collected 9 items tests/unittests/auth/test_oauth2_credential_util.py ......... [100%] ======================== 9 passed in 0.05s ========================
diff --git a/src/google/adk/auth/auth_credential.py b/src/google/adk/auth/auth_credential.py
@@ -79,6 +79,7 @@ class OAuth2Auth(BaseModelWithConfig):
   auth_code: Optional[str] = None
   access_token: Optional[str] = None
   refresh_token: Optional[str] = None
+  id_token: Optional[str] = None
   expires_at: Optional[int] = None
   expires_in: Optional[int] = None
   audience: Optional[str] = None
diff --git a/src/google/adk/auth/oauth2_credential_util.py b/src/google/adk/auth/oauth2_credential_util.py
@@ -107,11 +107,13 @@ def update_credential_with_tokens(
       auth_credential: The authentication credential to update.
       tokens: The OAuth2Token object containing new token information.
   """
-  auth_credential.oauth2.access_token = tokens.get("access_token")
-  auth_credential.oauth2.refresh_token = tokens.get("refresh_token")
-  auth_credential.oauth2.expires_at = (
-      int(tokens.get("expires_at")) if tokens.get("expires_at") else None
-  )
-  auth_credential.oauth2.expires_in = (
-      int(tokens.get("expires_in")) if tokens.get("expires_in") else None
-  )
+  if auth_credential.oauth2:
+    auth_credential.oauth2.access_token = tokens.get("access_token")
+    auth_credential.oauth2.refresh_token = tokens.get("refresh_token")
+    auth_credential.oauth2.id_token = tokens.get("id_token")
+    auth_credential.oauth2.expires_at = (
+        int(tokens.get("expires_at")) if tokens.get("expires_at") else None
+    )
+    auth_credential.oauth2.expires_in = (
+        int(tokens.get("expires_in")) if tokens.get("expires_in") else None
+    )
diff --git a/tests/unittests/auth/test_oauth2_credential_util.py b/tests/unittests/auth/test_oauth2_credential_util.py
@@ -222,6 +222,7 @@ def test_update_credential_with_tokens(self):
     tokens = OAuth2Token({
         "access_token": "new_access_token",
         "refresh_token": "new_refresh_token",
+        "id_token": "new_id_token",
         "expires_at": expected_expires_at,
         "expires_in": 3600,
     })
@@ -230,5 +231,16 @@ def test_update_credential_with_tokens(self):
 
     assert credential.oauth2.access_token == "new_access_token"
     assert credential.oauth2.refresh_token == "new_refresh_token"
+    assert credential.oauth2.id_token == "new_id_token"
     assert credential.oauth2.expires_at == expected_expires_at
     assert credential.oauth2.expires_in == 3600
+
+  def test_update_credential_with_tokens_none(self):
+    credential = AuthCredential(
+        auth_type=AuthCredentialTypes.API_KEY,
+    )
+    tokens = OAuth2Token({"access_token": "new_access_token"})
+    
+    # Should not raise any exceptions when oauth2 is None
+    update_credential_with_tokens(credential, tokens)
+    assert credential.oauth2 is None
