feat(auth)!: expose access_token and refresh_token at top level of auth credentails

BREAKING CHANGE: `token` attribute of OAuth2Auth credentials used to be a dict containing both access_token and refresh_token, given that may cause confusions, now we replace it with access_token and refresh_token at top level of the auth credentials PiperOrigin-RevId: 750346172
2025-12-19 03:42:22 -06:00 · 2025-04-22 15:22:51 -07:00
parent 49d8c0fbb2
commit 956fb912e8
6 changed files with 21 additions and 20 deletions
--- a/src/google/adk/auth/auth_credential.py
+++ b/src/google/adk/auth/auth_credential.py
@@ -66,7 +66,8 @@ class OAuth2Auth(BaseModelWithConfig):
  redirect_uri: Optional[str] = None
  auth_response_uri: Optional[str] = None
  auth_code: Optional[str] = None
-  token: Optional[Dict[str, Any]] = None
+  access_token: Optional[str] = None
+  refresh_token: Optional[str] = None


 class ServiceAccountCredential(BaseModelWithConfig):
--- a/src/google/adk/auth/auth_handler.py
+++ b/src/google/adk/auth/auth_handler.py
@@ -82,7 +82,8 @@ class AuthHandler:
        or not auth_credential.oauth2
        or not auth_credential.oauth2.client_id
        or not auth_credential.oauth2.client_secret
-        or auth_credential.oauth2.token
+        or auth_credential.oauth2.access_token
+        or auth_credential.oauth2.refresh_token
    ):
      return self.auth_config.exchanged_auth_credential

@@ -93,7 +94,7 @@ class AuthHandler:
        redirect_uri=auth_credential.oauth2.redirect_uri,
        state=auth_credential.oauth2.state,
    )
-    token = client.fetch_token(
+    tokens = client.fetch_token(
        token_endpoint,
        authorization_response=auth_credential.oauth2.auth_response_uri,
        code=auth_credential.oauth2.auth_code,
@@ -102,7 +103,10 @@ class AuthHandler:

    updated_credential = AuthCredential(
        auth_type=AuthCredentialTypes.OAUTH2,
-        oauth2=OAuth2Auth(token=dict(token)),
+        oauth2=OAuth2Auth(
+            access_token=tokens.get("access_token"),
+            refresh_token=tokens.get("refresh_token"),
+        ),
    )
    return updated_credential

--- a/src/google/adk/tools/openapi_tool/auth/credential_exchangers/oauth2_exchanger.py
+++ b/src/google/adk/tools/openapi_tool/auth/credential_exchangers/oauth2_exchanger.py
@@ -69,7 +69,7 @@ class OAuth2CredentialExchanger(BaseAuthCredentialExchanger):
        HTTP bearer token cannot be generated, return the original credential.
    """

-    if "access_token" not in auth_credential.oauth2.token:
+    if not auth_credential.oauth2.access_token:
      return auth_credential

    # Return the access token as a bearer token.
@@ -78,7 +78,7 @@ class OAuth2CredentialExchanger(BaseAuthCredentialExchanger):
        http=HttpAuth(
            scheme="bearer",
            credentials=HttpCredentials(
-                token=auth_credential.oauth2.token["access_token"]
+                token=auth_credential.oauth2.access_token
            ),
        ),
    )
@@ -111,7 +111,7 @@ class OAuth2CredentialExchanger(BaseAuthCredentialExchanger):
      return auth_credential

    # If access token is exchanged, exchange a HTTPBearer token.
-    if auth_credential.oauth2.token:
+    if auth_credential.oauth2.access_token:
      return self.generate_auth_token(auth_credential)

    return None