OAuth with PKCE Authentication for OpenApiToolset

[skullboy-1614]

Hi Everyone,

I am using OpenApiToolset using the Oauth auth schema but the API that I use support only Oauth with PKCE so I need to pass the code verifier to the token generation endpoint.

How can I do that since I cannot find a valid approach.

Thanks

[adk-bot]

Response from ADK Answering Agent (experimental, answer may be inaccurate)

TLDR: Based on the current ADK documentation and source code, there is no direct, out-of-the-box support for passing a code_verifier to enable the OAuth PKCE flow when using the OpenApiToolset.

---

Hi @skullboy-1614,

Thanks for reaching out. I've looked into your question about using OAuth with PKCE in the OpenApiToolset.

The standard authentication setup for OpenApiToolset involves providing an auth_scheme (like OpenIdConnectWithConfig) and an auth_credential dictionary. This configuration primarily handles credentials like a client_id and client_secret. [1, 2]

After reviewing the ADK source code, the configuration classes used by OpenApiToolset, such as OpenIdConnectWithConfig and OAuth2Auth, do not have a parameter to specify a code_verifier or a flag to explicitly enable the PKCE flow. [3]

While the OpenAPI 3.0 specification itself supports defining PKCE, the current implementation of OpenApiToolset in ADK does not seem to expose a way to inject the code_verifier into the token exchange request.

As a potential workaround, you could consider creating a custom FunctionTool for the specific API endpoints that require PKCE. This approach gives you full control over the token acquisition process, allowing you to manually handle the code_verifier exchange. You can find more information on creating custom tools in the ADK documentation. [1]

I hope this information is helpful. This seems like a valuable feature, and you may want to consider opening a feature request in the repository for direct PKCE support in OpenApiToolset.

[1] https://google.github.io/adk-docs/tools-custom/authentication/
[2] https://github.com/google/adk-docs/blob/main/examples/python/snippets/tools/auth/tools_and_agent.py
[3] https://github.com/google/adk-python/blob/main/src/google/adk/tools/openapi_tool/openapi_spec_parser/openapi_toolset.py

[skullboy-1614]

Can I get a sample code for this if possible.

Thanks

[skullboy-1614]

Hi @adk-bot can I monkey patch the method to include code verifier?

[adk-bot]

Response from ADK Answering Agent (experimental, answer may be inaccurate)

TLDR: Based on the available documentation, there is no explicit, built-in support for the OAuth 2.0 PKCE flow (i.e., passing a code_verifier) when configuring authentication for the OpenApiToolset.

---

Hi @skullboy-1614,

Thanks for your question. I've looked into the documentation for OpenApiToolset and its authentication capabilities to see how OAuth with PKCE can be implemented.

The standard method for configuring OAuth2 authentication involves defining an AuthScheme and an AuthCredential. These typically handle the client_id and client_secret for the OAuth 2.0 flow. For example, you would initialize the OpenAPIToolset with these authentication details. [1]

However, after reviewing the documentation, I could not find any explicit parameters or configuration options within OpenApiToolset, AuthCredential, or related authentication classes that allow for the inclusion of a code_verifier as required by the PKCE flow. The documentation and examples primarily cover flows involving client_id and client_secret. [2, 3, 4]

This suggests that the PKCE extension to the OAuth 2.0 Authorization Code flow may not be directly supported by the current authentication framework for OpenApiToolset.

While there is a header_provider argument in OpenAPIToolset that allows for adding dynamic headers [5], the code_verifier is typically sent in the body of the POST request to the token endpoint, so this is unlikely to be a solution.

[1] https://google.github.io/adk-docs/tools-custom/authentication/
[2] https://github.com/google/adk-docs/blob/main/examples/python/snippets/tools/auth/tools_and_agent.py
[3] https://github.com/google/adk-python/blob/main/contributing/samples/oauth_calendar_agent/README.md
[4] https://github.com/google/adk-python/blob/main/contributing/samples/integration_connector_euc_agent/README.md
[5] https://github.com/google/adk-python/blob/main/src/google/adk/tools/openapi_tool/openapi_spec_parser/openapi_toolset.py

[skullboy-1614]

Hi @adk-bot can I monkey patch this method to include the code verifier in request

async def _exchange_client_credentials(
self,
auth_credential: AuthCredential,
auth_scheme: AuthScheme,
) -> ExchangeResult:
"""Exchange client credentials for access token.

Args:
    auth_credential: The OAuth2 credential to exchange.
    auth_scheme: The OAuth2 authentication scheme.

Returns:
    An ExchangeResult object containing the exchanged credential and a
    boolean indicating whether the credential was exchanged.
"""
client, token_endpoint = create_oauth2_session(auth_scheme, auth_credential)
if not client:
  logger.warning(
      "Could not create OAuth2 session for client credentials exchange"
  )
  return ExchangeResult(auth_credential, False)

try:
  tokens = client.fetch_token(
      token_endpoint,
      grant_type=OAuthGrantType.CLIENT_CREDENTIALS,
  )
  update_credential_with_tokens(auth_credential, tokens)
  logger.debug("Successfully exchanged client credentials for access token")
except Exception as e:
  logger.error("Failed to exchange client credentials: %s", e)
  return ExchangeResult(auth_credential, False)

return ExchangeResult(auth_credential, True)

[skullboy-1614]

Hi @adk-bot can I monkey patch this method to include the code verifier in request

async def _exchange_client_credentials(
self,
auth_credential: AuthCredential,
auth_scheme: AuthScheme,
) -> ExchangeResult:
"""Exchange client credentials for access token.

Args:
auth_credential: The OAuth2 credential to exchange.
auth_scheme: The OAuth2 authentication scheme.

Returns:
An ExchangeResult object containing the exchanged credential and a
boolean indicating whether the credential was exchanged.
"""
client, token_endpoint = create_oauth2_session(auth_scheme, auth_credential)
if not client:
logger.warning(
"Could not create OAuth2 session for client credentials exchange"
)
return ExchangeResult(auth_credential, False)

try:
tokens = client.fetch_token(
token_endpoint,
grant_type=OAuthGrantType.CLIENT_CREDENTIALS,
)
update_credential_with_tokens(auth_credential, tokens)
logger.debug("Successfully exchanged client credentials for access token")
except Exception as e:
logger.error("Failed to exchange client credentials: %s", e)
return ExchangeResult(auth_credential, False)

return ExchangeResult(auth_credential, True)

[adk-bot]

Response from ADK Answering Agent (experimental, answer may be inaccurate)

TLDR: The ADK for Python supports OAuth2 for OpenApiToolset, but there is no explicit documentation on how to add the code_verifier for the PKCE flow. The standard OAuth2 implementation might not support PKCE out-of-the-box.

---

Hi @skullboy-1614,

Thanks for your question. I've looked into the ADK documentation to see how OAuth2 with PKCE can be implemented for the OpenApiToolset.

Standard OAuth2 Configuration

The ADK supports OAuth2 by allowing you to configure an auth_scheme and auth_credential when you initialize your OpenAPIToolset. Here is an example of how you would typically set up OAuth2:

from google.adk.auth.auth_schemes import OpenIdConnectWithConfig
from google.adk.auth.auth_credential import AuthCredential, AuthCredentialTypes, OAuth2Auth
from google.adk.tools.openapi_tool.openapi_spec_parser.openapi_toolset import OpenAPIToolset

# 1. Define the Authentication Scheme
auth_scheme = OpenIdConnectWithConfig(
    authorization_endpoint='OAUTH2_AUTH_ENDPOINT_URL',
    token_endpoint='OAUTH2_TOKEN_ENDPOINT_URL',
    scopes=['openid', 'YOUR_OAUTH_SCOPES']
)

# 2. Define the Authentication Credential
auth_credential = AuthCredential(
    auth_type=AuthCredentialTypes.OPEN_ID_CONNECT,
    oauth2=OAuth2Auth(
        client_id="YOUR_CLIENT_ID",
        client_secret="YOUR_CLIENT_SECRET",
    )
)

# 3. Initialize the OpenAPIToolset with Auth configuration
my_toolset = OpenAPIToolset(
    spec_str="...",  # Your OpenAPI spec
    spec_str_type='yaml',
    auth_scheme=auth_scheme,
    auth_credential=auth_credential,
)

This configuration is well-documented for standard OAuth2 flows. [1]

OAuth2 with PKCE

You specifically need to pass a code_verifier for the PKCE flow. After reviewing the documentation, there are no explicit examples or parameters shown in the OpenIdConnectWithConfig or OAuth2Auth classes that allow for a code_verifier to be passed during the token exchange.

The ADK framework is designed to handle the OAuth flow, including the exchange of the authorization code for an access token, automatically. [9] It seems that the current implementation may not have built-in support for the PKCE extension.

This might be a feature that is not yet supported in the ADK. I would recommend raising this as a feature request on the google/adk-python GitHub repository to see if support for PKCE can be added in a future release.

I hope this information is helpful, even though it does not provide a direct solution to your problem.

Best regards,
ADK Answering Agent

[1] https://github.com/google/adk-python/blob/main/docs/tools-custom/authentication.html
[9] https://github.com/google/adk-python/blob/main/contributing/samples/authn-adk-all-in-one/README.md