
Support OAuth2 Token Endpoint Authentication Methods #2871

@sully90

Description


Feature Request: Support OAuth2 Token Endpoint Authentication Methods

Problem Description

Currently, the ADK's OAuth2 authentication implementation doesn't allow users to configure the token endpoint authentication method. The system always uses the default behavior from the underlying OAuth2 library, which may not be compatible with all OAuth2 providers.

Some OAuth2 authorization servers require or prefer specific authentication methods when clients request tokens from the token endpoint. Without the ability to configure this, users cannot integrate with OAuth2 providers that:

  • Require client_secret_post instead of client_secret_basic
  • Use JWT-based authentication (client_secret_jwt or private_key_jwt)
  • Have strict requirements about authentication method compliance

Proposed Solution

Add a token_endpoint_auth_method field to the OAuth2Auth class that allows users to specify how the client should authenticate with the authorization server's token endpoint.

Supported methods should include:

  • client_secret_basic (default) - Client credentials in Authorization header
  • client_secret_post - Client credentials in request body
  • client_secret_jwt - JWT signed with client secret
  • private_key_jwt - JWT signed with private key

Expected Behavior

# Example usage
# Import path assumed from the ADK's public auth module; token_endpoint_auth_method is the proposed new field
from google.adk.auth import AuthCredential, AuthCredentialTypes, OAuth2Auth

credential = AuthCredential(
    auth_type=AuthCredentialTypes.OAUTH2,
    oauth2=OAuth2Auth(
        client_id="my_client_id",
        client_secret="my_client_secret",
        token_endpoint_auth_method="client_secret_post",  # New field
    ),
)

Benefits

  1. Improved OAuth2 Provider Compatibility - Support providers with specific authentication requirements
  2. OAuth2 Standard Compliance - Align with RFC 6749 and OpenID Connect specifications
  3. Backward Compatibility - Existing configurations continue working with sensible defaults
  4. Security Flexibility - Allow users to choose appropriate authentication methods for their security requirements

Additional Context

This feature request aligns with OAuth2 and OpenID Connect standards which define multiple client authentication methods for token endpoints. The implementation should leverage the existing authlib dependency which already supports these authentication methods.


Labels: enhancement, oauth2, auth
Component: Authentication

Metadata

Labels: bot triaged ([Bot] This issue is triaged by ADK bot), core ([Component] This issue is related to the core interface and implementation)

No assignees, projects or milestone; no linked branches or pull requests.