fix(auth): send PKCE code_challenge in auth URL

Author: pandego

src/google/adk/auth/auth_handler.py

@@ -17,6 +17,7 @@
 import secrets
 from typing import TYPE_CHECKING
 
+from authlib.oauth2.rfc7636 import create_s256_code_challenge
 from fastapi.openapi.models import SecurityBase
 
 from .auth_credential import AuthCredential
@@ -203,7 +204,12 @@ def generate_auth_uri(
       if not auth_credential.oauth2.code_verifier:
         auth_credential.oauth2.code_verifier = secrets.token_urlsafe(64)
       params["code_challenge_method"] = code_challenge_method
-      params["code_verifier"] = auth_credential.oauth2.code_verifier
+      if code_challenge_method == "S256":
+        params["code_challenge"] = create_s256_code_challenge(
+            auth_credential.oauth2.code_verifier
+        )
+      else:
+        params["code_challenge"] = auth_credential.oauth2.code_verifier
 
     uri, state = client.create_authorization_url(
         url=authorization_endpoint, **params

tests/unittests/auth/test_auth_handler.py

@@ -69,7 +69,10 @@ def create_authorization_url(self, url, **kwargs):
           "&code_challenge_method="
           f"{kwargs.get('code_challenge_method')}"
       )
-      params += "&code_challenge=mock_challenge"
+    if kwargs.get("code_challenge"):
+      params += f"&code_challenge={kwargs.get('code_challenge')}"
+    if kwargs.get("code_verifier"):
+      params += f"&code_verifier={kwargs.get('code_verifier')}"
     return f"{url}?{params}", "mock_state"
 
   def fetch_token(
@@ -264,7 +267,8 @@ def test_generate_auth_uri_with_pkce(self, auth_config):
     result = handler.generate_auth_uri()
 
     assert "code_challenge_method=S256" in result.oauth2.auth_uri
-    assert "code_challenge=mock_challenge" in result.oauth2.auth_uri
+    assert "code_challenge=" in result.oauth2.auth_uri
+    assert "code_verifier=" not in result.oauth2.auth_uri
     assert result.oauth2.code_verifier
 
   @patch("google.adk.auth.auth_handler.OAuth2Session", MockOAuth2Session)