Description
Describe the bug
When using the ApplicationIntegrationToolset configured for OAuth2 Code Authorization Flow with an external provider (specifically tested with Microsoft Entra ID), the final callback from the authorization server to the ADK web server results in a broken state, preventing successful token exchange.
The issue is that the ADK web server's handling of the callback URI (or the redirect back to the client) incorrectly appends a trailing hash symbol (#) to the URL query string.
This causes the authlib.oauth2.client.OAuth2Client class to short-circuit and not fetch the actual authorization token, causing authorization to break. You can see in the image where the OAuth2Client code searches for any # symbol, and if there is one it returns, assuming the authorization code exists, but it does not.
To Reproduce
- Configure an ApplicationIntegrationToolset with an OAuth2Auth credential set to use Authorization Code Flow (e.g., using AuthCredentialTypes.OAUTH2_CODE) for an external IDP (e.g., Microsoft Entra ID).
- Start the ADK application and initiate a user request that triggers the OAuth flow.
- The user completes the external authorization and is redirected back to the ADK callback URI.
- Observe the failure in the console and the application.
ERROR - oauth2_credential_exchanger.py:100 - Failed to exchange OAuth2 tokens: missing_token: Missing 'access_token' in response.
Expected behavior
The ADK web server should successfully process the authorization code and exchange it for a token. The callback URI should not contain a trailing hash symbol (#).
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
- OS: macOS
- Python version: Python 3.12.9
- ADK version: Version: 1.14.1
Model Information:
- Are you using LiteLLM: No
- Which model is being used: Gemini 2.5 Flash
Additional context
N/A
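One way to guard the callback handler against the trailing `#` described in this report, shown as an added example that is not ADK or Authlib code: it drops an empty fragment, refuses a non-empty one, and validates `code` and `state` before the URL reaches the token exchange. The names `normalize_code_callback`, `CallbackError` and the sample URL are hypothetical.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a code-flow callback with the stray trailing '#'.
SAMPLE_CALLBACK = "https://adk.example.test/callback?code=abc123&state=s1#"


class CallbackError(ValueError):
    """Raised when the callback URL is not a valid code-flow response."""


def normalize_code_callback(callback_url: str, expected_state: str) -> dict:
    """Return the cleaned URL plus code/state for an authorization-code callback.

    Hypothetical helper: a code-flow response carries `code` and `state` in
    the query string, so a fragment is either empty debris or unexpected.
    """
    parts = urlsplit(callback_url)
    if parts.fragment:
        # A non-empty fragment is how implicit-flow responses travel; reject
        # it instead of guessing which flow the response belongs to.
        raise CallbackError("unexpected fragment in code-flow callback")

    params = parse_qs(parts.query, keep_blank_values=True)
    if "error" in params:
        raise CallbackError(f"authorization server error: {params['error'][0]}")

    codes, states = params.get("code", []), params.get("state", [])
    if len(codes) != 1 or not codes[0]:
        raise CallbackError("callback must carry exactly one non-empty code")
    # Constant-time comparison of the state bound to this session.
    if len(states) != 1 or not hmac.compare_digest(
        states[0].encode(), expected_state.encode()
    ):
        raise CallbackError("state mismatch")

    # The fragment is known to be empty here, so this only drops a bare '#'.
    clean_url = callback_url.split("#", 1)[0]
    return {"url": clean_url, "code": codes[0], "state": states[0]}


if __name__ == "__main__":
    print(normalize_code_callback(SAMPLE_CALLBACK, "s1"))
```

The cleaned `url` value is what would be handed to the OAuth2 client as the authorization response, so its `#` check no longer fires on an empty fragment.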