Description
Is your feature request related to a problem? Please describe.
The BaseAuthenticatedTool run_async implementation obtains credentials from the tool context using the credential manager, which saves the credential for the session, before calling the tool implementation. This means that no future uses of the tool will ask for authentication, even if the user accidentally provided invalid credentials (such as an invalid username/password combo, or a token for a user account instead of an admin account).
This is problematic for automatic tool implementations like MCPTool and OpenAPITool. While a custom tool can remove the credentials from context if necessary (see https://google.github.io/adk-docs/tools/authentication/#authentication-logic-within-the-tool-function), these implementations don't allow a user to re-authenticate on failure.
Describe the solution you'd like
Some mechanism for removing credentials from the context when a tool responds with an unauthorized or forbidden error.
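The behaviour described in this issue and the requested fix, as an added example that is not part of the original issue and is not ADK code. It is a self-contained model: `SessionCredentialStore`, `AuthenticatedTool`, `evict_on_auth_failure` and `simulate` are hypothetical names, and the tokens and status codes are constructed sample values.

```python
"""Model of cache-before-validate credential handling; hypothetical names, not ADK APIs."""
from dataclasses import dataclass, field
from typing import Callable

AUTH_FAILURES = {401, 403}  # unauthorized, forbidden


@dataclass
class SessionCredentialStore:
    """Stands in for per-session credential state."""
    _creds: dict = field(default_factory=dict)

    def get(self, tool): return self._creds.get(tool)
    def save(self, tool, cred): self._creds[tool] = cred
    def evict(self, tool): self._creds.pop(tool, None)


@dataclass
class AuthenticatedTool:
    name: str
    backend: Callable[[str], int]    # credential -> HTTP-style status
    prompt_user: Callable[[], str]   # stands in for the interactive auth flow
    store: SessionCredentialStore
    evict_on_auth_failure: bool = False

    def run(self) -> int:
        cred = self.store.get(self.name)
        if cred is None:
            cred = self.prompt_user()
            # Saved before the backend has accepted it: the behaviour the issue describes.
            self.store.save(self.name, cred)
        status = self.backend(cred)
        if self.evict_on_auth_failure and status in AUTH_FAILURES:
            # Requested behaviour: drop only this tool's rejected credential,
            # so the next call goes through the auth flow again.
            self.store.evict(self.name)
        return status


def simulate(evict: bool) -> list:
    """User supplies a non-admin token first, then the right one (constructed inputs)."""
    answers = iter(["user-token", "admin-token"])
    tool = AuthenticatedTool(
        name="admin_api",
        backend=lambda c: 200 if c == "admin-token" else 403,
        prompt_user=lambda: next(answers),
        store=SessionCredentialStore(),
        evict_on_auth_failure=evict,
    )
    return [tool.run() for _ in range(3)]
```

With `evict=False` the rejected token stays cached and every later call fails the same way; with `evict=True` the second call prompts again and succeeds.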