@sully90 sully90 commented Sep 7, 2025

Summary

Add token_endpoint_auth_method field to OAuth2Auth class to allow configuring OAuth2 token endpoint authentication methods. This enables users to specify how the client should authenticate with the authorization server's token endpoint.

• Add token_endpoint_auth_method field to OAuth2Auth with default value "client_secret_basic"
• Update create_oauth2_session() to pass the authentication method to OAuth2Session
• Maintain backward compatibility with existing OAuth2 configurations

Unit Tests

Added unit test coverage with 3 new test methods:

  1. test_create_oauth2_session_with_token_endpoint_auth_method() - Tests explicit auth method setting (client_secret_post)
  2. test_create_oauth2_session_with_default_token_endpoint_auth_method() - Tests default behavior (client_secret_basic)
  3. test_create_oauth2_session_oauth2_scheme_with_token_endpoint_auth_method() - Tests with OAuth2 scheme using client_secret_jwt

Test Results:
✅ 16/16 OAuth2 credential utility tests passed
✅ 240/240 auth module tests passed (no regressions)
✅ Tests cover both GOOGLE_AI and VERTEX variants
✅ Pylint score: 9.41/10

Changes Made

src/google/adk/auth/auth_credential.py

  • Added token_endpoint_auth_method: Optional[str] = "client_secret_basic" to OAuth2Auth class

src/google/adk/auth/oauth2_credential_util.py

  • Updated create_oauth2_session() to pass token_endpoint_auth_method parameter to OAuth2Session

tests/unittests/auth/test_oauth2_credential_util.py

  • Added 3 comprehensive test methods covering different authentication scenarios

Backward Compatibility

Non-breaking change - All existing OAuth2 configurations continue to work unchanged with the default client_secret_basic authentication method.

Supported Authentication Methods

  • client_secret_basic (default) - Client credentials in Authorization header
  • client_secret_post - Client credentials in request body
  • client_secret_jwt - JWT with client secret
  • private_key_jwt - JWT with private key

Add token_endpoint_auth_method field to OAuth2Auth class to allow
configuring OAuth2 token endpoint authentication methods. Supports
standard methods: client_secret_basic (default), client_secret_post,
client_secret_jwt, and private_key_jwt.

Changes:
- Add token_endpoint_auth_method field to OAuth2Auth with default 'client_secret_basic'
- Update create_oauth2_session to pass auth method to OAuth2Session
- Add comprehensive test coverage for all authentication methods

#non-breaking
@gemini-code-assist gemini-code-assist bot left a comment

Summary of Changes

Hello @sully90, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the OAuth2 credential handling by introducing support for various token endpoint authentication methods. This provides greater flexibility and security for clients interacting with authorization servers, allowing them to specify their preferred authentication mechanism. The changes are fully backward compatible and include comprehensive test coverage.

Highlights

  • OAuth2 Authentication Method Support: Introduced token_endpoint_auth_method to the OAuth2Auth class, allowing configuration of how clients authenticate with the authorization server's token endpoint.
  • Integration and Backward Compatibility: The create_oauth2_session() utility now utilizes this new field, while maintaining full backward compatibility with existing OAuth2 configurations by defaulting to "client_secret_basic".
  • Comprehensive Unit Testing: Added three new unit tests to cover explicit authentication method settings (e.g., client_secret_post, client_secret_jwt) and verify the default behavior.
@adk-bot adk-bot added bot triaged core [Component] This issue is related to the core interface and implementation labels Sep 7, 2025
@adk-bot adk-bot requested a review from Jacksunwei September 7, 2025 12:56
adk-bot commented Sep 7, 2025

Response from ADK Triaging Agent

Hello @sully90, thank you for creating this PR!

This PR is a new feature, could you please associate a GitHub issue with this PR? If there is no existing issue, could you please create one?

This information will help reviewers to review your PR more efficiently. Thanks!

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request effectively adds support for token_endpoint_auth_method to the OAuth2Auth class, allowing for more flexible client authentication with OAuth2 token endpoints. The changes are well-implemented and include comprehensive unit tests for the new functionality. My review includes a few suggestions to enhance type safety and improve the maintainability of the new test code.

sully90 commented Sep 7, 2025

#2871

sully90 and others added 6 commits September 7, 2025 14:26
Improve type safety by using Literal type instead of Optional[str]
for token_endpoint_auth_method field. This provides compile-time
validation of allowed authentication methods and better IDE support.

Supported methods:
- client_secret_basic (default)
- client_secret_post
- client_secret_jwt
- private_key_jwt
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Create pytest fixture and helper function to reduce redundancy between
test_create_oauth2_session_with_token_endpoint_auth_method and
test_create_oauth2_session_with_default_token_endpoint_auth_method tests.
…ully90/adk-python into feat/oauth2-token-endpoint-auth-method
@Jacksunwei Jacksunwei requested review from seanzhou1023 and removed request for Jacksunwei September 29, 2025 16:55
sully90 commented Oct 28, 2025

@seanzhou1023 any chance of a review on this? It's been open almost 2 months

@DinoChiesa
I know this has been open a long time, just a quick comment.

The suggested methods are:

  • client_secret_basic (default) - Client credentials in Authorization header
  • client_secret_post - Client credentials in request body
  • client_secret_jwt - JWT with client secret
  • private_key_jwt - JWT with private key

Which systems require client_secret_post? That seems like a diversion from RFC 6749; can we not just omit that from formal support in ADK, and provide some sort of sample or guidance for letting people do this "manually" if they really need it?

re: JWT options, I think these are both JWT bearer grants as per RFC 7523, see sec 2.1 (https://datatracker.ietf.org/doc/html/rfc7523#section-2.1) and sec 2.2 (https://datatracker.ietf.org/doc/html/rfc7523#section-2.2). I think the names you are suggesting attempt to distinguish between the signing type? Why not just call it jwt_bearer? And accept a signingKey parameter and an optional algorithm, which determines whether private key or secret key is used?

But, there is a different axis of variance: it is possible to use a JWT:

  • as the client credential in a 2-legged grant (supplanting the client_credentials grant defined in RFC 6749), OR
  • as the client credential in a 3-legged (authorization_code) grant.

So ideally whatever solution is adopted would need to distinguish these cases.

  • auth_code with client ID+secret basicauth encoded (RFC 6749), and/or PKCE
  • auth_code with JWT for client credentials (RFC 7523 Sec 2.2)
  • client_credentials with client ID+secret basicauth encoded (RFC 6749)
  • jwt_bearer with JWT for client credentials (RFC 7523 Sec 2.1)

sully90 commented Nov 26, 2025

Which systems require client_secret_post? That seems like a diversion from RFC 6749

https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1

Alternatively, the authorization server MAY support including the
client credentials in the request-body using the following
parameters:

client_id
REQUIRED. The client identifier issued to the client during
the registration process described by Section 2.2.

client_secret
REQUIRED. The client secret. The client MAY omit the
parameter if the client secret is an empty string.

This is the mechanism our OAuth server requires (client_secret_post). It's also directly supported by authlib (https://docs.authlib.org/en/latest/client/oauth2.html#client-authentication). I added client_secret_jwt and private_key_jwt as they are also supported by authlib so made sense to add support for them all in one PR.
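The four token_endpoint_auth_method values listed in the PR description, and the RFC 6749 section 2.3.1 text quoted above, differ only in where the client credential travels in the token request. The following is an added example, written for this discussion and not ADK or authlib code: it builds the request each method produces and includes the server-side check a token endpoint would apply to a client_secret_jwt assertion (RFC 7523 section 2.2). The client id, secret and endpoint URL are constructed placeholders. private_key_jwt is the same RFC 7523 assertion signed with an asymmetric key; it is left as NotImplementedError here so the example needs no signing library.

```python
"""Where the client credential goes for each OAuth2 token endpoint auth method.

Added illustration, not ADK or authlib code.

client_secret_basic -> RFC 6749 s2.3.1, HTTP Basic Authorization header
client_secret_post  -> RFC 6749 s2.3.1, client_id/client_secret in the body
client_secret_jwt   -> RFC 7523 s2.2, HMAC-signed assertion in the body
private_key_jwt     -> RFC 7523 s2.2, asymmetrically signed assertion (not built here)
"""
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Dict, Tuple
from urllib.parse import quote

# Constructed sample values; not real credentials or a real server.
CLIENT_ID = "example-client"
CLIENT_SECRET = "s3cr3t-example"
TOKEN_ENDPOINT = "https://auth.example.invalid/oauth2/token"
JWT_BEARER_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_secret_jwt(client_id: str, client_secret: str, token_endpoint: str,
                           now: int = None, ttl: int = 300) -> str:
    """Build an HS256 client assertion with the RFC 7523 s3 claims (iss, sub, aud, exp, jti)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "iat": now, "exp": now + ttl, "jti": uuid.uuid4().hex}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_client_secret_jwt(assertion: str, client_secret: str, token_endpoint: str,
                             now: int = None) -> bool:
    """Token-endpoint side check of a client_secret_jwt assertion: alg, signature, aud, exp."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return False
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:  # bad base64 (binascii.Error), bad UTF-8 or bad JSON
        return False
    # Pin the algorithm server-side; never let the token pick it (alg confusion).
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig_b64):
        return False
    # The assertion must be addressed to this endpoint and still be valid.
    if claims.get("aud") != token_endpoint or claims.get("iss") != claims.get("sub"):
        return False
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False
    # A production endpoint would also record jti to reject replays within exp.
    return True


def build_token_request(method: str, client_id: str, client_secret: str, token_endpoint: str,
                        grant_params: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (headers, form body) for a token request authenticated with `method`."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = dict(grant_params)
    if method == "client_secret_basic":
        # RFC 6749 s2.3.1: form-urlencode id and secret, then Basic-encode "id:secret".
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode("ascii")
    elif method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    elif method == "client_secret_jwt":
        body["client_assertion_type"] = JWT_BEARER_TYPE
        body["client_assertion"] = make_client_secret_jwt(client_id, client_secret, token_endpoint)
    elif method == "private_key_jwt":
        raise NotImplementedError("private_key_jwt needs an asymmetric signer (e.g. RS256)")
    else:
        raise ValueError(f"unknown token_endpoint_auth_method: {method!r}")
    return headers, body


if __name__ == "__main__":
    for m in ("client_secret_basic", "client_secret_post", "client_secret_jwt"):
        print(m, build_token_request(m, CLIENT_ID, CLIENT_SECRET, TOKEN_ENDPOINT,
                                     {"grant_type": "client_credentials"}))
```

The point for reviewers of this PR is that the choice of method changes what a secret-scanning or logging control must look at: with client_secret_basic the secret is in a header, with client_secret_post it is in the form body, and with the JWT methods only a short-lived, audience-bound assertion leaves the client. Request logging that captures bodies but redacts Authorization headers would leak the secret under client_secret_post.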

@DinoChiesa
ok. Maybe there are 5 cases then. It's complicated.

@ryanaiagent ryanaiagent self-assigned this Dec 4, 2025
copybara-service bot pushed a commit that referenced this pull request Dec 12, 2025
Merge #2870

## Summary

  Add `token_endpoint_auth_method` field to OAuth2Auth class to allow configuring OAuth2 token endpoint authentication methods. This enables users to specify how the client should authenticate with the authorization server's token endpoint.

  • Add `token_endpoint_auth_method` field to `OAuth2Auth` with default value `"client_secret_basic"`
  • Update `create_oauth2_session()` to pass the authentication method to `OAuth2Session`
  • Maintain backward compatibility with existing OAuth2 configurations

  ## Unit Tests
  Added unit test coverage with 3 new test methods:

  1. `test_create_oauth2_session_with_token_endpoint_auth_method()` - Tests explicit auth method setting (`client_secret_post`)
  2. `test_create_oauth2_session_with_default_token_endpoint_auth_method()` - Tests default behavior (`client_secret_basic`)
  3. `test_create_oauth2_session_oauth2_scheme_with_token_endpoint_auth_method()` - Tests with OAuth2 scheme using `client_secret_jwt`

  **Test Results:**
  ✅ 16/16 OAuth2 credential utility tests passed
  ✅ 240/240 auth module tests passed (no regressions)
  ✅ Tests cover both GOOGLE_AI and VERTEX variants
  ✅ Pylint score: 9.41/10

  ## Changes Made

  **src/google/adk/auth/auth_credential.py**
  - Added `token_endpoint_auth_method: Optional[str] = "client_secret_basic"` to `OAuth2Auth` class

  **src/google/adk/auth/oauth2_credential_util.py**
  - Updated `create_oauth2_session()` to pass `token_endpoint_auth_method` parameter to `OAuth2Session`

  **tests/unittests/auth/test_oauth2_credential_util.py**
  - Added 3 comprehensive test methods covering different authentication scenarios

  ## Backward Compatibility

  ✅ **Non-breaking change** - All existing OAuth2 configurations continue to work unchanged with the default `client_secret_basic` authentication method.

  ## Supported Authentication Methods

  - `client_secret_basic` (default) - Client credentials in Authorization header
  - `client_secret_post` - Client credentials in request body
  - `client_secret_jwt` - JWT with client secret
  - `private_key_jwt` - JWT with private key

Co-authored-by: Xiang (Sean) Zhou <seanzhougoogle@google.com>
COPYBARA_INTEGRATE_REVIEW=#2870 from sully90:feat/oauth2-token-endpoint-auth-method 04fe824
PiperOrigin-RevId: 843739984
adk-bot commented Dec 12, 2025

Thank you @sully90 for your contribution! 🎉

Your changes have been successfully imported and merged via Copybara in commit 8782a69.

Closing this PR as the changes are now in the main branch.

@adk-bot adk-bot closed this Dec 12, 2025