1350 - 8 Token ID update #1875
Conversation
✅ Deploy Preview for adk-docs-preview ready!
joefernandez
left a comment
Some teaching flow issues and style/mechanical issues to look at here.

FYI the new failing link checker CI is due to a different HTTP status code coming from one of Atlassian's websites, unrelated to this PR. I'll fix that in a separate PR shortly.
koverholt
left a comment
Thanks for the updates! I verified the ServiceAccount API against adk-python and the core is correct: the params, the audience-required-when-use_id_token validation, and the Cloud Run/Functions purpose all check out.
I left inline comments for the fixes needed before merge. Once those are in I can re-review.
| !!! Tip | ||
| If you receive an authentication error, verify that your service account has the 'Cloud Run Invoker' or equivalent role on the target service. |
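Review bot: the tip names only the IAM role, but the snippet this tip accompanies also depends on `audience` matching the URL of the service being called (the snippet's own comment says to replace `<YOUR_AUDIENCE_URL>` with that URL), and an ID token minted for the wrong audience is rejected by the target even when the invoker role is correctly granted. Suggest extending the tip to cover both causes: "...verify that your service account has the 'Cloud Run Invoker' or equivalent role on the target service, and that `audience` is the exact URL of that service."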
This is not rendering correctly (it needs a four-space indent for the content and a blank line between the tip line and the content). It is also missing a title, which is optional but usually helpful for readers. It should be of the form:

```markdown
!!! tip "Troubleshooting authentication errors"

    If you receive an authentication error, verify that your service account has the 'Cloud Run Invoker' or equivalent role on the target service.
```
|
|
||
| **Step 4: Exchange Authorization Code for Tokens** | ||
|
|
||
| ADK automatically generates oauth authorization URL and presents it to your ***Agent Client*** application. your ***Agent Client*** application should follow the same way described in Journey 1 to redirect the user to the authorization URL (with `redirect_uri` appended). Once a user completes the login flow, ADK extracts the authentication callback url from ***Agent Client*** applications, automatically parses the auth code, and generates auth token. At the next Tool call, `tool_context.get_auth_response` in step 2 will contain a valid credential to use in subsequent API calls. |
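Review bot: casing and article fixes are needed in this paragraph in addition to the stale section reference: "oauth authorization URL" should be "OAuth authorization URL", the sentence beginning "your ***Agent Client*** application should follow" needs a capital letter, "authentication callback url" should be "authentication callback URL", and "generates auth token" should read "generates an auth token".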
This PR renames the ## Journey 1: ... heading to ## Build Agentic Applications with Authenticated Tools, but this sentence still says "described in Journey 1", which now points to a section title that no longer exists. Please update it to reference the renamed section, and make it a proper anchor link:
...the same way described in [Build Agentic Applications with Authenticated Tools](#build-agentic-applications-with-authenticated-tools) to redirect the user to the authorization URL...
| ```python | ||
| from google.adk.auth.auth_credential import ServiceAccount | ||
|
|
||
| # Configure the ServiceAccount to use ID Token authentication. | ||
| # Replace <YOUR_AUDIENCE_URL> with the URL of the service you are calling. | ||
| sa_config = ServiceAccount( | ||
| use_default_credential=True, | ||
| use_id_token=True, | ||
| audience="<YOUR_AUDIENCE_URL>" | ||
| ) | ||
|
|
||
| ``` |
Unlike subsection A, this snippet stops at the config object and never wires it into a tool, so it's not runnable. Please carry it through to a toolset like A does, using `service_account_scheme_credential`:

```python
from google.adk.auth.auth_credential import ServiceAccount
from google.adk.tools.openapi_tool.auth.auth_helpers import service_account_scheme_credential
from google.adk.tools.openapi_tool.openapi_spec_parser.openapi_toolset import OpenAPIToolset

# Configure the ServiceAccount to use ID Token authentication.
# Replace <YOUR_AUDIENCE_URL> with the URL of the service you are calling.
sa_config = ServiceAccount(
    use_default_credential=True,
    use_id_token=True,
    audience="<YOUR_AUDIENCE_URL>",
)

auth_scheme, auth_credential = service_account_scheme_credential(sa_config)

sample_toolset = OpenAPIToolset(
    spec_str=sa_openapi_spec_str,  # Fill this with an OpenAPI spec
    spec_str_type="json",
    auth_scheme=auth_scheme,
    auth_credential=auth_credential,
)
```
|
||
| * `service_account_credential` (Optional): Provide the path or dict for your service account JSON key file. Use this if you are running locally or outside of Google Cloud. | ||
|
|
||
| * ` use_default_credential` (Optional): Set to True to use Application Default Credentials (ADC). Recommended if your agent is already running within Google Cloud, for example on Cloud Run or Cloud Functions, as it avoids the need for local key files. |
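Review bot: the `service_account_credential` bullet should say where the key material comes from and how to protect it: a service account JSON key is a long-lived credential, so recommend loading the path or dict from an environment variable or a secret manager rather than hard-coding it in the agent, and point readers to `use_default_credential` (the next bullet, which already recommends ADC on Cloud Run/Cloud Functions) as the preferred option wherever ADC is available.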
There's a leading space inside the backticks here: ` use_default_credential` that needs to be fixed.
|
|
||
| ##### ServiceAccount configuration parameters | ||
|
|
||
| Configure your `ServiceAccount` to use ID token authentication and specify the target service's URL as the `audience`. |
This sentence duplicates the sentence in line 313 ("configure your ServiceAccount ... specify the target service's URL as the audience"). Suggest removing this one to avoid the repetition; the parameter bullets below already have the details.
| * **Agent Client** application runs the agent directly (via `runner.run_async`) in the same process. e.g. UI backend, CLI app, or Spark job etc. | ||
| * **Agent Client** application interacts with ADK's fastapi server via `/run` or `/run_sse` endpoint. While ADK's fastapi server could be setup on the same server or different server as ***Agent Client*** application |
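Review bot: the second bullet needs copy fixes beyond the missing ***Agent Client*** emphasis: "ADK's fastapi server" should be "ADK's FastAPI server", "could be setup" should be "can be set up", and the bullet is missing its terminal period. The first bullet uses both "e.g." and "etc." in "e.g. UI backend, CLI app, or Spark job etc."; drop one of them.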
Please revert these two bullets back to ***Agent Client*** to match the rest of the page.
| !!! tip | ||
| Always use `use_id_token=True` and `audience` together. If you provide one without the other, the ADK will raise an error to prevent accidental misconfiguration. |
There was a problem hiding this comment.
For consistency with the tip fix above, this one should get the same treatment: a blank line between the `!!! tip` line and the content, and an optional title. As in:

```markdown
!!! tip "Pair `use_id_token` with `audience`"

    Always use `use_id_token=True` and `audience` together. If you provide one without the other, the ADK will raise an error to prevent accidental misconfiguration.
```
| --- | ||
|
|
||
| ## Journey 1: Building Agentic Applications with Authenticated Tools | ||
| ## Build Agentic Applications with Authenticated Tools |
The page uses sentence case for headings, but several renamed headings in this diff are title case. For consistency, change to sentence case:

```markdown
## Build agentic applications with authenticated tools
### Configure tools with authentication
#### A. Use OpenAPI-based toolsets (...)
#### B. Use Google API toolsets (...)
#### C. Use ID token
### Handle the interactive OAuth/OIDC flow (client-side)
```
Rendered link: https://deploy-preview-1875--adk-docs-preview.netlify.app/tools-custom/authentication/#c-use-id-token
ADK Pull: #1365
Original Issue: #1350 (see item 8)