1350 - 8 Token ID update #1875

Open: zyantw wants to merge 5 commits into main from Token-id-update-1350---8


@zyantw zyantw commented Jun 25, 2026

Collaborator

@zyantw zyantw requested a review from joefernandez June 25, 2026 22:58

netlify Bot commented Jun 25, 2026

Copy link
Copy Markdown

Deploy Preview for adk-docs-preview ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | 97e92b3 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/adk-docs-preview/deploys/6a42ca3474a38d00082fc9c2 |
| 😎 Deploy Preview | https://deploy-preview-1875--adk-docs-preview.netlify.app |

@joefernandez joefernandez left a comment

Collaborator


Some teaching flow issues and style/mechanical issues to look at here.

Comment threads on docs/tools-custom/authentication.md: 7 (5 marked Outdated)

koverholt commented Jun 29, 2026

Collaborator

FYI the new failing link checker CI is due to a different HTTP status code coming from one of Atlassian's websites, unrelated to this PR. I'll fix that in a separate PR shortly.

@koverholt koverholt left a comment


Thanks for the updates! I verified the ServiceAccount API against adk-python and the core is correct: the params, the audience-required-when-use_id_token validation, and the Cloud Run/Functions purpose all check out.

I left inline comments for the fixes needed before merge. Once those are in I can re-review.

Comment on lines +328 to +329
!!! Tip
If you receive an authentication error, verify that your service account has the 'Cloud Run Invoker' or equivalent role on the target service.
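
Review bot: "or equivalent role" in the tip body is too loose for an IAM instruction, and a reader who hits the error is likely to reach for a broader role than needed. Name the role by its ID, `roles/run.invoker` for Cloud Run, and say it should be granted to the calling service account on the target service only.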


This is not rendering correctly (needs four-space indent for content and a blank line between the tip and content). And this is missing a title, which is optional but usually helpful for readers. Should be of the form:

```markdown
!!! tip "Troubleshooting authentication errors"

    If you receive an authentication error, verify that your service account has the 'Cloud Run Invoker' or equivalent role on the target service.
```


**Step 4: Exchange Authorization Code for Tokens**

ADK automatically generates oauth authorization URL and presents it to your ***Agent Client*** application. your ***Agent Client*** application should follow the same way described in Journey 1 to redirect the user to the authorization URL (with `redirect_uri` appended). Once a user completes the login flow, ADK extracts the authentication callback url from ***Agent Client*** applications, automatically parses the auth code, and generates auth token. At the next Tool call, `tool_context.get_auth_response` in step 2 will contain a valid credential to use in subsequent API calls.
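
Review bot: The second sentence of the Step 4 paragraph starts with a lowercase "your", and the paragraph mixes "oauth authorization URL", "callback url", "auth code" and "auth token" with inconsistent casing and missing articles. Suggest "an OAuth authorization URL" and "callback URL" throughout, so the step reads as a precise description of what ADK does with the authorization code.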


This PR renames the `## Journey 1: ...` heading to `## Build Agentic Applications with Authenticated Tools`, but this sentence still says "described in Journey 1", which now points to a section title that no longer exists. Please update it to reference the renamed section, and make it a proper anchor link:

```markdown
...the same way described in [Build Agentic Applications with Authenticated Tools](#build-agentic-applications-with-authenticated-tools) to redirect the user to the authorization URL...
```

Comment on lines +315 to +326
```python
from google.adk.auth.auth_credential import ServiceAccount

# Configure the ServiceAccount to use ID Token authentication.
# Replace <YOUR_AUDIENCE_URL> with the URL of the service you are calling.
sa_config = ServiceAccount(
use_default_credential=True,
use_id_token=True,
audience="<YOUR_AUDIENCE_URL>"
)

```


Unlike subsection A, this snippet stops at the config object and never wires it into a tool, so it's not runnable. Please carry it through to a toolset like A does, using service_account_scheme_credential:

```python
from google.adk.auth.auth_credential import ServiceAccount
from google.adk.tools.openapi_tool.auth.auth_helpers import service_account_scheme_credential
from google.adk.tools.openapi_tool.openapi_spec_parser.openapi_toolset import OpenAPIToolset

# Configure the ServiceAccount to use ID Token authentication.
# Replace <YOUR_AUDIENCE_URL> with the URL of the service you are calling.
sa_config = ServiceAccount(
    use_default_credential=True,
    use_id_token=True,
    audience="<YOUR_AUDIENCE_URL>",
)

auth_scheme, auth_credential = service_account_scheme_credential(sa_config)

sample_toolset = OpenAPIToolset(
    spec_str=sa_openapi_spec_str,  # Fill this with an OpenAPI spec
    spec_str_type="json",
    auth_scheme=auth_scheme,
    auth_credential=auth_credential,
)
```


* `service_account_credential` (Optional): Provide the path or dict for your service account JSON key file. Use this if you are running locally or outside of Google Cloud.

* ` use_default_credential` (Optional): Set to True to use Application Default Credentials (ADC). Recommended if your agent is already running within Google Cloud, for example on Cloud Run or Cloud Functions, as it avoids the need for local key files.
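
Review bot: The `service_account_credential` bullet tells readers to supply a service account JSON key file but gives no handling guidance, while the next bullet already presents ADC as the way to avoid local key files. Add a sentence here that the key file is a long-lived secret that should stay out of source control and container images, and that `use_default_credential` is preferred wherever ADC is available. Since both parameters are marked Optional, it would also help to state what happens when both or neither are set.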


There's a leading space inside the backticks here: ` use_default_credential` that needs to be fixed.


##### ServiceAccount configuration parameters

Configure your `ServiceAccount` to use ID token authentication and specify the target service's URL as the `audience`.


This sentence duplicates the sentence in line 313 ("configure your ServiceAccount ... specify the target service's URL as the audience"). Suggest removing this one to avoid the repetition; the parameter bullets below already have the details.

Comment on lines +368 to +369
* **Agent Client** application runs the agent directly (via `runner.run_async`) in the same process. e.g. UI backend, CLI app, or Spark job etc.
* **Agent Client** application interacts with ADK's fastapi server via `/run` or `/run_sse` endpoint. While ADK's fastapi server could be setup on the same server or different server as ***Agent Client*** application
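
Review bot: The second bullet ends in a fragment, "While ADK's fastapi server could be setup on the same server or different server as ...", with no main clause and no closing period. Suggest folding it into the preceding sentence, for example "... endpoint; the ADK FastAPI server can run on the same server as the ***Agent Client*** application or on a different one.", and replacing ". e.g." in the first bullet with ", for example".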


Please revert these two bullets back to ***Agent Client*** to match the rest of the page.

Comment on lines +353 to +354
!!! tip
Always use `use_id_token=True` and `audience` together. If you provide one without the other, the ADK will raise an error to prevent accidental misconfiguration.
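
Review bot: "If you provide one without the other" in the tip body asserts that ADK raises an error in both directions, while the review summary on this PR describes the check as `audience` being required when `use_id_token` is set. Confirm that passing `audience` without `use_id_token=True` also raises; if it does not, reword the tip to the one direction that is enforced so readers do not rely on a safeguard that is not there.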


For consistency with the tip fix above, this one should get the same treatment: a blank line between the !!! tip line and the content, and an optional title. As in:

```markdown
!!! tip "Pair `use_id_token` with `audience`"

    Always use `use_id_token=True` and `audience` together. If you provide one without the other, the ADK will raise an error to prevent accidental misconfiguration.
```

---

## Journey 1: Building Agentic Applications with Authenticated Tools
## Build Agentic Applications with Authenticated Tools


The page uses sentence case for headings, but several renamed headings in this diff are title case. For consistency, change to sentence case:

  • ## Build agentic applications with authenticated tools
  • ### Configure tools with authentication
  • #### A. Use OpenAPI-based toolsets (...)
  • #### B. Use Google API toolsets (...)
  • #### C. Use ID token
  • ### Handle the interactive OAuth/OIDC flow (client-side)
