fix: issue 3785. id_token missing #3786
Conversation
Summary of ChangesHello @guillaumeblaquiere, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses a critical omission in the OpenID Connect (OIDC) authentication flow by ensuring that the Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
adk-bot
added
the
core
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request correctly adds support for id_token in the OIDC flow by updating the OAuth2Auth model and the update_credential_with_tokens utility function. The implementation is straightforward and correct. My only suggestion is to update the existing unit tests to cover this new functionality, ensuring the change is robust and preventing future regressions. I've added a specific comment with a suggestion on how to update the tests.
|
Hi @guillaumeblaquiere , Thank you for your contribution! We appreciate you taking the time to submit this pull request. Can you fix the lint error. You can use autoformat.sh. |
ryanaiagent
added
the
request clarification
|
@ryanaiagent I ran the autoformat but I didn't understand why it was related to the previous error. |
|
@ryanaiagent I didn't understand the error I got during the previous run. I'm happy to work on it, but I need more explanation! |
|
Hi @guillaumeblaquiere , we appreciate your patience and support. Can you please fix the failing unit tests before we can proceed with the review. |
|
@ryanaiagent I checked out the main branch, and I found the same unit test errors. I can fix the test from other developments (to make the test OK), but I'm not sure that will REALLY test the expected features behavior. Let me know what you expect from me at this stage. |
|
Hi @wukath , can you please review this. |
ryanaiagent
added
needs review
|
thanks for contributing! what is the id_token used for? I see that we've added it to auth credential, just wondering if the user personally will be accessing it or if we need to make other changes in the adk codebase |
|
Yes, today I would like to use user credential to let ADK agent act as the user. I image cases where the users must use their own credential when their accessing Cloud Run for instance. |
|
@ryanaiagent unit test fixed, and my local env also (updated project.toml file for this) |
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request effectively addresses issue #3785 by integrating id_token into the OAuth2 authentication flow. The changes include updating the OAuth2Auth data model, populating the id_token in the oauth2_credential_util, and adding corresponding unit tests to ensure correctness. Additionally, there are minor import cleanups and adjustments to mocking strategies in the test_remote_a2a_agent.py file, which improve the test suite's robustness. The changes are well-contained and directly address the stated problem.
|
|
||
| assert credential.oauth2.access_token == "new_access_token" | ||
| assert credential.oauth2.refresh_token == "new_refresh_token" | ||
| assert credential.oauth2.id_token == "some_id_token" |
There was a problem hiding this comment.
This assertion verifies that the id_token is correctly set on the OAuth2Auth object after update_credential_with_tokens is called. This is a critical test to ensure the new functionality works as expected.
|
|
||
| [tool.pytest.ini_options] | ||
| testpaths = ["tests"] | ||
| pythonpath = "src" |
There was a problem hiding this comment.
Adding pythonpath = "src" to the [tool.pytest.ini_options] section is a good practice. It ensures that pytest can correctly resolve imports from the src directory, which can prevent import errors during test execution, especially in larger projects with a specific directory structure.
| auth_response_uri: Optional[str] = None | ||
| auth_code: Optional[str] = None | ||
| access_token: Optional[str] = None | ||
| id_token: Optional[str] = None |
There was a problem hiding this comment.
Adding id_token: Optional[str] = None to the OAuth2Auth class is a direct and necessary change to support the id_token in the OIDC flow, as described in the PR. This correctly extends the data model to accommodate the new token type.
| """ | ||
| auth_credential.oauth2.access_token = tokens.get("access_token") | ||
| auth_credential.oauth2.refresh_token = tokens.get("refresh_token") | ||
| auth_credential.oauth2.id_token = tokens.get("id_token", None) |
There was a problem hiding this comment.
Populating the id_token field from the tokens dictionary is crucial for making the id_token available after an OAuth2/OIDC exchange. This change directly implements the solution for issue #3785.
| self.agent.name, | ||
| self.mock_context, | ||
| self.mock_a2a_part_converter, | ||
| self.agent._a2a_part_converter, |
There was a problem hiding this comment.
Changing self.mock_a2a_part_converter to self.agent._a2a_part_converter ensures that the test uses the actual converter instance associated with the agent object, rather than a separate mock. This improves the accuracy of the test by reflecting how the agent would behave in a real scenario.
|
|
||
| # Mock A2A client | ||
| mock_a2a_client = create_autospec(spec=A2AClient, instance=True) | ||
| mock_a2a_client = MagicMock(spec=A2AClient) |
There was a problem hiding this comment.
Replacing create_autospec(spec=A2AClient, instance=True) with MagicMock(spec=A2AClient) can simplify mocking in some cases. MagicMock is generally more flexible and less strict about argument matching than create_autospec(..., instance=True), which can be beneficial for tests that don't require strict adherence to the spec's signature for all calls. If create_autospec was causing issues due to strictness, MagicMock is a reasonable alternative.
There was a problem hiding this comment.
Test failed if I use create_autospec
|
|
||
| # Mock A2A client | ||
| mock_a2a_client = create_autospec(spec=A2AClient, instance=True) | ||
| mock_a2a_client = MagicMock(spec=A2AClient) |
There was a problem hiding this comment.
This change from create_autospec to MagicMock is consistent with the previous change and likely addresses similar issues related to mocking flexibility.
There was a problem hiding this comment.
Test failed if I use create_autospec
|
|
||
| # Mock A2A client | ||
| mock_a2a_client = create_autospec(spec=A2AClient, instance=True) | ||
| mock_a2a_client = MagicMock(spec=A2AClient) |
There was a problem hiding this comment.
This change from create_autospec to MagicMock is consistent with the previous changes and likely addresses similar issues related to mocking flexibility.
There was a problem hiding this comment.
Test failed if I use create_autospec
| tokens = OAuth2Token({ | ||
| "access_token": "new_access_token", | ||
| "refresh_token": "new_refresh_token", | ||
| "id_token": "some_id_token", |
|
Hi @guillaumeblaquiere , Your PR has been received by the team and is currently under review. We will provide feedback as soon as we have an update to share. |
4 participants
Link to Issue or Description of Change
1. Link to an existing issue (if applicable):
Problem:
id_token value is not gathered and made available in the OIDC flow
Solution:
Manual End-to-End (E2E) Tests:
Tested with OIDC and OAuth flow, works well