feat(auth): Add native support for id_token in OAuth2 credentials

anubhav756 · anubhav756 · commit 235335326a79 · 2026-02-07T02:50:51.000+05:30
**Please ensure you have read the [contribution guide](https://github.com/google/adk-python/blob/main/CONTRIBUTING.md) before creating a pull request.** ### Link to Issue or Description of Change **2. Or, if no issue exists, describe the change:** ## Problem When performing authentication flows via `OAUTH2` or `OPEN_ID_CONNECT`, the native `OAuth2Token` response from identity providers (like Google OAuth) often includes an `id_token` alongside the `access_token` and `refresh_token`. However, the ADK's `update_credential_with_tokens` utility explicitly drops the `id_token`, preventing agents and tools from verifying user identity or extracting OIDC claims securely. Furthermore, the `OAuth2Auth` model does not have a designated field for `id_token`. ## Solution 1. Added an `id_token: Optional[str] = None` field to the `OAuth2Auth` pydantic model in `auth_credential.py`. 2. Updated `update_credential_with_tokens` in `oauth2_credential_util.py` to correctly extract and map `tokens.get("id_token")` into the `OAuth2Auth` credential object. 3. Updated the relevant unit tests to ensure `id_token` is asserted and preserved during credential updates. ### Testing Plan **Unit Tests:** - [x] I have added or updated unit tests for my change. - [x] All unit tests pass locally. Summary of passed `pytest` results: ```bash $ pytest tests/unittests/auth/test_oauth2_credential_util.py ======================= test session starts ======================= platform darwin -- Python 3.11.9, pytest-9.0.1, pluggy-1.6.0 collected 9 items tests/unittests/auth/test_oauth2_credential_util.py ......... [100%] ======================== 9 passed in 0.05s ========================
diff --git a/src/google/adk/auth/auth_credential.py b/src/google/adk/auth/auth_credential.py
@@ -79,6 +79,7 @@ class OAuth2Auth(BaseModelWithConfig):
   auth_code: Optional[str] = None
   access_token: Optional[str] = None
   refresh_token: Optional[str] = None
+  id_token: Optional[str] = None
   expires_at: Optional[int] = None
   expires_in: Optional[int] = None
   audience: Optional[str] = None
diff --git a/src/google/adk/auth/oauth2_credential_util.py b/src/google/adk/auth/oauth2_credential_util.py
@@ -109,6 +109,7 @@ def update_credential_with_tokens(
   """
   auth_credential.oauth2.access_token = tokens.get("access_token")
   auth_credential.oauth2.refresh_token = tokens.get("refresh_token")
+  auth_credential.oauth2.id_token = tokens.get("id_token")
   auth_credential.oauth2.expires_at = (
       int(tokens.get("expires_at")) if tokens.get("expires_at") else None
   )
diff --git a/tests/unittests/auth/test_oauth2_credential_util.py b/tests/unittests/auth/test_oauth2_credential_util.py
@@ -222,6 +222,7 @@ def test_update_credential_with_tokens(self):
     tokens = OAuth2Token({
         "access_token": "new_access_token",
         "refresh_token": "new_refresh_token",
+        "id_token": "new_id_token",
         "expires_at": expected_expires_at,
         "expires_in": 3600,
     })
@@ -230,5 +231,6 @@ def test_update_credential_with_tokens(self):
 
     assert credential.oauth2.access_token == "new_access_token"
     assert credential.oauth2.refresh_token == "new_refresh_token"
+    assert credential.oauth2.id_token == "new_id_token"
     assert credential.oauth2.expires_at == expected_expires_at
     assert credential.oauth2.expires_in == 3600

Original file line number	Diff line number	Diff line change
`@@ -109,6 +109,7 @@ def update_credential_with_tokens(`
`109`	`109`	`"""`
`110`	`110`	`auth_credential.oauth2.access_token = tokens.get("access_token")`
`111`	`111`	`auth_credential.oauth2.refresh_token = tokens.get("refresh_token")`
	`112`	`+ auth_credential.oauth2.id_token = tokens.get("id_token")`
`112`	`113`	`auth_credential.oauth2.expires_at = (`
`113`	`114`	`int(tokens.get("expires_at")) if tokens.get("expires_at") else None`
`114`	`115`	`)`