
MCP tool Oauth handshake error with "code_challenge required" #4708

@davxiao

Description

🔴 Required Information

Describe the Bug:
Running a local "uv run adk web" agent based on contributing/sample/mcp_toolset_auth, with the OAuth required values manually set up in there. The remote MCP server is a production MCP server that supports OAuth; the MCP server is confirmed working with Gemini CLI, and the OAuth flow works there.

With the local agent, when authenticating in the tool, the OAuth sign-in window pops up as expected but shows an error "code_challenge required".

Detail:

Remote MCP server discovery URL:
https://mcp.app.wiz.io/.well-known/oauth-protected-resource
Authorization Server Metadata:
https://mcp.app.wiz.io/.well-known/oauth-authorization-server

I captured the following OAuth callback URLs for troubleshooting.

OAuth MCP callback URL generated by Gemini CLI (working):
https://mcp.app.wiz.io/oauth2/authorize?client_id=fd4dcc25-66a3-41e5-b469-353c34cabde0&response_type=code&redirect_uri=http%3A%2F%Flocalhost%3A57993%2Foauth%2Fcallback&state=uaNUACOvGXYETLRPyboh3A&code_challenge=DPuGmBuO7z6b4yGyEbWVVEIcuyZjq8EwYLOEiWtmyP0&codechallenge_method=S256&scope=read%3Aall+offline_access&resource=https%3A%2F%2Fmcp.app.wiz.io%2F

Callback URL generated by "adk web" (not working; response: code_challenge required):
https://mcp.app.wiz.io/oauth2/authorize?response_type=code&client_id=hrqip7l27jaj3hmp0ovoh67ejitbk2xr453f7d4g4dqzpjd7fpcgs&scope==read+offline_access&state=IYCt5i63KaQMCDiaBPYv1ocEgZbOXY&access_type=offline&prompt=consent&redirect_uri=http%3A%2F%2F127.0.0.1%3A8000%2Fdev-ui%2F

Agent code snippet:

# Imports added to make the snippet runnable; the import paths follow the ADK
# mcp_toolset_auth sample and are assumed here (not part of the original report).
from fastapi.openapi.models import OAuth2, OAuthFlowAuthorizationCode, OAuthFlows
from google.adk.agents import LlmAgent
from google.adk.apps import App
from google.adk.auth import AuthCredential, AuthCredentialTypes, OAuth2Auth
from google.adk.tools.mcp_tool import McpToolset, StreamableHTTPConnectionParams

# OAuth2 auth scheme with authorization code flow
# This specifies the OAuth metadata needed for the full OAuth flow
auth_scheme = OAuth2(
    flows=OAuthFlows(
        authorizationCode=OAuthFlowAuthorizationCode(
            authorizationUrl='https://mcp.app.wiz.io/oauth2/authorize',
            tokenUrl='https://mcp.app.wiz.io/oauth2/token',
            scopes={'read': 'all', 'offline_access': 'offline access'},
        )
    )
)

# OAuth credential with client credentials (used for token exchange)
# In a real scenario, this would be used to obtain the access token
auth_credential = AuthCredential(
    auth_type=AuthCredentialTypes.OAUTH2,
    oauth2=OAuth2Auth(
        client_id='hrqip7l27jaj3hmp0ovoh67ejitbk2xr453f7d4g4dqzpjd7fpcgs',
        client_secret='********************',  # removed for security; can be provided offline for troubleshooting
        code_challenge_method='S256',
    ),
)

# Create the MCP toolset with OAuth authentication
mcp_toolset = McpToolset(
    connection_params=StreamableHTTPConnectionParams(
        url='https://mcp.app.wiz.io',
    ),
    auth_scheme=auth_scheme,
    auth_credential=auth_credential,
)

# Define the agent that uses the OAuth-protected MCP toolset
root_agent = LlmAgent(
    model='gemini-3-flash-preview',
    name='mcp_toolset_auth',
    instruction="""You are a helpful assistant that can access security posture information via the Wiz MCP tool.""",
    tools=[mcp_toolset],
)

# Wrap the root agent in an App so "adk web" can serve it
app = App(
    root_agent=root_agent,
    name="mcp_toolset_auth",
)

Expected Behavior:
Expect the OAuth callback handshake to complete without error.

🟡 Optional Information

I use "uv run adk web", which I believe uses the latest adk-python version.

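The error above is the authorization server enforcing PKCE (RFC 7636): the "adk web" URL carries no code_challenge, while the Gemini CLI one does. The following added example (not ADK code and not from the reporter) takes the "adk web" authorize URL quoted in the report, lists what a PKCE-enforcing server would reject, and shows how an S256 verifier/challenge pair is derived and attached; the scope check and the helper names are this example's own.

```python
import base64
import hashlib
import secrets
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# The authorize URL produced by "adk web", copied from the report above.
ADK_URL = ("https://mcp.app.wiz.io/oauth2/authorize?response_type=code"
           "&client_id=hrqip7l27jaj3hmp0ovoh67ejitbk2xr453f7d4g4dqzpjd7fpcgs"
           "&scope==read+offline_access&state=IYCt5i63KaQMCDiaBPYv1ocEgZbOXY"
           "&access_type=offline&prompt=consent"
           "&redirect_uri=http%3A%2F%2F127.0.0.1%3A8000%2Fdev-ui%2F")

PKCE_PARAMS = ("code_challenge", "code_challenge_method")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """RFC 7636 S256: challenge = BASE64URL(SHA-256(verifier)) with '=' padding removed."""
    if verifier is None:  # 32 random bytes -> 43-char verifier, within the 43..128 range
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check_authorize_url(url: str) -> List[str]:
    """Problems a PKCE-enforcing authorization server would reject the request for."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    problems = [f"missing {p}" for p in PKCE_PARAMS if p not in q]
    if q.get("code_challenge_method", ["S256"])[0] != "S256":
        problems.append("code_challenge_method is not S256")
    # parse_qs splits on the first '=', so "scope==read" yields a value starting with '='
    if q.get("scope", [""])[0].startswith("="):
        problems.append("scope value starts with '=' (double '==' in query)")
    return problems


def add_pkce(url: str) -> Tuple[str, str]:
    """Return (verifier, url_with_pkce); the verifier is sent later on the token request."""
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    verifier, challenge = make_pkce_pair()
    q["code_challenge"] = [challenge]
    q["code_challenge_method"] = ["S256"]
    return verifier, urlunsplit(parts._replace(query=urlencode(q, doseq=True)))
```

Running check_authorize_url on ADK_URL reports the two missing PKCE parameters plus the doubled "==" in the scope; after add_pkce only the scope problem remains.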
