feat(apigee): add userinfo.email scope for tokeninfo user identification

[polar3130]

Summary

• ApigeeLlm.api_client now explicitly calls google.auth.default() with both cloud-platform and userinfo.email scopes, and passes the credentials to genai.Client
• This enables Apigee Gateway to identify callers via Google's tokeninfo API when using Service Account key authentication
• Change is scoped to ApigeeLlm only — no impact on base Gemini class or genai SDK

Fixes #4721

Test plan

• Added unit test test_api_client_requests_userinfo_email_scope verifying google.auth.default is called with the correct scopes and credentials are passed to genai.Client
• All 52 existing tests in test_apigee_llm.py pass

$ uv run --extra test python -m pytest tests/unittests/models/test_apigee_llm.py -v
======================= 52 passed, 2 warnings in 23.23s ========================

🤖 Generated with Claude Code

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[adk-bot]

Response from ADK Triaging Agent

Hello @polar3130, thank you for your contribution!

It looks like the Contributor License Agreement (CLA) check has failed. Before we can merge this PR, you'll need to sign the CLA. You can find more information in the "checks" section at the bottom of the pull request.

Thanks!

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the ApigeeLlm client's authentication mechanism by explicitly requesting the userinfo.email scope alongside cloud-platform. This ensures that the Apigee Gateway can properly identify users through Google's tokeninfo API when service account key authentication is in use, improving security and traceability for API calls originating from Apigee. The change is isolated to the Apigee-specific LLM implementation, maintaining compatibility with other components.

Highlights

• Authentication Scope Update: The ApigeeLlm.api_client method now explicitly requests cloud-platform and userinfo.email scopes when calling google.auth.default().
• Credential Passing: The credentials obtained with the specified scopes are now passed to the genai.Client constructor.
• Apigee Gateway User Identification: This change enables the Apigee Gateway to identify callers via Google's tokeninfo API when using Service Account key authentication, addressing issue ApigeeLlm: Add userinfo.email scope for Apigee Gateway tokeninfo user identification #4721.
• Scope of Change: The modifications are limited to the ApigeeLlm class and do not affect the base Gemini class or the genai SDK.
• New Unit Test: A new unit test, test_api_client_requests_userinfo_email_scope, was added to verify the correct scope usage and credential passing.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• src/google/adk/models/apigee_llm.py
  • Imported the google.auth module.
  • Defined a new constant _APIGEE_SCOPES containing the required authentication scopes.
  • Modified the api_client method to obtain credentials using google.auth.default with the new scopes and pass these credentials to the genai.Client.
• tests/unittests/models/test_apigee_llm.py
  • Imported the _APIGEE_SCOPES constant for testing purposes.
  • Added a new asynchronous unit test test_api_client_requests_userinfo_email_scope to verify that google.auth.default is called with the correct scopes and that the resulting credentials are passed to the genai.Client.

Activity

• A new unit test test_api_client_requests_userinfo_email_scope was added to validate the new authentication scope behavior.
• All 52 existing tests in test_apigee_llm.py were confirmed to pass after the changes.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

The pull request successfully implements the requested feature to add the userinfo.email scope for tokeninfo user identification in ApigeeLlm.api_client. The changes are well-contained within the ApigeeLlm class and do not impact other parts of the codebase. A new unit test has been added to verify the correct behavior, which is a good practice.

[gemini-code-assist]

These assertions are redundant. The test already verifies that mock_auth_default is called with _APIGEE_SCOPES on line 664. If the _APIGEE_SCOPES constant itself is incorrectly defined in apigee_llm.py, that would be a bug in the constant's definition, not in how it's used by api_client. Removing these lines will make the test more concise and focused on the behavior of api_client.