Skip to content

Update ADK doc according to issue #1292 - 7 - External Access Tokens #1304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
adk-bot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update ADK doc according to issue #1292 - 7 - External Access Tokens #1304

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 16 additions & 2 deletions docs/tools-custom/authentication.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,20 @@ You set up authentication when defining your tool:
* **Database/Persistent Storage:** **Strongly consider encrypting** the token data before storing it in the database using a robust encryption library (like `cryptography`) and managing encryption keys securely (e.g., using a key management service).
* **Secure Secret Stores:** For production environments, storing sensitive credentials in a dedicated secret manager (like Google Cloud Secret Manager or HashiCorp Vault) is the **most recommended approach**. Your tool could potentially store only short-lived access tokens or secure references (not the refresh token itself) in the session state, fetching the necessary secrets from the secure store when needed.

## Using External Access Tokens

For Google credentials, you can configure `external_access_token_key` to instruct the tool to retrieve an existing access token from `tool_context.state` instead of performing authentication itself.
This is useful when the agent is invoked in an environment where the user is already authenticated (e.g., a frontend passing the token).
Example:
```python
AuthCredential(
auth_type=AuthCredentialTypes.GOOGLE_CREDENTIALS,
google_credentials_config=GoogleCredentialsConfig(
external_access_token_key="my_access_token"
)
)
```

---

## Journey 1: Building Agentic Applications with Authenticated Tools
Expand Down Expand Up @@ -144,7 +158,7 @@ Pass the scheme and credential during toolset initialization. The toolset applie
auth_scheme = OpenIdConnectWithConfig(
authorization_endpoint=OAUTH2_AUTH_ENDPOINT_URL,
token_endpoint=OAUTH2_TOKEN_ENDPOINT_URL,
scopes=['openid', 'YOUR_OAUTH_SCOPES"]
scopes=['openid', 'YOUR_OAUTH_SCOPES']
)
auth_credential = AuthCredential(
auth_type=AuthCredentialTypes.OPEN_ID_CONNECT,
Expand Down Expand Up @@ -689,4 +703,4 @@ except Exception as e:
required:
- code
- message
```
```
Loading