
Introduce normalize_oauth2_tokens #4498

Draft
jayy-77 wants to merge 1 commit into google:main from jayy-77:Concur-OAuth2-code-fix

@jayy-77 jayy-77 commented Feb 14, 2026

Please ensure you have read the contribution guide before creating a pull request.

Link to Issue or Description of Change

1. Link to an existing issue (if applicable):

2. Or, if no issue exists, describe the change:

If applicable, please follow the issue templates to provide as much detail as
possible.

Problem:
A clear and concise description of what the problem is.

Solution:
A clear and concise description of what you want to happen and why you choose
this solution.

Testing Plan

Please describe the tests that you ran to verify your changes. This is required
for all PRs that are not small documentation or typo fixes.

Unit Tests:

  • I have added or updated unit tests for my change.
  • All unit tests pass locally.

Please include a summary of passed pytest results.

Manual End-to-End (E2E) Tests:

Please provide instructions on how to manually test your changes, including any
necessary setup or configuration. Please provide logs or screenshots to help
reviewers better understand the fix.

Checklist

  • I have read the CONTRIBUTING.md document.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • I have manually tested my changes end-to-end.
  • Any dependent changes have been merged and published in downstream modules.

Additional context

Add any other context or screenshots about the feature request here.

@gemini-code-assist
Contributor

Summary of Changes

Hello @jayy-77, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the robustness and consistency of OAuth2 token handling within the authentication framework. It introduces a dedicated utility function to validate and normalize token responses, which is then integrated into both the authorization code exchange and token refreshing processes. Additionally, it refines the token exchange logic to prevent duplicate client_id parameters when using the client_secret_post authentication method, improving compatibility and correctness.

Highlights

  • Introduced normalize_oauth2_tokens function: A new utility function was added to validate and normalize OAuth2 token payloads, ensuring consistent handling across the application.
  • Enhanced OAuth2 token exchange: The authorization code exchange process was updated to use the new normalize_oauth2_tokens function and to correctly handle client_id for different token_endpoint_auth_method types, specifically client_secret_post.
  • Improved OAuth2 token refreshing: The token refreshing mechanism now also utilizes normalize_oauth2_tokens to process the refreshed token payload.

Changelog
  • src/google/adk/auth/exchanger/oauth2_credential_exchanger.py
    • Imported normalize_oauth2_tokens for use in token exchange.
    • Modified _exchange_authorization_code to conditionally include client_id in fetch_token arguments based on the token_endpoint_auth_method to avoid duplication for client_secret_post.
    • Applied normalize_oauth2_tokens to the fetched tokens.
    • Enhanced error logging to include the token_endpoint_auth_method for better debugging.
  • src/google/adk/auth/oauth2_credential_util.py
    • Imported Mapping from collections.abc.
    • Added a new @experimental function normalize_oauth2_tokens to validate that token payloads are dict-like objects.
    • Integrated normalize_oauth2_tokens into update_credential_with_tokens to ensure all token updates are normalized.
  • src/google/adk/auth/refresher/oauth2_credential_refresher.py
    • Imported normalize_oauth2_tokens for use in token refreshing.
    • Applied normalize_oauth2_tokens to tokens obtained during the refresh process.
Activity
  • No human activity (comments, reviews, etc.) has been recorded on this pull request yet.
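The two behaviours summarised in the comment above, as an added sketch that is not the PR's or ADK's code: a token payload is checked to be dict-like before use, and `client_id` goes into the token request exactly once under `client_secret_post`. The names `normalize_token_payload`, `build_token_request` and `duplicated_params` and all sample values are assumptions, and the `access_token` check goes beyond the dict-like validation the summary describes.

```python
import base64
from collections.abc import Mapping
from urllib.parse import parse_qsl, quote, urlencode


def normalize_token_payload(tokens):
    """Return the token response as a plain dict, or raise ValueError."""
    if not isinstance(tokens, Mapping):
        raise ValueError(f"token response is {type(tokens).__name__}, not a mapping")
    payload = dict(tokens)
    # Stricter than the summary describes: also require a usable access_token.
    token = payload.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("token response has no access_token")
    return payload


def build_token_request(auth_method, client_id, client_secret, code, redirect_uri):
    """Build (headers, form body) for an authorization-code exchange."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = [
        ("grant_type", "authorization_code"),
        ("code", code),
        ("redirect_uri", redirect_uri),
    ]
    if auth_method == "client_secret_post":
        # Credentials travel in the body; client_id is added here and nowhere else.
        params += [("client_id", client_id), ("client_secret", client_secret)]
    elif auth_method == "client_secret_basic":
        # Credentials travel in the Authorization header, not in the body.
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    else:
        raise ValueError(f"unsupported token_endpoint_auth_method: {auth_method}")
    return headers, urlencode(params)


def duplicated_params(body):
    """Names that occur more than once in a form-encoded body."""
    names = [name for name, _ in parse_qsl(body)]
    return sorted({n for n in names if names.count(n) > 1})
```

`duplicated_params` is the kind of check a unit test can run against the outgoing request body to catch a second `client_id` before a strict token endpoint rejects it.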

@adk-bot
Collaborator

adk-bot commented Feb 14, 2026

Response from ADK Triaging Agent

Hello @jayy-77, thank you for creating this PR!

Could you please fill out the PR description, including a link to an existing issue or a description of the change, and a testing plan?

This information will help reviewers to review your PR more efficiently. Thanks!

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a normalize_oauth2_tokens function to validate token payloads from OAuth libraries. This function is now used during token exchange and refresh flows. The changes improve robustness by ensuring token objects are of the expected type. I've provided a couple of suggestions to address some redundancy. One is to remove a duplicate call to the new normalization function, and another is to simplify the error handling logic by reusing an existing variable. Overall, this is a good addition to the codebase.

auth_credential: The authentication credential to update.
tokens: The OAuth2Token object containing new token information.
"""
tokens = normalize_oauth2_tokens(tokens)
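
Review bot: the docstring just above the new `tokens = normalize_oauth2_tokens(tokens)` line still describes `tokens` only as "The OAuth2Token object", with no word on what happens when the payload is rejected. If normalize_oauth2_tokens raises on a payload that is not dict-like, add a Raises entry and say which types are accepted, so callers of update_credential_with_tokens know it can fail before any credential field is touched. Keeping the check as the first statement here also means a caller that skips normalization cannot write an unvalidated payload into the credential.
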
Contributor

high

The normalize_oauth2_tokens function is already being called in oauth2_credential_exchanger.py and oauth2_credential_refresher.py before they call update_credential_with_tokens. Calling it again here is redundant. It's best to have the callers be responsible for normalization and have this function expect a valid token object.

Comment on lines +221 to +223
auth_credential.oauth2.token_endpoint_auth_method
if auth_credential.oauth2
else None,
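
Review bot: the three-line conditional at +221 to +223 runs on the error path, so whatever replaces it must not be able to raise there. If it is swapped for a local variable, assign that variable before the `try`; a name bound partway through the `try` body is still unbound when an earlier statement fails, and the handler would then raise its own error and hide the original token-exchange failure.
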
Contributor

medium

To improve maintainability and avoid code duplication, you can reuse the token_auth_method variable that is already defined within the try block. This avoids re-evaluating the same expression in the except block.

          token_auth_method,
