fix(auth): Make OAuth prompt parameter configurable #5717

Open
akshay-kumar-bm wants to merge 2 commits into google:main from akshay-kumar-bm:fix/oauth-configurable-prompt-3046

@akshay-kumar-bm

Description

Makes the OAuth prompt query parameter configurable on OAuth2Auth instead of being hardcoded to "consent" in AuthHandler.generate_auth_uri.

Why

Per #3046, hardcoding prompt=consent breaks scenarios where consent is granted at the application level (e.g. Azure Entra ID admin-consented permissions). Non-admin users are sent to a consent screen they cannot complete, blocking the flow. Multiple users have hit this (see issue thread).

What changed

  • src/google/adk/auth/auth_credential.py — Added optional prompt field on OAuth2Auth. Typed as Literal["none", "login", "consent", "select_account"] | str | None — the Literal gives IDE autocomplete for the RFC 6749 / OIDC standard values, and the | str fallback allows IdP-specific values like Azure's "admin_consent" to pass through unchanged.
  • src/google/adk/auth/auth_handler.py — Forwards auth_credential.oauth2.prompt to the authorization endpoint, falling back to "consent" when unset (preserves existing behavior).
  • tests/unittests/auth/test_auth_handler.py — Added 4 new test cases (default-is-consent, custom none, custom select_account, IdP-specific admin_consent), strengthened the existing test_generate_auth_uri_with_audience_and_prompt to actually assert the prompt value, and extended MockOAuth2Session.create_authorization_url to echo the prompt kwarg (mirrors the existing audience pattern).

Issue

Fixes #3046

Testing

  • pytest tests/unittests/auth/test_auth_handler.py — 29 passed
  • pytest tests/unittests/auth/ — 185 passed
  • All 111 OAuth-related tests across the rest of the suite still pass
  • pre-commit run --files <changed files> — all hooks pass

Backward compatibility

The new field defaults to None, and None falls back to "consent" at the call site, so existing callers see no behavior change. No tests were modified to accommodate new behavior — only the previously-untested default was locked in.

Checklist

  • Read CONTRIBUTING.md.
  • Self-reviewed the change.
  • Added/updated unit tests.
  • Ran unit tests locally.

The `prompt` parameter in `AuthHandler.generate_auth_uri` was hardcoded
to "consent", which forced a consent screen on every OAuth flow. This
broke scenarios where consent is granted at the application level (e.g.
Azure Entra ID admin-consented permissions) — non-admin users would be
unable to complete the flow.

This change adds an optional `prompt` field to `OAuth2Auth`. When unset,
the value falls back to "consent" so existing callers see no behavior
change. Callers can now pass standard OIDC values ("none", "login",
"consent", "select_account") or IdP-specific values (e.g. Azure's
"admin_consent") to control the authorization endpoint behavior.

Fixes google#3046
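
An added illustration, not code from this PR or from ADK: a stand-alone example of the fallback described above (an unset prompt means "consent"), together with the OpenID Connect Core rule that "none" must not be combined with other prompt values. The helper names, endpoint and client values are hypothetical and constructed for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Values defined for `prompt` by OpenID Connect Core 1.0, section 3.1.2.1.
OIDC_PROMPT_VALUES = frozenset({"none", "login", "consent", "select_account"})
DEFAULT_PROMPT = "consent"  # fallback the PR keeps when the field is unset


def resolve_prompt(configured):
    """Return the prompt value to send; None falls back to "consent"."""
    if configured is None:
        return DEFAULT_PROMPT
    values = configured.split()  # prompt is a space-delimited list
    if not values:
        # Choice made by this example: reject blank strings instead of guessing.
        raise ValueError("prompt must not be empty; use None for the default")
    # OIDC Core: "none" together with any other value is an error.
    if "none" in values and len(values) > 1:
        raise ValueError('prompt "none" cannot be combined with other values')
    return " ".join(values)


def nonstandard_prompt_values(prompt):
    """List values outside the OIDC set (IdP-specific ones) for config review."""
    return [v for v in prompt.split() if v not in OIDC_PROMPT_VALUES]


def build_authorization_url(endpoint, client_id, redirect_uri, scopes, state,
                            prompt=None):
    """Hypothetical helper: assemble an authorization request URL."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "prompt": resolve_prompt(prompt),
    }
    return f"{endpoint}?{urlencode(params)}"


def prompt_sent(url):
    """Read the prompt parameter back out of a built URL."""
    return parse_qs(urlsplit(url).query)["prompt"][0]
```
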
rohityan self-assigned this May 18, 2026
rohityan added the "agent config" label ([Component] This issue is related to the Agent Config interface and implementation) May 18, 2026
@rohityan
Collaborator

Hi @akshay-kumar-bm, thank you for your contribution! We appreciate you taking the time to submit this pull request. Your PR has been received by the team and is currently under review. We will provide feedback as soon as we have an update to share.

rohityan added the "needs review" label ([Status] The PR/issue is awaiting review from the maintainer) May 18, 2026
rohityan requested a review from sasha-gitg May 18, 2026 20:37
@rohityan
Collaborator

Hi @sasha-gitg, can you please review this?

Development

Successfully merging this pull request may close these issues.

OAuth Flow prompt Parameter Should Be Configurable