Skip to content

fix(auth): Make OAuth prompt parameter configurable #5717

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
akshay-kumar-bm wants to merge 2 commits into
base: main
Choose a base branch
from
+81 −1
Open

fix(auth): Make OAuth prompt parameter configurable #5717

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8b7acf1
fix: Make OAuth prompt parameter configurable (#3046)
akshay-kumar-bm May 16, 2026
ea3f7e7
Merge branch 'main' into fix/oauth-configurable-prompt-3046
rohityan May 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions src/google/adk/auth/auth_credential.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,15 @@ class OAuth2Auth(BaseModelWithConfig):
]
| None
) = "client_secret_basic"
# The OAuth2 ``prompt`` parameter forwarded to the authorization endpoint.
# When ``None`` (default), ``"consent"`` is sent to preserve existing
# behavior. Standard values per RFC 6749 / OIDC: ``"none"``, ``"login"``,
# ``"consent"``, ``"select_account"``. ``str`` is also allowed so that
# IdP-specific values (e.g. Azure's ``"admin_consent"``) can be passed
# through unchanged.
prompt: Literal["none", "login", "consent", "select_account"] | str | None = (
None
)


class ServiceAccountCredential(BaseModelWithConfig):
Expand Down
2 changes: 1 addition & 1 deletion src/google/adk/auth/auth_handler.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,7 +197,7 @@ def generate_auth_uri(
)
params = {
"access_type": "offline",
"prompt": "consent",
"prompt": auth_credential.oauth2.prompt or "consent",
}
if auth_credential.oauth2.audience:
params["audience"] = auth_credential.oauth2.audience
Expand Down
71 changes: 71 additions & 0 deletions tests/unittests/auth/test_auth_handler.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,8 @@ def create_authorization_url(self, url, **kwargs):
params = f"client_id={self.client_id}&scope={self.scope}"
if kwargs.get("audience"):
params += f"&audience={kwargs.get('audience')}"
if kwargs.get("prompt"):
params += f"&prompt={kwargs.get('prompt')}"
return f"{url}?{params}", "mock_state"

def fetch_token(
Expand Down Expand Up @@ -250,6 +252,75 @@ def test_generate_auth_uri_with_audience_and_prompt(
result = handler.generate_auth_uri()

assert "audience=test_audience" in result.oauth2.auth_uri
# When prompt is unset, the default "consent" must be forwarded.
assert "prompt=consent" in result.oauth2.auth_uri

@patch("google.adk.auth.auth_handler.OAuth2Session", MockOAuth2Session)
def test_generate_auth_uri_default_prompt_is_consent(self, auth_config):
"""When OAuth2Auth.prompt is unset, the auth URI must send prompt=consent.

Locks in backward-compatible behavior — existing callers that never set
a prompt continue to get the consent screen.
"""
handler = AuthHandler(auth_config)
result = handler.generate_auth_uri()

assert "prompt=consent" in result.oauth2.auth_uri

@patch("google.adk.auth.auth_handler.OAuth2Session", MockOAuth2Session)
def test_generate_auth_uri_with_custom_prompt_none(
self, openid_auth_scheme, oauth2_credentials
):
"""A caller-supplied prompt value must override the default."""
oauth2_credentials.oauth2.prompt = "none"
exchanged = oauth2_credentials.model_copy(deep=True)

config = AuthConfig(
auth_scheme=openid_auth_scheme,
raw_auth_credential=oauth2_credentials,
exchanged_auth_credential=exchanged,
)
handler = AuthHandler(config)
result = handler.generate_auth_uri()

assert "prompt=none" in result.oauth2.auth_uri
assert "prompt=consent" not in result.oauth2.auth_uri

@patch("google.adk.auth.auth_handler.OAuth2Session", MockOAuth2Session)
def test_generate_auth_uri_with_custom_prompt_select_account(
self, openid_auth_scheme, oauth2_credentials
):
"""Standard OIDC prompt values other than 'consent' must pass through."""
oauth2_credentials.oauth2.prompt = "select_account"
exchanged = oauth2_credentials.model_copy(deep=True)

config = AuthConfig(
auth_scheme=openid_auth_scheme,
raw_auth_credential=oauth2_credentials,
exchanged_auth_credential=exchanged,
)
handler = AuthHandler(config)
result = handler.generate_auth_uri()

assert "prompt=select_account" in result.oauth2.auth_uri

@patch("google.adk.auth.auth_handler.OAuth2Session", MockOAuth2Session)
def test_generate_auth_uri_with_idp_specific_prompt(
self, openid_auth_scheme, oauth2_credentials
):
"""IdP-specific prompt values (e.g. Azure's admin_consent) pass through."""
oauth2_credentials.oauth2.prompt = "admin_consent"
exchanged = oauth2_credentials.model_copy(deep=True)

config = AuthConfig(
auth_scheme=openid_auth_scheme,
raw_auth_credential=oauth2_credentials,
exchanged_auth_credential=exchanged,
)
handler = AuthHandler(config)
result = handler.generate_auth_uri()

assert "prompt=admin_consent" in result.oauth2.auth_uri

@patch("google.adk.auth.auth_handler.OAuth2Session", MockOAuth2Session)
def test_generate_auth_uri_openid(
Expand Down
Loading