Labels: answered ([Status] This issue has been answered by the maintainer), tools ([Component] This issue is related to tools)
Description
Describe the bug
When you use an OpenID security scheme, you only get an access token and not an id_token.
To Reproduce
Here is a code sample:
```python
import requests
from fastapi.openapi.models import OAuth2, OAuthFlows, OAuthFlowAuthorizationCode
from google.adk.agents.llm_agent import Agent
from google.adk.auth import OpenIdConnectWithConfig, AuthCredential, AuthConfig, AuthCredentialTypes, OAuth2Auth
from google.adk.tools import ToolContext
from google.adk.tools.authenticated_function_tool import AuthenticatedFunctionTool

YOUR_OAUTH_CLIENT_ID = "<redacted>"
YOUR_OAUTH_CLIENT_SECRET = "<redacted>"
OAUTH2_AUTH_ENDPOINT_URL = "https://accounts.google.com/o/oauth2/v2/auth"
OAUTH2_TOKEN_ENDPOINT_URL = "https://oauth2.googleapis.com/token"


def log_tool(prompt: str, tool_context: ToolContext) -> None:
    """
    Log the user query with the log_tool
    :param prompt: The user query to log
    :param tool_context: The tool context to access credentials
    :return: None
    """
    print(f"DEBUG: Received prompt: {prompt}")
    # Make a GET request on this URL (a Cloud Run service)
    url = f"https://<redacted>.us-central1.run.app?prompt={prompt}"
    # Headers stay empty: the token is only logged below, never attached
    headers = {}
    # Retrieve the credential using the context and auth config
    # (oidc_config is defined at module level further down)
    exchanged_credential = tool_context.get_auth_response(oidc_config)
    if exchanged_credential and exchanged_credential.oauth2:
        # Log the token for debug purposes as requested
        print(f"DEBUG: Found credential for user {tool_context.user_id}")
        access_token = exchanged_credential.oauth2.access_token
        print(f"DEBUG: Access Token: {access_token[:10]}... (truncated)")
    else:
        print("DEBUG: No credential found in tool_context")
    print(f"DEBUG: Sending request to {url}")
    print(f"DEBUG: Headers: {headers}")
    response = requests.get(url, headers=headers)
    print(f"DEBUG: Response: {response.text}")


# OIDC scheme: 'openid' is in the scopes, so an id_token is expected
oidc_scheme = OpenIdConnectWithConfig(
    authorization_endpoint=OAUTH2_AUTH_ENDPOINT_URL,
    token_endpoint=OAUTH2_TOKEN_ENDPOINT_URL,
    scopes=['openid', 'https://www.googleapis.com/auth/userinfo.email', 'https://www.googleapis.com/auth/cloud-platform']
)
oidc_credential = AuthCredential(
    auth_type=AuthCredentialTypes.OPEN_ID_CONNECT,
    oauth2=OAuth2Auth(
        client_id=YOUR_OAUTH_CLIENT_ID,
        client_secret=YOUR_OAUTH_CLIENT_SECRET,
    )
)
oidc_config = AuthConfig(
    auth_scheme=oidc_scheme,
    raw_auth_credential=oidc_credential
)
oidc_authenticated_log_tool = AuthenticatedFunctionTool(
    func=log_tool,
    auth_config=oidc_config,
    response_for_auth_required="Pending User Authorization."
)
root_agent = Agent(
    model='gemini-2.5-flash',
    name='root_agent',
    description='A helpful assistant for user questions.',
    instruction='Answer user questions to the best of your knowledge. Log the user query with the log_tool',
    tools=[oidc_authenticated_log_tool]
)
```
Run a flow, with adk web for instance. The access token is always ya...., not a JWT structure.
Expected behavior
The principle of the OIDC flow is to get an ID token, a JWT, for the tool to use (for instance, to invoke a Cloud Function or a Cloud Run service).
Desktop (please complete the following information):
- OS: windows with WSL Ubuntu 24
- Python version (python -V): 3.12
- ADK version (pip show google-adk): 1.19.0
Model Information:
- Which model is being used (e.g. gemini-2.5-pro): gemini 2.5 flash
Additional context
I have already found a fix; I will propose it.
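As an added illustration (not part of this issue or of the ADK code base), here is a defender-side check that tells an opaque Google access token (the "ya29...." value the tool above receives) from an OIDC ID token, and validates the ID token's iss/aud/exp claims before it is used as a bearer token for a backend. The client id, token values and the unsigned sample JWT are constructed placeholders, and signature verification against the issuer's JWKS is deliberately left to a JOSE library.

```python
import base64, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def is_jwt(token: str) -> bool:
    """True if token is a three-segment JWS whose header and payload decode as JSON
    objects. Google access tokens ("ya29....") are opaque and fail this check."""
    parts = token.split(".")
    try:
        return len(parts) == 3 and all(
            isinstance(json.loads(_b64url_decode(p)), dict) for p in parts[:2])
    except (ValueError, UnicodeDecodeError):
        return False

def check_id_token_claims(id_token: str, client_id: str, now=None) -> dict:
    """Decode the payload and check iss/aud/exp as an OIDC relying party must.
    Signature verification is NOT done here: it needs the issuer's JWKS and a JOSE
    library, and must be added before the claims are trusted."""
    if not is_jwt(id_token):
        raise ValueError("not a JWT: looks like an opaque access token")
    claims = json.loads(_b64url_decode(id_token.split(".")[1]))
    now = time.time() if now is None else now
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != client_id:
        raise ValueError("aud does not match our client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    return claims

def pick_identity_token(token_response: dict, client_id: str, now=None) -> str:
    """Return the id_token to send as the Bearer token to the backend (never the
    access token); raise if it is absent or its claims fail the checks above."""
    id_token = token_response.get("id_token")
    if not id_token:
        raise ValueError("no id_token in token response; was 'openid' in scope?")
    check_id_token_claims(id_token, client_id, now)
    return id_token

# Constructed sample: placeholder client id and an unsigned JWT, for parsing only.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "https://accounts.google.com", "aud": CLIENT_ID,
                        "sub": "1234567890", "exp": 1700003600}).encode()),
    _b64url(b"constructed-signature-not-valid")])
SAMPLE_TOKEN_RESPONSE = {"access_token": "ya29.constructed-opaque-token",
                         "token_type": "Bearer", "id_token": SAMPLE_ID_TOKEN}
```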