ContextQMD
Back to Adk Python

ADK Workflow Auth Config Sample

contributing/workflow_samples/auth_api_key/README.md

2.0.0b13.7 KB
Original Source

ADK Workflow Auth Config Sample

Overview

This sample demonstrates how to use auth_config on a FunctionNode to require user authentication before the node runs.

When a node has auth_config, the workflow automatically:

  1. Pauses the node and emits an adk_request_credential FunctionCall event
  2. The invocation ends — the node is marked as waiting
  3. The client sends a new request with the credential as a FunctionResponse
  4. The workflow stores the credential in session state and re-runs the node

The ADK web UI (adk web) handles step 3 automatically — it recognizes auth requests and presents an auth dialog. If you use a custom client, you need to handle the adk_request_credential FunctionCall and respond with the credential yourself.

This sample uses API key authentication (the simplest credential type).

No External Setup Required

This sample uses a mock weather lookup. No external API key or server is needed. When the auth UI prompts for a key, you can enter any value (e.g., my-test-key-123).

Sample Inputs

Send any message (e.g., go) to start the workflow.

Graph

text
     [ START ]
         |
         v
  [fetch_weather]  <-- pauses for auth on first run
         |
         v
    [summarize]

How To

  1. Define an AuthConfig with the auth scheme and credential type:

    python
    from google.adk.auth.auth_tool import AuthConfig
from google.adk.auth.auth_credential import AuthCredential, AuthCredentialTypes

auth_config = AuthConfig(
    auth_scheme=APIKey(**{'in': APIKeyIn.header, 'name': 'X-Api-Key'}),
    raw_auth_credential=AuthCredential(
        auth_type=AuthCredentialTypes.API_KEY,
        api_key='placeholder',
    ),
    credential_key='weather_api_key',
)

  2. Use the @node decorator with auth_config and rerun_on_resume=True:

    python
    @node(auth_config=auth_config, rerun_on_resume=True)
def fetch_weather(ctx: Context):
    ...

  3. Inside the function, retrieve the credential from ctx:

    python
    def fetch_weather(ctx: Context):
    cred = ctx.get_auth_response(auth_config)
    api_key = cred.api_key
    # Use api_key to call your API...

OAuth2

The same auth_config pattern works with OAuth2 and OpenID Connect. The key differences:

  • Auth scheme: Use OAuth2 (from fastapi.openapi.models) instead of APIKey. Configure the authorization and token URLs in the OAuth2 flows.
  • Raw credential: Set auth_type=AuthCredentialTypes.OAUTH2 and provide client_id, client_secret, and redirect_uri in the oauth2 field.
  • Web UI flow: The ADK web UI recognizes OAuth2 auth requests and opens an authorization popup automatically. The user authenticates with the provider, and the UI sends the full AuthConfig response back. No special handling is needed in the node.
  • Token exchange: The framework automatically exchanges the authorization code for an access token via AuthHandler.exchange_auth_token().
python
from fastapi.openapi.models import OAuth2, OAuthFlowAuthorizationCode, OAuthFlows

auth_config = AuthConfig(
    auth_scheme=OAuth2(
        flows=OAuthFlows(
            authorizationCode=OAuthFlowAuthorizationCode(
                authorizationUrl='https://provider.com/authorize',
                tokenUrl='https://provider.com/token',
                scopes={'read': 'Read access'},
            )
        )
    ),
    raw_auth_credential=AuthCredential(
        auth_type=AuthCredentialTypes.OAUTH2,
        oauth2=OAuth2Auth(
            client_id='YOUR_CLIENT_ID',
            client_secret='YOUR_CLIENT_SECRET',
            redirect_uri='http://localhost:8000/callback',
        ),
    ),
    credential_key='my_oauth_credential',
)