feat: oauth support: add oauth2 related classes #225

Merged
kalenkevich merged 7 commits into main from feat/oauth_part2
Apr 1, 2026

@kalenkevich
Collaborator

Summary

This PR introduces the core infrastructure for OAuth2 support in the TypeScript ADK. It implements metadata discovery (RFC 8414 and RFC 9728), credential exchange, and token refreshing, along with comprehensive unit tests for each component.

These additions lay the groundwork for full OAuth2 authentication flows within the ADK.

Changes Made

Core Components

oauth2_discovery.ts

  • OAuth2DiscoveryManager: Implements OAuth 2.0 Authorization Server Metadata (RFC 8414) and OAuth 2.0 Protected Resource Metadata (RFC 9728) discovery.
  • Dynamically resolves .well-known endpoints for both Authorization Servers and Protected Resources.
  • Includes validation to ensure the metadata issuer or resource matches the target URL, defending against mix-up attacks.

oauth2_credential_exchanger.ts

  • OAuth2CredentialExchanger: Handles exchanging client_credentials and authorization_code for access tokens.
  • Parses and transforms authentication responses into structured AuthCredential objects.

oauth2_credential_refresher.ts

  • OAuth2CredentialRefresher: Automatically checks for token expiration and refreshes OAuth2 credentials using refresh tokens.

oauth2_utils.ts

  • Shared utility functions for fetching tokens, parsing authorization codes, and constructing request bodies (supporting both standard form-urlencoded and JSON formats).
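The issuer/resource check that the summary above credits with defending against mix-up attacks, as an added TypeScript example (not code from this PR or the ADK). The names `wellKnownUrl`, `metadataMatches` and `acceptedSamples` are hypothetical, the sample documents are constructed, and the metadata is assumed to be already fetched and parsed.

```typescript
// Added example: hypothetical helpers, not the ADK's OAuth2DiscoveryManager.
type MetadataKind = 'oauth-authorization-server' | 'oauth-protected-resource';

// RFC 8414 section 3 and RFC 9728 section 3: the well-known segment goes
// between the host and the path of the issuer or resource identifier.
function wellKnownUrl(identifier: string, kind: MetadataKind): string {
  const u = new URL(identifier);
  if (u.protocol !== 'https:') throw new Error('identifier must use https');
  if (u.hash) throw new Error('identifier must not contain a fragment');
  if (kind === 'oauth-authorization-server' && u.search) {
    throw new Error('issuer must not contain a query');
  }
  const path = u.pathname === '/' ? '' : u.pathname;
  return `${u.origin}/.well-known/${kind}${path}${u.search}`;
}

// Section 3.3 of both RFCs: the identifier inside the fetched document must be
// identical to the one the well-known URL was derived from. Exact string
// comparison, no normalisation, so a look-alike or sibling value is rejected.
function metadataMatches(expected: string, kind: MetadataKind,
                         doc: Record<string, unknown>): boolean {
  const field = kind === 'oauth-authorization-server' ? 'issuer' : 'resource';
  return typeof doc[field] === 'string' && doc[field] === expected;
}

// Constructed sample documents (not captured from a real server).
const EXPECTED_ISSUER = 'https://as.example.com/tenant1';
const SAMPLE_DOCS: Array<{ name: string; doc: Record<string, unknown> }> = [
  { name: 'honest', doc: { issuer: 'https://as.example.com/tenant1' } },
  { name: 'other issuer', doc: { issuer: 'https://attacker.example.net' } },
  { name: 'sibling tenant', doc: { issuer: 'https://as.example.com/tenant2' } },
  { name: 'missing field', doc: { token_endpoint: 'https://as.example.com/token' } },
];

// Returns the names of the documents a client should accept for EXPECTED_ISSUER.
function acceptedSamples(): string[] {
  return SAMPLE_DOCS
    .filter((s) => metadataMatches(EXPECTED_ISSUER, 'oauth-authorization-server', s.doc))
    .map((s) => s.name);
}
```

A client that skips this comparison would take its token and authorization endpoints from whatever document the well-known URL returned, which is the condition the mix-up defence removes.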

Member

@ScottMansfield ScottMansfield left a comment

LGTM with some comments

Base automatically changed from feat/oauth_part1 to main April 1, 2026 18:04
- PKCE (Proof Key for Code Exchange)
- CSRF (State Parameter)
- Mix-Up attacks
- SSRF via Discovery
- Token Storage (XSS)
@kalenkevich kalenkevich merged commit d2b7dcb into main Apr 1, 2026
7 checks passed
@kalenkevich kalenkevich deleted the feat/oauth_part2 branch April 1, 2026 21:25
@kalenkevich kalenkevich mentioned this pull request Apr 1, 2026

3 participants