Skip to content

Commit ea921e0

Browse files
prashantpatareprashantpatare-engkoverholtjoefernandez
committed
docs: add integration guide for Agent Identity Auth Manager (#1755)
* docs: add integration guide for Agent Identity Auth Manager * docs: reformat agent-identity.md to match integration guidelines * docs: update agent-identity.md based on review * docs: add icon for agent identity integration * docs: fix icon format for agent identity integration * Edits to Agent Identity integration page for docs conventions * Revise agent-identity.md for clarity and updates Updated the documentation for the Agent Identity Auth Manager to clarify features and improve readability. * Revise Agent Identity documentation for OAuth flow Updated the Agent Identity documentation for clarity and added details on OAuth consent flow handling. * Refactor agent-identity.md for clarity and formatting Updated formatting and improved clarity in the documentation for the Agent Identity Auth Manager. * Clarify OAuth consent flow and credential handling Updated the OAuth consent flow section for clarity and added details on handling the continue URI and credential finalization. * Refine text for clarity in agent-identity.md Clarify language and improve readability in the Agent Identity documentation. * Update Agent Identity auth provider configuration details Revised instructions for configuring the Agent Identity auth provider and handling user consent flow, including code examples and clarifications. * add proper spacing * Updated card title and formatting * Update agent-identity.md --------- Co-authored-by: Prashant Patare <prashantpatare@google.com> Co-authored-by: Kristopher Overholt <koverholt@google.com> Co-authored-by: Joe Fernandez <joefernandez@users.noreply.github.com>
1 parent 4b0a846 commit ea921e0

2 files changed

Lines changed: 141 additions & 0 deletions

File tree

Lines changed: 131 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,131 @@
1+
---
2+
catalog_title: Google Cloud Agent Identity
3+
catalog_description: Manage OAuth tokens and API keys for your agents
4+
catalog_icon: /integrations/assets/agent-identity.svg
5+
catalog_tags: ["google"]
6+
---
7+
8+
# Agent Identity Auth Manager for ADK
9+
10+
<div class="language-support-tag">
11+
<span class="lst-supported">Supported in ADK</span><span class="lst-python">Python v1.30.0</span><span class="lst-preview">Preview</span>
12+
</div>
13+
14+
The [Google Cloud Agent
15+
Identity](https://docs.cloud.google.com/iam/docs/agent-identity-overview)
16+
service provides a streamlined, Google-managed solution for managing the
17+
complete lifecycle of auth credentials, including storing credential
18+
configurations, generating and storing tokens, and auditing access. This
19+
approach allows for a secure and simplified agent development experience.
20+
21+
!!! example "Preview release"
22+
23+
The Agent Identity Auth Manager feature is a Preview release. For more
24+
information, see the [launch stage
25+
descriptions](https://cloud.google.com/products#product-launch-stages).
26+
27+
## Use cases
28+
29+
- **Simplified OAuth Flow**: Manage the complete lifecycle of auth credentials
30+
without building custom infrastructure.
31+
- **Secure Exchange and Storage of Tokens**: Securely store credential
32+
configurations and exchange tokens.
33+
- **Audit Logging**: View and audit access to stored credentials.
34+
35+
## Prerequisites
36+
37+
- A [Google Cloud
38+
project](https://cloud.google.com/resource-manager/docs/creating-managing-projects)
39+
- One or more Agent Identity [auth
40+
providers](https://cloud.google.com/iam/docs/manage-auth-providers) created in
41+
your project
42+
- The caller identity must have the
43+
[`iamconnectors.user`](https://docs.cloud.google.com/iam/docs/roles-permissions/iamconnectors#iamconnectors.user)
44+
role or equivalent permissions
45+
- Authentication configured via [Application Default
46+
Credentials](https://docs.cloud.google.com/docs/authentication/application-default-credentials)
47+
(`gcloud auth application-default login`)
48+
49+
## Installation
50+
51+
Install the `agent-identity` extra package group to download the necessary
52+
client libraries.
53+
54+
```bash
55+
pip install "google-adk[agent-identity]"
56+
```
57+
58+
## Use with agent
59+
60+
Follow these steps to use the Agent Identity Auth Manager within ADK:
61+
62+
### Register auth provider
63+
64+
To enable ADK to determine which `BaseAuthProvider` to use for a given
65+
`CustomAuthScheme`, register the `GcpAuthProvider` instance with the
66+
`CredentialManager`. This needs to be done only once in the agent code.
67+
68+
```python
69+
from google.adk.auth.credential_manager import CredentialManager
70+
from google.adk.integrations.agent_identity import GcpAuthProvider
71+
72+
CredentialManager.register_auth_provider(GcpAuthProvider())
73+
```
74+
75+
### Configure tools
76+
77+
Configure the Agent Identity auth provider using a `GcpAuthProviderScheme`
78+
object, then pass it to the `auth_scheme` parameter of any supported `Tool` or
79+
`Toolset`. The following example shows usage with `McpToolset`, but
80+
`GcpAuthProviderScheme` also works with other tools like
81+
`AuthenticatedFunctionTool`. See the [GCP Auth
82+
sample](https://github.com/google/adk-python/tree/main/contributing/samples/gcp_auth)
83+
for a complete example.
84+
85+
```python
86+
from google.adk.integrations.agent_identity import GcpAuthProviderScheme
87+
from google.adk.tools.mcp import McpToolset
88+
89+
auth_scheme = GcpAuthProviderScheme(
90+
name="projects/PROJECT_ID/locations/LOCATION/connectors/AUTH_PROVIDER_NAME",
91+
# continue_uri is only needed for 3-legged OAuth flows. This URI receives
92+
# the redirect after user consent and must be hosted by your application.
93+
continue_uri=CONTINUE_URI
94+
)
95+
96+
toolset = McpToolset(
97+
connection_params=StreamableHTTPConnectionParams(url="https://YOUR_MCP_SERVER_URL"),
98+
auth_scheme=auth_scheme,
99+
)
100+
```
101+
102+
### Handle OAuth consent
103+
104+
- **Detecting the Auth Request**: Similar to the existing flow, whenever user
105+
consent is required, a `FunctionCall` event named `adk-request-credential`
106+
is generated containing the `auth_uri` field. The user app should open
107+
the `auth_uri` in a popup window to continue the user consent flow.
108+
- **Continue URI Handler**:
109+
- Once the user completes the OAuth consent flow on the third-party
110+
provider's website, the system redirects to the `continue_uri`
111+
callback defined earlier in the `GcpAuthProviderScheme`. The agent
112+
application service must implement this redirect. To finalize issuance,
113+
your handler must submit a POST request to the credentials endpoint:
114+
`https://iamconnectorcredentials.googleapis.com/v1alpha/{connector_name}/credentials:finalize`.
115+
- After credentials are successfully finalized, the web application should
116+
resume the agent by sending a FunctionResponse. For a sample
117+
implementation, refer to the [sample
118+
code](https://docs.cloud.google.com/iam/docs/auth-with-3lo#resume-conversation).
119+
Unlike the native user consent flow, no authorization code is required to
120+
resume the agent.
121+
- For more details, refer to the [sample handler
122+
implementation](https://docs.cloud.google.com/iam/docs/auth-with-3lo#validation-endpoint).
123+
- **Resume the conversation**: Irrespective of the status of the consent flow
124+
(successful or unsuccessful), the agent app should resume the agent to
125+
complete the conversation turn. The ADK automatically determines whether
126+
consent was successfully completed and raise an error if it was not.
127+
128+
## Resources
129+
130+
- [Google Cloud Agent Identity Overview](https://docs.cloud.google.com/iam/docs/agent-identity-overview)
131+
- [Sample agent code](https://github.com/google/adk-python/tree/main/contributing/samples/gcp_auth)
Lines changed: 10 additions & 0 deletions
Loading

0 commit comments

Comments
 (0)