fix(auth): migrate credential storage to secret: scope (Phase 2)

caohy1988 · claude · caohy1988 · commit 2b46204d9b64 · 2026-04-03T22:28:46.000-07:00
Migrate existing credential writers to use the `secret:` prefix so that OAuth tokens and credentials are never persisted to session storage backends. - Change BIGQUERY_TOKEN_CACHE_KEY to "secret:bigquery_token_cache" - Update SessionStateCredentialService.save_credential and load_credential to prefix credential_key with State.SECRET_PREFIX - Update tests to expect secret-prefixed state keys This is a breaking change for existing sessions: cached credentials under the old unprefixed keys will not be found, requiring re-authentication. This is intentional — the old behavior stored credentials in plaintext in session backends. Depends on #5132 (Phase 1: secret: scope infrastructure) Closes #5112 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/src/google/adk/auth/credential_service/session_state_credential_service.py b/src/google/adk/auth/credential_service/session_state_credential_service.py
@@ -19,6 +19,7 @@
 from typing_extensions import override
 
 from ...agents.callback_context import CallbackContext
+from ...sessions.state import State
 from ...utils.feature_decorator import experimental
 from ..auth_credential import AuthCredential
 from ..auth_tool import AuthConfig
@@ -54,7 +55,9 @@ async def load_credential(
         Optional[AuthCredential]: the credential saved in the store.
 
     """
-    return callback_context.state.get(auth_config.credential_key)
+    return callback_context.state.get(
+        State.SECRET_PREFIX + auth_config.credential_key
+    )
 
   @override
   async def save_credential(
@@ -78,6 +81,6 @@ async def save_credential(
         None
     """
 
-    callback_context.state[auth_config.credential_key] = (
+    callback_context.state[State.SECRET_PREFIX + auth_config.credential_key] = (
         auth_config.exchanged_auth_credential
     )
diff --git a/src/google/adk/tools/bigquery/bigquery_credentials.py b/src/google/adk/tools/bigquery/bigquery_credentials.py
@@ -18,7 +18,7 @@
 from ...features import FeatureName
 from .._google_credentials import BaseGoogleCredentialsConfig
 
-BIGQUERY_TOKEN_CACHE_KEY = "bigquery_token_cache"
+BIGQUERY_TOKEN_CACHE_KEY = "secret:bigquery_token_cache"
 BIGQUERY_SCOPES = [
     "https://www.googleapis.com/auth/bigquery",
     "https://www.googleapis.com/auth/dataplex.read-write",
diff --git a/tests/unittests/auth/credential_service/test_session_state_credential_service.py b/tests/unittests/auth/credential_service/test_session_state_credential_service.py
@@ -23,6 +23,7 @@
 from google.adk.auth.auth_credential import OAuth2Auth
 from google.adk.auth.auth_tool import AuthConfig
 from google.adk.auth.credential_service.session_state_credential_service import SessionStateCredentialService
+from google.adk.sessions.state import State
 import pytest
 
 
@@ -265,10 +266,11 @@ async def test_state_persistence_across_operations(
     # Save credential
     await credential_service.save_credential(auth_config, callback_context)
 
-    # Verify state contains the credential
-    assert auth_config.credential_key in callback_context.state
+    # Verify state contains the credential under secret: prefix
+    secret_key = State.SECRET_PREFIX + auth_config.credential_key
+    assert secret_key in callback_context.state
     assert (
-        callback_context.state[auth_config.credential_key]
+        callback_context.state[secret_key]
         == auth_config.exchanged_auth_credential
     )
 
@@ -279,9 +281,9 @@ async def test_state_persistence_across_operations(
     assert result is not None
 
     # Verify state still contains the credential
-    assert auth_config.credential_key in callback_context.state
+    assert secret_key in callback_context.state
     assert (
-        callback_context.state[auth_config.credential_key]
+        callback_context.state[secret_key]
         == auth_config.exchanged_auth_credential
     )
 
@@ -300,7 +302,7 @@ async def test_state_persistence_across_operations(
     await credential_service.save_credential(auth_config, callback_context)
 
     # Verify state was updated
-    assert callback_context.state[auth_config.credential_key] == new_credential
+    assert callback_context.state[secret_key] == new_credential
 
   @pytest.mark.asyncio
   async def test_credential_key_uniqueness(
@@ -344,13 +346,12 @@ async def test_credential_key_uniqueness(
     await credential_service.save_credential(auth_config1, callback_context)
     await credential_service.save_credential(auth_config2, callback_context)
 
-    # Verify both exist in state with different keys
-    assert "unique_key_1" in callback_context.state
-    assert "unique_key_2" in callback_context.state
-    assert (
-        callback_context.state["unique_key_1"]
-        != callback_context.state["unique_key_2"]
-    )
+    # Verify both exist in state with secret-prefixed keys
+    sk1 = State.SECRET_PREFIX + "unique_key_1"
+    sk2 = State.SECRET_PREFIX + "unique_key_2"
+    assert sk1 in callback_context.state
+    assert sk2 in callback_context.state
+    assert callback_context.state[sk1] != callback_context.state[sk2]
 
     # Load and verify both credentials
     result1 = await credential_service.load_credential(
@@ -379,7 +380,9 @@ async def test_direct_state_access(
             redirect_uri="https://direct.com/callback",
         ),
     )
-    callback_context.state[auth_config.credential_key] = test_credential
+    callback_context.state[State.SECRET_PREFIX + auth_config.credential_key] = (
+        test_credential
+    )
 
     # Load using the service
     result = await credential_service.load_credential(
