Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Response from ADK Triaging Agent

Hello @polar3130, thank you for your contribution!

It looks like the Contributor License Agreement (CLA) check has failed. Before we can merge this PR, you'll need to sign the CLA. You can find more information in the "checks" section at the bottom of the pull request.

Thanks!

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the ApigeeLlm client's authentication mechanism by explicitly requesting the userinfo.email scope alongside cloud-platform. This ensures that the Apigee Gateway can properly identify users through Google's tokeninfo API when service account key authentication is in use, improving security and traceability for API calls originating from Apigee. The change is isolated to the Apigee-specific LLM implementation, maintaining compatibility with other components.

Highlights

• Authentication Scope Update: The ApigeeLlm.api_client method now explicitly requests cloud-platform and userinfo.email scopes when calling google.auth.default().
• Credential Passing: The credentials obtained with the specified scopes are now passed to the genai.Client constructor.
• Apigee Gateway User Identification: This change enables the Apigee Gateway to identify callers via Google's tokeninfo API when using Service Account key authentication, addressing issue ApigeeLlm: Add userinfo.email scope for Apigee Gateway tokeninfo user identification #4721.
• Scope of Change: The modifications are limited to the ApigeeLlm class and do not affect the base Gemini class or the genai SDK.
• New Unit Test: A new unit test, test_api_client_requests_userinfo_email_scope, was added to verify the correct scope usage and credential passing.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Hi @polar3130 , Thank you for your contribution through this pull request! This PR has merge conflicts that require changes from your end. Could you please rebase your branch with the latest main branch to address these? Once this is complete, please let us know so we can proceed with the review.

Hi @rohityan , Thanks for letting me know! I've rebased onto the latest main and resolved the conflict. Also addressed the review comment about redundant assertions in the test. Ready for review.

Hi @polar3130 , please fix formatting errors. You can use autoformat.sh

Hi @rohityan , Thanks for the feedback! Fixed the formatting errors using autoformat.sh.

Hi @polar3130 , can you fix the failing unit tests

Hi @rohityan, I've fixed the failing unit tests. The issue was that google.auth.default() was not mocked in the existing tests, causing DefaultCredentialsError in CI environments without Application Default Credentials.

I added an autouse fixture to mock google.auth.default across all tests in the file. All 53 tests pass locally.

Could you approve the CI workflow run so the tests can be verified on CI as well? Thanks!

Hi @rohityan, friendly ping on this PR.
I believe all the requested changes have been addressed — fixed formatting via autoformat.sh and fixed failing unit tests with the autouse fixture. All 53 tests pass locally.
Could you approve the CI workflow run and proceed with the review when you get a chance?
Thanks for your time!

Hi @mdomingo22, thanks for the feedback! I've updated the PR per your suggestion.

Changes

• Removed the internal google.auth.default() call and _APIGEE_SCOPES constant — no more changes to the default auth flow.
• Added a new credentials: google.auth.credentials.Credentials | None = None parameter to ApigeeLlm.__init__. When provided, it is passed through to genai.Client; when omitted, the credentials kwarg is not forwarded at all (so the default genai.Client auth path is fully preserved, and Gemini Developer API users won't see the credentials warning).
• Updated tests:
  • Added test_api_client_passes_credentials_when_provided — verifies pass-through.
  • Added test_api_client_omits_credentials_when_not_provided — verifies the kwarg is not forwarded when unset.
  • Removed the previous google.auth.default autouse mock since the SDK no longer calls it.

Users who need additional scopes (e.g., userinfo.email for Apigee tokeninfo, the original #4721 use case) can now construct credentials with their preferred scopes and inject them.

All 57 unit tests pass locally. Please take another look when you have a chance.