google
diff --git a/‎src/google/adk/agents/invocation_context.py
Lines changed: 2 additions & 0 deletions b/‎src/google/adk/agents/invocation_context.py
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/google/adk/auth/auth_handler.py
Lines changed: 5 additions & 4 deletions b/‎src/google/adk/auth/auth_handler.py
Lines changed: 5 additions & 4 deletions
diff --git a/‎src/google/adk/auth/credential_service/base_credential_service.py
Lines changed: 2 additions & 2 deletions b/‎src/google/adk/auth/credential_service/base_credential_service.py
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/google/adk/auth/credential_service/in_memory_credential_service.py
Lines changed: 93 additions & 0 deletions b/‎src/google/adk/auth/credential_service/in_memory_credential_service.py
Lines changed: 93 additions & 0 deletions
diff --git a/‎src/google/adk/auth/exchanger/__init__.py
Lines changed: 23 additions & 0 deletions b/‎src/google/adk/auth/exchanger/__init__.py
Lines changed: 23 additions & 0 deletions
diff --git a/‎src/google/adk/auth/exchanger/base_credential_exchanger.py
Lines changed: 49 additions & 0 deletions b/‎src/google/adk/auth/exchanger/base_credential_exchanger.py
Lines changed: 49 additions & 0 deletions
diff --git a/‎src/google/adk/auth/exchanger/credential_exchanger_registry.py
Lines changed: 58 additions & 0 deletions b/‎src/google/adk/auth/exchanger/credential_exchanger_registry.py
Lines changed: 58 additions & 0 deletions
diff --git a/‎src/google/adk/auth/exchanger/oauth2_credential_exchanger.py
Copy file name to clipboard
Lines changed: 90 additions & 0 deletions b/‎src/google/adk/auth/exchanger/oauth2_credential_exchanger.py
Copy file name to clipboard
Lines changed: 90 additions & 0 deletions
@@ -22,6 +22,7 @@
 from pydantic import ConfigDict
 
 from ..artifacts.base_artifact_service import BaseArtifactService
+from ..auth.credential_service.base_credential_service import BaseCredentialService
 from ..memory.base_memory_service import BaseMemoryService
 from ..sessions.base_session_service import BaseSessionService
 from ..sessions.session import Session
@@ -115,6 +116,7 @@ class InvocationContext(BaseModel):
   artifact_service: Optional[BaseArtifactService] = None
   session_service: BaseSessionService
   memory_service: Optional[BaseMemoryService] = None
+  credential_service: Optional[BaseCredentialService] = None
 
   invocation_id: str
   """The id of this invocation context. Readonly."""
 
@@ -22,7 +22,7 @@
 from .auth_schemes import AuthSchemeType
 from .auth_schemes import OpenIdConnectWithConfig
 from .auth_tool import AuthConfig
-from .oauth2_credential_fetcher import OAuth2CredentialFetcher
+from .exchanger.oauth2_credential_exchanger import OAuth2CredentialExchanger
 
 if TYPE_CHECKING:
   from ..sessions.state import State
@@ -43,9 +43,10 @@ def __init__(self, auth_config: AuthConfig):
   def exchange_auth_token(
       self,
   ) -> AuthCredential:
-    return OAuth2CredentialFetcher(
-        self.auth_config.auth_scheme, self.auth_config.exchanged_auth_credential
-    ).exchange()
+    exchanger = OAuth2CredentialExchanger()
+    return exchanger.exchange(
+        self.auth_config.exchanged_auth_credential, self.auth_config.auth_scheme
+    )
 
   def parse_and_store_auth_response(self, state: State) -> None:
 
 
@@ -19,12 +19,12 @@
 from typing import Optional
 
 from ...tools.tool_context import ToolContext
-from ...utils.feature_decorator import working_in_progress
+from ...utils.feature_decorator import experimental
 from ..auth_credential import AuthCredential
 from ..auth_tool import AuthConfig
 
 
-@working_in_progress("Implementation are in progress. Don't use it for now.")
+@experimental
 class BaseCredentialService(ABC):
   """Abstract class for Service that loads / saves tool credentials from / to
   the backend credential store."""
 
@@ -0,0 +1,93 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import annotations
+
+from typing import Optional
+
+from typing_extensions import override
+
+from ...tools.tool_context import ToolContext
+from ...utils.feature_decorator import experimental
+from ..auth_credential import AuthCredential
+from ..auth_tool import AuthConfig
+from .base_credential_service import BaseCredentialService
+
+
+@experimental
+class InMemoryCredentialService(BaseCredentialService):
+  """Class for in memory implementation of credential service(Experimental)"""
+
+  def __init__(self):
+    super().__init__()
+    self._store: dict[str, AuthCredential] = {}
+
+  @override
+  async def load_credential(
+      self,
+      auth_config: AuthConfig,
+      tool_context: ToolContext,
+  ) -> Optional[AuthCredential]:
+    """
+    Loads the credential by auth config and current tool context from the
+    backend credential store.
+
+    Args:
+        auth_config: The auth config which contains the auth scheme and auth
+        credential information. auth_config.get_credential_key will be used to
+        build the key to load the credential.
+
+        tool_context: The context of the current invocation when the tool is
+        trying to load the credential.
+
+    Returns:
+        Optional[AuthCredential]: the credential saved in the store.
+
+    """
+    storage = self._get_storage_for_current_context(tool_context)
+    return storage.get(auth_config.credential_key)
+
+  @override
+  async def save_credential(
+      self,
+      auth_config: AuthConfig,
+      tool_context: ToolContext,
+  ) -> None:
+    """
+    Saves the exchanged_auth_credential in auth config to the backend credential
+    store.
+
+    Args:
+        auth_config: The auth config which contains the auth scheme and auth
+        credential information. auth_config.get_credential_key will be used to
+        build the key to save the credential.
+
+        tool_context: The context of the current invocation when the tool is
+        trying to save the credential.
+
+    Returns:
+        None
+    """
+    storage = self._get_storage_for_current_context(tool_context)
+    storage[auth_config.credential_key] = auth_config.exchanged_auth_credential
+
+  def _get_storage_for_current_context(self, tool_context: ToolContext) -> str:
+    app_name = tool_context._invocation_context.app_name
+    user_id = tool_context._invocation_context.user_id
+
+    if app_name not in self._store:
+      self._store[app_name] = {}
+    if user_id not in self._store[app_name]:
+      self._store[app_name][user_id] = {}
+    return self._store[app_name][user_id]
@@ -0,0 +1,23 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Credential exchanger module."""
+
+from .base_credential_exchanger import BaseCredentialExchanger
+from .service_account_credential_exchanger import ServiceAccountCredentialExchanger
+
+__all__ = [
+    "BaseCredentialExchanger",
+    "ServiceAccountCredentialExchanger",
+]
@@ -0,0 +1,49 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Base credential exchanger interface."""
+
+from __future__ import annotations
+
+import abc
+from typing import Optional
+
+from ...utils.feature_decorator import experimental
+from ..auth_credential import AuthCredential
+from ..auth_schemes import AuthScheme
+
+
+@experimental
+class BaseCredentialExchanger(abc.ABC):
+  """Base interface for credential exchangers."""
+
+  @abc.abstractmethod
+  def exchange(
+      self,
+      auth_credential: AuthCredential,
+      auth_scheme: Optional[AuthScheme] = None,
+  ) -> AuthCredential:
+    """Exchange credential if needed.
+
+    Args:
+        auth_credential: The credential to exchange.
+        auth_scheme: The authentication scheme (optional, some exchangers don't need it).
+
+    Returns:
+        The exchanged credential.
+
+    Raises:
+        ValueError: If credential exchange fails.
+    """
+    pass
@@ -0,0 +1,58 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Credential exchanger registry."""
+
+from __future__ import annotations
+
+from typing import Dict
+from typing import Optional
+
+from ...utils.feature_decorator import experimental
+from ..auth_credential import AuthCredentialTypes
+from .base_credential_exchanger import BaseCredentialExchanger
+
+
+@experimental
+class CredentialExchangerRegistry:
+  """Registry for credential exchanger instances."""
+
+  def __init__(self):
+    self._exchangers: Dict[AuthCredentialTypes, BaseCredentialExchanger] = {}
+
+  def register(
+      self,
+      credential_type: AuthCredentialTypes,
+      exchanger_instance: BaseCredentialExchanger,
+  ) -> None:
+    """Register an exchanger instance for a credential type.
+
+    Args:
+        credential_type: The credential type to register for.
+        exchanger_instance: The exchanger instance to register.
+    """
+    self._exchangers[credential_type] = exchanger_instance
+
+  def get_exchanger(
+      self, credential_type: AuthCredentialTypes
+  ) -> Optional[BaseCredentialExchanger]:
+    """Get the exchanger instance for a credential type.
+
+    Args:
+        credential_type: The credential type to get exchanger for.
+
+    Returns:
+        The exchanger instance if registered, None otherwise.
+    """
+    return self._exchangers.get(credential_type)
@@ -0,0 +1,90 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""OAuth2 credential exchanger implementation."""
+
+from __future__ import annotations
+
+import logging
+from typing import Optional
+
+from google.adk.auth.auth_credential import AuthCredential
+from google.adk.auth.auth_schemes import AuthScheme
+from google.adk.auth.auth_schemes import OAuthGrantType
+from google.adk.auth.oauth2_session_helper import OAuth2SessionHelper
+from google.adk.utils.feature_decorator import experimental
+
+from .base_credential_exchanger import BaseCredentialExchanger
+
+try:
+  from authlib.integrations.requests_client import OAuth2Session
+
+  AUTHLIB_AVIALABLE = True
+except ImportError:
+  AUTHLIB_AVIALABLE = False
+
+logger = logging.getLogger("google_adk." + __name__)
+
+
+@experimental
+class OAuth2CredentialExchanger(BaseCredentialExchanger):
+  """Exchanges OAuth2 credentials from authorization responses."""
+
+  def exchange(
+      self,
+      auth_credential: AuthCredential,
+      auth_scheme: Optional[AuthScheme] = None,
+  ) -> AuthCredential:
+    """Exchange OAuth2 credential from authorization response.
+
+    Args:
+        auth_credential: The OAuth2 credential to exchange.
+        auth_scheme: The OAuth2 authentication scheme.
+
+    Returns:
+        The exchanged credential with access token.
+
+    Raises:
+        ValueError: If credential exchange fails or auth_scheme is missing.
+    """
+    if not auth_scheme:
+      raise ValueError("auth_scheme is required for OAuth2 credential exchange")
+
+    if not AUTHLIB_AVIALABLE:
+      return auth_credential
+
+    if auth_credential.oauth2 and auth_credential.oauth2.access_token:
+      return auth_credential
+
+    helper = OAuth2SessionHelper(auth_scheme, auth_credential)
+    client, token_endpoint = helper.create_oauth2_session()
+    if not client:
+      logger.warning("Could not create OAuth2 session for token exchange")
+      return auth_credential
+
+    try:
+      tokens = client.fetch_token(
+          token_endpoint,
+          authorization_response=auth_credential.oauth2.auth_response_uri,
+          code=auth_credential.oauth2.auth_code,
+          grant_type=OAuthGrantType.AUTHORIZATION_CODE,
+      )
+      helper.update_credential_with_tokens(tokens)
+      logger.info("Successfully exchanged OAuth2 tokens")
+    except Exception as e:
+      logger.error("Failed to exchange OAuth2 tokens: %s", e)
+      # Return original credential on failure
+      return auth_credential
+
+    return auth_credential