fix(oauth): remove redundant client_id from token exchange request body

joar · joar · commit d2f5b6040648 · 2026-03-10T17:39:31.000+01:00
Authlib's OAuth2Session already handles client_id placement for all token_endpoint_auth_method values (client_secret_basic puts it in the Authorization header, client_secret_post and none put it in the body). Passing client_id as a kwarg to fetch_token causes it to be added to the POST body unconditionally via prepare_token_request, in addition to whatever the auth method does. This breaks providers like Slack that infer auth method from the presence of client_id in the body, and causes duplicate client_id for client_secret_post. Partially reverts f273517 (PR #2805), which was based on a misreading of RFC 6749 §4.1.3 — client_id in the body is only REQUIRED "if the client is not authenticating with the authorization server as described in Section 3.2.1." Made-with: Cursor
diff --git a/src/google/adk/auth/exchanger/oauth2_credential_exchanger.py b/src/google/adk/auth/exchanger/oauth2_credential_exchanger.py
@@ -193,14 +193,17 @@ async def _exchange_authorization_code(
       return ExchangeResult(auth_credential, False)
 
     try:
+      # Do not pass client_id here; the OAuth2Session already handles its
+      # placement based on token_endpoint_auth_method (e.g. in the
+      # Authorization header for client_secret_basic, or in the body for
+      # client_secret_post and public clients).
       tokens = client.fetch_token(
           token_endpoint,
           authorization_response=self._normalize_auth_uri(
               auth_credential.oauth2.auth_response_uri
           ),
           code=auth_credential.oauth2.auth_code,
           grant_type=OAuthGrantType.AUTHORIZATION_CODE,
-          client_id=auth_credential.oauth2.client_id,
       )
       update_credential_with_tokens(auth_credential, tokens)
       logger.debug("Successfully exchanged authorization code for access token")
diff --git a/tests/unittests/auth/exchanger/test_oauth2_credential_exchanger.py b/tests/unittests/auth/exchanger/test_oauth2_credential_exchanger.py
@@ -343,7 +343,6 @@ async def test_exchange_normalize_uri(self, mock_oauth2_session):
         authorization_response="https://example.com/callback?code=auth_code",  # Normalized URI
         code="auth_code",
         grant_type=OAuthGrantType.AUTHORIZATION_CODE,
-        client_id="test_client_id",
     )
 
   async def test_determine_grant_type_client_credentials(self):

Original file line number	Diff line number	Diff line change
`@@ -343,7 +343,6 @@ async def test_exchange_normalize_uri(self, mock_oauth2_session):`
`343`	`343`	`authorization_response="https://example.com/callback?code=auth_code", # Normalized URI`
`344`	`344`	`code="auth_code",`
`345`	`345`	`grant_type=OAuthGrantType.AUTHORIZATION_CODE,`
`346`		`- client_id="test_client_id",`
`347`	`346`	`)`
`348`	`347`
`349`	`348`	`async def test_determine_grant_type_client_credentials(self):`