How to keep user credential across different session?

[hsuyuming]

Hi All,
When I use OAUTH2 credentials with OpenAPITool, it seems the credentials are stored in the Session's State and the credential store within ToolContext. This means that if the same user creates a new session, they need to go through the Oauth flow again. Is there a way to prevent this?

[adk-bot]

Response from ADK Answering Agent (experimental, answer may be inaccurate)

TLDR: To persist user credentials across different sessions, you should store the OAuth2 credentials in the tool_context.state using the user: prefix. This makes the credentials available for that specific user in any new session they start.

---

Hi @hsuyuming,

That's a great question. You can definitely persist user credentials across sessions in the ADK. Here's a breakdown of how it works and how you can implement it:

Using Session State for Credential Caching

The Agent Development Kit (ADK) provides a tool_context.state dictionary that allows you to store and retrieve information within and across sessions. [2] To make data persist for a specific user across all of their sessions, you need to use the user: prefix in your state key. [2]

Here is the recommended flow to manage credentials in your tool:

1. Check for Cached Credentials: Before initiating a new OAuth flow, check if the credentials already exist in the session state. Use a unique key with the user: prefix, for example, user:my_api_credential. [4]

2. Initiate OAuth Flow if Necessary: If the credentials are not found in the state, then you should proceed with the regular OAuth flow to get new credentials by using tool_context.request_credential(). [4]

3. Cache the New Credentials: Once the user has authenticated and you've received the new credentials, you should save them to the tool_context.state with the user: prefix. This will ensure they are available for the next session. [4]

Example Implementation

Here’s a simplified code example of how you might implement this logic within your tool:

import json
from google.adk.tools import ToolContext
from google.oauth2.credentials import Credentials

TOKEN_CACHE_KEY = "user:my_api_credential"  # Use the 'user:' prefix

def my_tool_function(tool_context: ToolContext):
    cached_creds_json = tool_context.state.get(TOKEN_CACHE_KEY)

    if cached_creds_json:
        creds = Credentials.from_authorized_user_info(json.loads(cached_creds_json))
        # You might want to add logic here to check if the token is expired and refresh it
        # ... use the credentials ...
        return {"status": "Success using cached credentials"}
    else:
        # Credentials not found, so we need to start the auth flow
        # This part of the logic will depend on how you've set up your AuthConfig
        # For example:
        # tool_context.request_credential(MY_API_AUTH_CONFIG)
        # After the flow, you would get the credentials and cache them.
        
        # Example of caching after getting new credentials:
        # new_creds = ... # get new credentials from the auth flow
        # tool_context.state[TOKEN_CACHE_KEY] = new_creds.to_json()
        return {"status": "Authentication required"}

By following this pattern, you can avoid asking the user to re-authenticate every time they start a new session, creating a much smoother user experience.

Let me know if you have any other questions!

[hsuyuming]

The answer from bot is not what i am looking for, I am looking for OpenAPITool with OAuth schema & credential's use case solution

[hsuyuming]

I believe I’ve found the answer. There is a new component called InMemoryCredentialService [1] , which stores credentials by user instead of by session.

{
        <app_name> : {
            <user_id>: {
              "credential1": "foo",
              "credential2": "bar"
            }
        }
    }

[1]

adk-python/src/google/adk/auth/credential_service/in_memory_credential_service.py

Line 29 in 7975e8e

class InMemoryCredentialService(BaseCredentialService):