Fix inventory sync to support service account authentication #570
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The inventory sync endpoint was hardcoded to only accept OAuth refresh tokens, causing failures for tenants configured with service account authentication. **Problem:** - `sync_inventory()` endpoint checked for `gam_refresh_token` only - Weather tenant has valid service account credentials but sync failed - Error: "GAM not configured for this tenant" **Solution:** - Detect auth method from `adapter_config.gam_auth_method` field - Support both OAuth and service account authentication paths - Decrypt and use `gam_service_account_json` for service accounts - Fall back to inferring auth method for backward compatibility **Changes:** - Modified `src/admin/blueprints/inventory.py:405-472` - Added service account credential handling - Removed hard requirement for refresh token - Uses `decrypt_api_key()` to decrypt service account JSON **Tested:** - Weather tenant has service account properly configured - Fix enables inventory sync for service account tenants 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
…ith better error message
kmoegling-scope3
added a commit
to kmoegling-scope3/salesagent
that referenced
this pull request
Oct 23, 2025
PR adcontextprotocol#570 was merged but inventory sync still fails for service account authentication with error: 'Credentials' object has no attribute 'CreateHttpHeader' Root Cause: - google.oauth2.service_account.Credentials lacks CreateHttpHeader method - AdManagerClient requires 2-arg signature: (credentials, network_code) - OAuth clients use 3-arg signature: (oauth_client, app_name, network_code=...) Solution: - Service account path (line 576): Use 2-argument signature - OAuth path (line 596): Unchanged, uses 3-argument signature - Matches GAM health check pattern (src/adapters/gam/utils/health_check.py:86) Testing: - Service account tenants: inventory sync now works - OAuth tenants: unchanged, continues to work Fixes adcontextprotocol#570
bokelley
pushed a commit
that referenced
this pull request
Oct 23, 2025
PR #570 was merged but inventory sync still fails for service account authentication with error: 'Credentials' object has no attribute 'CreateHttpHeader' Root Cause: - google.oauth2.service_account.Credentials lacks CreateHttpHeader method - AdManagerClient requires 2-arg signature: (credentials, network_code) - OAuth clients use 3-arg signature: (oauth_client, app_name, network_code=...) Solution: - Service account path (line 576): Use 2-argument signature - OAuth path (line 596): Unchanged, uses 3-argument signature - Matches GAM health check pattern (src/adapters/gam/utils/health_check.py:86) Testing: - Service account tenants: inventory sync now works - OAuth tenants: unchanged, continues to work Fixes #570
EmmaLouise2018
pushed a commit
that referenced
this pull request
Oct 24, 2025
EmmaLouise2018
pushed a commit
that referenced
this pull request
Oct 24, 2025
PR #570 was merged but inventory sync still fails for service account authentication with error: 'Credentials' object has no attribute 'CreateHttpHeader' Root Cause: - google.oauth2.service_account.Credentials lacks CreateHttpHeader method - AdManagerClient requires 2-arg signature: (credentials, network_code) - OAuth clients use 3-arg signature: (oauth_client, app_name, network_code=...) Solution: - Service account path (line 576): Use 2-argument signature - OAuth path (line 596): Unchanged, uses 3-argument signature - Matches GAM health check pattern (src/adapters/gam/utils/health_check.py:86) Testing: - Service account tenants: inventory sync now works - OAuth tenants: unchanged, continues to work Fixes #570
danf-newton
pushed a commit
to Newton-Research-Inc/salesagent
that referenced
this pull request
Nov 24, 2025
danf-newton
pushed a commit
to Newton-Research-Inc/salesagent
that referenced
this pull request
Nov 24, 2025
…ntextprotocol#571) PR adcontextprotocol#570 was merged but inventory sync still fails for service account authentication with error: 'Credentials' object has no attribute 'CreateHttpHeader' Root Cause: - google.oauth2.service_account.Credentials lacks CreateHttpHeader method - AdManagerClient requires 2-arg signature: (credentials, network_code) - OAuth clients use 3-arg signature: (oauth_client, app_name, network_code=...) Solution: - Service account path (line 576): Use 2-argument signature - OAuth path (line 596): Unchanged, uses 3-argument signature - Matches GAM health check pattern (src/adapters/gam/utils/health_check.py:86) Testing: - Service account tenants: inventory sync now works - OAuth tenants: unchanged, continues to work Fixes adcontextprotocol#570
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
The inventory sync endpoint was failing for tenants configured with service account authentication (like the
weathertenant). The endpoint was hardcoded to only accept OAuth refresh tokens.Error seen:
Root cause:
sync_inventory()endpoint atsrc/admin/blueprints/inventory.py:405checked forgam_refresh_tokenonlyadapter_config.gam_service_account_jsonSolution
Modified the inventory sync endpoint to support both OAuth and service account authentication:
adapter_config.gam_auth_methodfield (or infer from available credentials)gam_service_account_jsonand create service account credentialsChanges
src/admin/blueprints/inventory.py:405-472decrypt_api_key()gam_refresh_tokenTesting
gam_service_account_jsonfield is populated and encryptedgam_auth_methodfield is set toservice_accountRelates to
🤖 Generated with Claude Code