Clarification Needed: OAuth2 Authorization Code Flow Requirements for MCP Server Integration

[priyayarrabolu-boop]

Hi team,

I’m working on integrating a third-party MCP server with the Google Agent Development Kit (ADK) and would like clarification on the exact OAuth2 setup required for Authorization Code flow.

Project Setup

• ADK agent integration with MCP server
• ADK agent deployed in Vertex AI Agent Engine
• Agent registered in Gemini Enterprise
• Tools config includes auth.oauth2 with authorization and token URLs

Problem

It’s unclear from the current documentation and GitHub discussions whether ADK supports fully automatic OAuth2 authorization-code handling, or if developers must still implement the full client-side OAuth2 callback flow in their MCP servers.

The following discussions/PRs suggest that ADK handles OAuth2 partially, but do not confirm end-to-end support for the Authorization Code flow:

• [Question] MCP tools with auth #2184
• Oauth2 Flow conflict with MCPToolSet discovery of tools #2116
• [Question] MCP tools with auth #2192
• PR MCPToolset: Add OAuth2 Client Credentials Flow with RFC 8414 Compliant Discovery #2061

From my testing:

• ADK can detect that a tool requires OAuth2
• ADK does not present an authorization URL in the ADK Web UI
• No redirect flow is initiated
• No access token is received
• It appears that ADK still expects a client-side redirect URL (/oauth/callback) and code→token exchange to be implemented manually

Key Questions

Could you please clarify:

1. Does ADK support fully automatic OAuth2 Authorization Code flow?

   • i.e., generating the authorization URL, handling the redirect, and exchanging the code for tokens without requiring a custom callback endpoint?

2. Or must developers still implement the full client-side OAuth2 callback flow
   including:

   • hosting the redirect URL
   • building /oauth/callback
   • doing the code→token exchange
   • passing the resulting token into ADK?

3. If the client-side callback is required, could you provide or point to an official end-to-end example that shows how this should be implemented for use with ADK + Vertex AI Agent Engine + Gemini Enterprise?

Any concrete guidance would be greatly appreciated.

Thank you!

[seanzhou1023]

ADK web already supports the callback.

if you want to implement the callback yourself, please follow https://google.github.io/adk-docs/tools-custom/authentication/#2-handling-the-interactive-oauthoidc-flow-client-side

[seanzhou1023]

I think Agent Engine doesn't support ADK web yet, so you have to handle the callback yourself.

[hasanali-aa]

Agent engine doesn't support the callback, but what about Gemini Enterprise? It seems to have some kind of Authorization implementation with popups for users, but it's unclear how to handle this. My attempts to implement the callback in code cause crashes from various sources

[guilmour]

I think Agent Engine doesn't support ADK web yet, so you have to handle the callback yourself.

How can I create the callback using the adk web?

I did try to follow https://google.github.io/adk-docs/tools-custom/authentication/#2-handling-the-interactive-oauthoidc-flow-client-side, but i can't access the event loop of ADK Web...

Am I missing something?