feat(core): add google credentials provider for remote agents

[adamfweidman]

Summary

Adds a GoogleCredentialsAuthProvider for remote agent authentication using Google Application Default Credentials (ADC). Supports both access tokens (for *.googleapis.com) and identity tokens (for *.run.app).

Details

• Implements GoogleCredentialsAuthProvider using google-auth-library to automatically discover and use ADC.
• Automatically selects access tokens vs identity tokens based on the target endpoint hostname.
• Adds google-credentials auth type to the frontmatter Zod schema and discriminated union.
• Replaces the ad-hoc ADCHandler in remote-invocation.ts with the new provider via the auth factory pattern.
• Caches both access tokens and ID tokens consistently, with proper cache invalidation on 401/403 retries.
• Adds targetUrl to CreateAuthProviderOptions for hostname-based token type decisions.

Related Issues

Fixes #17664

How to Validate

Run unit tests for the core package:

npm test -w @google/gemini-cli-core -- src/agents/auth-provider/google-credentials-provider.test.ts

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run

[gemini-cli]

Hi there! Thank you for your contribution to Gemini CLI.

To improve our contribution process and better track changes, we now require all pull requests to be associated with an existing issue, as announced in our recent discussion and as detailed in our CONTRIBUTING.md.

This pull request is being closed because it is not currently linked to an issue. Once you have updated the description of this PR to link an issue (e.g., by adding Fixes #123 or Related to #123), it will be automatically reopened.

How to link an issue:
Add a keyword followed by the issue number (e.g., Fixes #123) in the description of your pull request. For more details on supported keywords and how linking works, please refer to the GitHub Documentation on linking pull requests to issues.

Thank you for your understanding and for being a part of our community!

[gemini-cli]

Hi @adamfweidman, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this.

We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines.

Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed.

Thank you for your understanding and for being a part of our community!

[github-actions]

Size Change: +4.76 kB (+0.02%)

Total Size: 26.6 MB

Filename	Size	Change
./bundle/gemini.js	26.1 MB	+4.76 kB (+0.02%)

ℹ️ View Unchanged

Filename	Size
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	221 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	227 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	11.5 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB
./bundle/sandbox-macos-strict-open.sb	4.82 kB
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB

_{compressed-size-action}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the authentication capabilities for remote agents by introducing a dedicated Google Credentials provider. This change allows agents to leverage Google Application Default Credentials for seamless authentication, automatically handling the complexities of obtaining both access and identity tokens based on the target service. The integration into the existing authentication factory and schema ensures a consistent and extensible approach to securing remote agent interactions.

Highlights

• New Google Credentials Provider: Introduced a GoogleCredentialsAuthProvider to enable remote agent authentication using Google Application Default Credentials (ADC).
• Flexible Token Handling: The new provider automatically determines whether to fetch Google Access Tokens (for *.googleapis.com) or Identity Tokens (for *.run.app and *.luci.app) based on the target endpoint's hostname.
• Schema Integration: Added google-credentials as a new authentication type to the frontmatter Zod schema, allowing agents to declare this authentication method.
• Refactored Authentication: Replaced the ad-hoc ADCHandler in remote-invocation.ts with the new GoogleCredentialsAuthProvider via the existing authentication factory pattern, centralizing authentication logic.
• Robust Token Caching: Implemented consistent caching for both access and identity tokens, with automatic invalidation and re-fetching upon receiving 401/403 authentication errors.
• Target URL for Token Audience: Added a targetUrl option to CreateAuthProviderOptions to provide the necessary context for the GoogleCredentialsAuthProvider to decide the appropriate token type and audience.

Changelog

• packages/core/src/agents/agentLoader.ts
  • Updated agent authentication configuration to include 'google-credentials' type and its schema, and adjusted scope property placement.
  • Added a new Zod schema for Google Credentials authentication.
  • Integrated the new Google Credentials schema into the main authentication configuration union.
  • Implemented conversion logic for the new 'google-credentials' authentication type.
• packages/core/src/agents/auth-provider/factory.ts
  • Introduced GoogleCredentialsAuthProvider to the authentication factory.
  • Added targetUrl to CreateAuthProviderOptions to support hostname-based token type decisions.
  • Implemented the creation and initialization logic for the google-credentials authentication provider.
• packages/core/src/agents/auth-provider/google-credentials-provider.test.ts
  • Added unit tests for the new GoogleCredentialsAuthProvider covering initialization, token fetching, caching, and retry logic.
• packages/core/src/agents/auth-provider/google-credentials-provider.ts
  • Implemented the GoogleCredentialsAuthProvider class, providing logic for Google Application Default Credentials, token type selection, caching, and retry mechanisms.
• packages/core/src/agents/registry.test.ts
  • Updated agent registry tests to pass targetUrl when creating authentication providers.
• packages/core/src/agents/registry.ts
  • Modified agent registry to pass agentCardUrl as targetUrl when creating authentication providers.
• packages/core/src/agents/remote-invocation.test.ts
  • Updated remote invocation tests to pass targetUrl when creating authentication providers.
• packages/core/src/agents/remote-invocation.ts
  • Removed the deprecated ADCHandler class.
  • Removed the GoogleAuth import no longer needed in this file.
  • Updated remote invocation to use the new authentication factory with targetUrl.

Activity

• The author, adamfweidman, has added/updated tests for the changes.
• The changes have been validated on MacOS.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[adamfweidman]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a GoogleCredentialsAuthProvider to handle authentication for remote agents using Google's Application Default Credentials (ADC). This new provider replaces the existing ADCHandler and adds support for automatically selecting between access tokens and identity tokens based on the target service's hostname. The implementation includes token caching with expiry and a retry mechanism for authentication failures. The necessary changes to the agent definition schemas, auth provider factory, and agent loading logic have been made to integrate this new provider. The changes are accompanied by a comprehensive set of unit tests for the new provider. I have reviewed the changes and found no issues of high or critical severity.

[gemini-code-assist]

Code Review

The pull request successfully introduces the GoogleCredentialsAuthProvider to handle authentication for remote agents using Google Application Default Credentials (ADC). The implementation correctly distinguishes between access tokens and identity tokens based on the target URL, incorporates caching with proper invalidation, and includes retry logic for authentication failures. The refactoring to replace the ad-hoc ADCHandler with the new provider via the authentication factory pattern is a positive change, centralizing authentication logic. The new test file google-credentials-provider.test.ts provides good coverage for the added functionality. Overall, the changes enhance the authentication capabilities for remote agents in a robust and maintainable way.