Need help creating ApplicationIntegrationToolset with OAuth2.0

[maheshwaritanay]

We want to create an agent that can fetch issues from JIRA but before calling the tool user needs to authenticate/authorize. Once the access token is received it should be refreshed with a TTL of 8hours.

We have setup integration connector but are facing issue when using OAuth. Steps followed so far-

1. created a JIRA app in atlassian developer console
2. Collected clientID and secret
3. Configured redirect uri to http://127.0.0.1:8000/dev-ui/ since we are testing on ADK web UI currently
4. Following is the code as per https://google.github.io/adk-docs/tools/google-cloud/application-integration/#create-an-application-integration-toolset -

connection_name = os.getenv("CONNECTION_NAME", "agent-connector-jira")
connection_project = os.getenv("CONNECTION_PROJECT", "")
connection_location = os.getenv("CONNECTION_LOCATION", "us-east4")

jira_oauth2_config = {
    "type": "oauth2",
    "flows": {
        "authorizationCode": {
            "authorizationUrl": "https://auth.atlassian.com/authorize",
            "tokenUrl": "https://auth.atlassian.com/oauth/token",
            "scopes": {
                "read:jira-work": "Read Jira project and issue data",
                "write:jira-work": "Create and edit Jira issues",
                "read:jira-user": "Read user information",
                "offline_access": "Maintain access to data"
            },
        }
    },
}

# Convert to auth scheme
oauth_scheme = dict_to_auth_scheme(jira_oauth2_config)

# Create auth credential with your Jira OAuth app credentials
auth_credential = AuthCredential(
    auth_type=AuthCredentialTypes.OAUTH2,
    oauth2=OAuth2Auth(
        client_id="",      # From Atlassian Developer Console
        client_secret="", # From Atlassian Developer Console
    ),
)

jira_toolset = ApplicationIntegrationToolset(
    project=connection_project,
    location=connection_location,
    connection=connection_name,
    entity_operations={"Issues": [], "Projects": []},
    tool_name_prefix="jira_issue_manager",
    auth_scheme=oauth_scheme,
    auth_credential=auth_credential
)

root_agent = LlmAgent(
    model="gemini-2.5-pro",
    name="Issue_Management_Agent",
    instruction="""
    You are an agent that helps manage issues in a Jira.
    """,
    tools=[jira_toolset],
)

app = App(
    name="poc_agent_connectors",
    root_agent=root_agent
)

Behavior observed

1. When first request to access tool goes we get an agent message saying "I am sorry, but I need your authorization to access your data. Please authorize me to proceed."
2. Events chain is as follows - UserQuery -> call JiraTool -> adk_request_credential(long running) -> response jiraTool
3. At this point it was not clear how to proceed but after digging around I found authUri in functionCall.args.authConfig.exchangedAuthCredential.oauth2.authUri
4. I just opened it in a separate tab, it prompted me for consent.
5. After granting consent i got an error page
6. But the subsequent query to the Jira tool in adk web UI worked. I could still see the long running tool call for request credential
7. However, when I tried to query next time the tool call got stuck.

Questions

1. I dont think the behavior I observed was intended but I am also not able to find a way to make it work. It would be great if someone could tell me what needs to be fixed in my workflow
2. Need help understanding how to refresh tokens lets say the above works
3. Finally, we are using agent engine for deployment. How would this credential exchange work there

adk version - 1.21.0
WebUI- adk-web
OAuth provider- Atlassian with microsoft login

[wuliang229]

@seanzhougoogle can you take a look and provide some guidance?