fix(toolbox-adk): prevent swallowed exceptions in auth flows

anubhav756 · anubhav756 · commit 4f5cedb999f4 · 2025-12-12T21:16:21.000+05:30
Adds warnings with stack traces when ADC or 3LO auth fails unpredictably. Enforces strict exception checking in integration tests.
diff --git a/packages/toolbox-adk/src/toolbox_adk/client.py b/packages/toolbox-adk/src/toolbox_adk/client.py
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import logging
 from contextvars import ContextVar
 from typing import Any, Awaitable, Callable, Dict, Optional, Union
 
@@ -118,8 +119,12 @@ def get_token() -> str:
             try:
                 token = id_token.fetch_id_token(request, audience)
                 return f"Bearer {token}"
-            except Exception:
+            except Exception as e:
                 # Fallback to default credentials
+                logging.warning(
+                    f"Failed to fetch ID token for audience {audience} using ADC: {e}. "
+                    "Falling back to google.auth.default()."
+                )
                 creds, _ = google.auth.default()
                 if not creds.valid:
                     creds.refresh(request)
diff --git a/packages/toolbox-adk/src/toolbox_adk/tool.py b/packages/toolbox-adk/src/toolbox_adk/tool.py
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import logging
 from typing import Any, Awaitable, Callable, Dict, Optional, cast
 
 import toolbox_core
@@ -146,6 +147,12 @@ async def run_async(
                 ctx.error = e
                 if "credential" in str(e).lower() or isinstance(e, ValueError):
                     raise e
+                
+                logging.warning(
+                    f"Unexpected error in get_auth_response during 3LO retrieval: {e}. "
+                    "Falling back to request_credential.",
+                    exc_info=True
+                )
                 # Fallback to request logic
                 ctx_any = cast(Any, tool_context)
                 ctx_any.request_credential(auth_config_adk)
diff --git a/packages/toolbox-adk/tests/integration/test_integration.py b/packages/toolbox-adk/tests/integration/test_integration.py
@@ -159,6 +159,8 @@ async def test_3lo_flow_simulation(self):
                 # If it fails, strictly it's likely a 401 or similar from the backend interactions.
                 # This confirms the wrapper proceeded to call the backend and did NOT request credentials again.
                 mock_ctx_second.request_credential.assert_not_called()
+                err_msg = str(e).lower()
+                assert any(x in err_msg for x in ["401", "403", "unauthorized", "forbidden"]), f"Caught UNEXPECTED exception: {type(e).__name__}: {e}"
                 print(f"Caught expected server exception with fake token: {e}")
 
         finally:
