Skip to content

feat(openapitoolset): add OpenAPI specification toolset #451

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cpunion wants to merge 13 commits into
base: main
Choose a base branch
from
Open

feat(openapitoolset): add OpenAPI specification toolset #451

cpunion wants to merge 13 commits into from
+6,891 −11

Conversation

@cpunion
Copy link

@cpunion cpunion commented Dec 31, 2025
edited
Loading

Base on:
#455 feat(auth): add OAuth2/OIDC authentication package
#457 Feature/auth flow

  • Add openapitoolset package for generating tools from OpenAPI specs
  • Support JSON and YAML spec formats
  • Add RestApiTool with OAuth2, API key, and HTTP auth support
  • Add parser for operations, parameters, and request bodies
  • Add unit tests for parser, toolset, and rest_api_tool

@cpunion
feat(auth): add OAuth2/OIDC authentication package
ad17675 
- Add AuthConfig, AuthCredential, AuthScheme types
- Add AuthHandler for OAuth2 flow orchestration
- Add CredentialManager and CredentialService for token management
- Add OAuth2 token exchange helpers
- Add unit tests for auth package
@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Dec 31, 2025

Summary of Changes

Hello @cpunion, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the system's ability to interact with external APIs by introducing a dedicated toolset for OpenAPI specifications. It allows developers to define API interactions using standard OpenAPI documents, which are then automatically converted into executable tools. This streamlines the process of integrating new services and ensures consistent API consumption patterns, complete with flexible authentication mechanisms.

Highlights

  • New OpenAPI Toolset Package: Introduces a new openapitoolset package for generating tools directly from OpenAPI specifications.
  • OpenAPI Specification Parsing: Adds robust parsing capabilities for OpenAPI specifications, supporting both JSON and YAML formats to extract API operations, parameters, request bodies, and responses.
  • RestApiTool Implementation: Includes a RestApiTool that can execute REST API calls based on parsed OpenAPI operations, handling URL construction, request bodies, and response processing.
  • Authentication Support: The RestApiTool supports various authentication schemes including OAuth2, API Key, and HTTP Basic/Bearer authentication, with a shared credential service for persistent token storage.
  • Comprehensive Unit Tests: New unit tests have been added for the parser, the RestApiTool, and the overall toolset creation and configuration, ensuring reliability and correctness.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Dec 31, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a new toolset for generating tools from OpenAPI specifications. The implementation covers parsing the spec, creating RestApiTool instances, and handling various authentication schemes. The code is well-structured and includes a good set of unit tests. I've identified a few areas for improvement, including a correctness issue in parameter parsing, a missing feature in authentication handling, and a misleading function signature. Overall, this is a great addition.

tool/openapitoolset/parser.go
Comment on lines +172 to +182
var params []Parameter

// Parse path-level parameters
if pathParams, ok := pathItem["parameters"].([]any); ok {
params = append(params, parseParameterList(pathParams)...)
}

// Parse operation-level parameters (override path-level)
if opParams, ok := op["parameters"].([]any); ok {
params = append(params, parseParameterList(opParams)...)
}
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Dec 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The current implementation appends both path-level and operation-level parameters. According to the OpenAPI specification, parameters defined at the operation level should override any parameters with the same name and location (in) defined at the path level. Simply appending them can lead to duplicate parameters and incorrect API requests.

To fix this, you can use a map to collect parameters, which will naturally handle the overriding, and then convert the map back to a slice.

paramMap := make(map[string]Parameter)

	// Parse path-level parameters
	if pathParams, ok := pathItem["parameters"].([]any); ok {
		for _, p := range parseParameterList(pathParams) {
			paramMap[p.Name+":"+p.In] = p
		}
	}

	// Parse operation-level parameters (overrides path-level)
	if opParams, ok := op["parameters"].([]any); ok {
		for _, p := range parseParameterList(opParams) {
			paramMap[p.Name+":"+p.In] = p
		}
	}

	params := make([]Parameter, 0, len(paramMap))
	for _, p := range paramMap {
		params = append(params, p)
	}

tool/openapitoolset/parser.go
Comment on lines +107 to +110
parsed, err := parseOperation(path, method, op, baseURL, pathItemMap)
if err != nil {
continue // Skip invalid operations
}
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Dec 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The parseOperation function is declared to return an error, but it never actually returns one. This makes the error handling here redundant and the function's signature misleading. Since the parsing logic is very lenient and designed to skip invalid parts rather than fail, it would be clearer to remove the error return type from parseOperation altogether.

This would also require changing the signature of parseOperation on line 121 and its return statement on line 156.

Suggested change
parsed, err := parseOperation(path, method, op, baseURL, pathItemMap)
if err != nil {
continue // Skip invalid operations
}
parsed := parseOperation(path, method, op, baseURL, pathItemMap)

tool/openapitoolset/rest_api_tool.go
Comment on lines +316 to +331
case auth.AuthCredentialTypeAPIKey:
if t.authCredential.APIKey != "" && t.authScheme != nil {
if apiKeyScheme, ok := t.authScheme.(*auth.APIKeyScheme); ok {
switch apiKeyScheme.In {
case auth.APIKeyInHeader:
headers[apiKeyScheme.Name] = t.authCredential.APIKey
}
}
}
}
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Dec 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The current implementation for API key authentication only supports placing the key in the request header. The OpenAPI specification also allows API keys to be passed in query parameters (in: query). This functionality is missing.

To add support for this, you would need to:

  1. Update buildURL to check if the auth scheme is an API key in a query parameter, and if so, add it to the query values.
  2. Ensure this function, getAuthHeaders, only handles the in: header case for API keys.

@cpunion cpunion mentioned this pull request Dec 31, 2025
Closed
@cpunion cpunion force-pushed the feature/openapi-toolset branch from 9f2e0c9 to 22ebdb7 Compare January 1, 2026 04:01
cpunion added 4 commits January 1, 2026 12:40
@cpunion
Fix auth review issues and sync tests
7830a57
@cpunion
Make credential key deterministic and propagate state errors
02327e7
@cpunion
feat(auth): add tool authentication request flow
654e57b 
Add support for tools to request authentication credentials during execution:

- Add RequestedAuthConfigs field to EventActions for storing auth requests
- Implement GenerateAuthEvent to convert auth requests to adk_request_credential function calls
- Add RequestAuthConfig method to ToolContext for tools to request authentication
- Add AuthConfig field to Tool interface for tools to declare auth requirements
- Integrate auth event generation into the LLM base flow

Also fix test comparisons to ignore RequestedAuthConfigs field initialization
and add UTC timezone setup in database tests for consistent timestamp formatting.
@cpunion
Fix auth parsing and error handling
6fd1f72
@cpunion cpunion force-pushed the feature/openapi-toolset branch from 22ebdb7 to 4a3116a Compare January 1, 2026 13:37
@cpunion cpunion force-pushed the feature/openapi-toolset branch from 4a3116a to d6d4100 Compare January 1, 2026 14:59
cpunion added 2 commits January 1, 2026 23:02
@cpunion
feat(openapitoolset): add OpenAPI specification toolset
22dfd52 
Add a new toolset that automatically generates tools from OpenAPI/Swagger
specifications, enabling agents to interact with REST APIs.

Key components:
- OpenAPI spec parser supporting v3.0/v3.1 with JSON Schema conversion
- RestApiTool for executing HTTP requests with path/query/body parameters
- Toolset for loading specs from file/URL and generating tools
- OAuth2 authentication support with credential request flow
- Example demonstrating GitHub API integration with device auth flow
@cpunion
Fix auth response handling in REST API tool
3d1bdc7
@cpunion cpunion force-pushed the feature/openapi-toolset branch from d6d4100 to 3d1bdc7 Compare January 1, 2026 15:02
@cpunion
Copy link
Author

cpunion commented Jan 1, 2026

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Jan 1, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a significant and well-structured feature: an OpenAPI toolset with comprehensive authentication support, including OAuth2. The new auth package is robust, with a clear separation of concerns for schemes, credentials, and lifecycle management. The use of registries for exchangers and refreshers is a good design choice for extensibility. The OpenAPI parser and the RestApiTool provide a powerful way to generate tools from specifications. I've identified a critical issue in the example's custom OAuth2 code exchange logic that should be refactored to use the standard library for better security and simplicity. Additionally, there are a couple of medium-severity issues related to parsing and key generation that could be improved for robustness and clarity. Overall, this is an excellent addition to the ADK.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cpunion