@softactivate/adk 1.1.0

package/dist/web/auth/auth_preprocessor.js

@@ -0,0 +1,173 @@
+import {createRequire as topLevelCreateRequire} from 'module';
+const require = topLevelCreateRequire(import.meta.url);
+var __knownSymbol = (name, symbol) => (symbol = Symbol[name]) ? symbol : Symbol.for("Symbol." + name);
+var __await = function(promise, isYieldStar) {
+  this[0] = promise;
+  this[1] = isYieldStar;
+};
+var __asyncGenerator = (__this, __arguments, generator) => {
+  var resume = (k, v, yes, no) => {
+    try {
+      var x = generator[k](v), isAwait = (v = x.value) instanceof __await, done = x.done;
+      Promise.resolve(isAwait ? v[0] : v).then((y) => isAwait ? resume(k === "return" ? k : "next", v[1] ? { done: y.done, value: y.value } : y, yes, no) : yes({ value: y, done })).catch((e) => resume("throw", e, yes, no));
+    } catch (e) {
+      no(e);
+    }
+  }, method = (k) => it[k] = (x) => new Promise((yes, no) => resume(k, x, yes, no)), it = {};
+  return generator = generator.apply(__this, __arguments), it[__knownSymbol("asyncIterator")] = () => it, method("next"), method("throw"), method("return"), it;
+};
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import {
+  REQUEST_EUC_FUNCTION_CALL_NAME,
+  handleFunctionCallsAsync
+} from "../agents/functions.js";
+import { isLlmAgent } from "../agents/llm_agent.js";
+import { BaseLlmRequestProcessor } from "../agents/processors/base_llm_processor.js";
+import { ReadonlyContext } from "../agents/readonly_context.js";
+import {
+  getFunctionCalls,
+  getFunctionResponses
+} from "../events/event.js";
+import { State } from "../sessions/state.js";
+import { AuthHandler } from "./auth_handler.js";
+const TOOLSET_AUTH_CREDENTIAL_ID_PREFIX = "_adk_toolset_auth_";
+async function storeAuthAndCollectResumeTargets(events, authFcIds, authResponses, state) {
+  const requestedAuthConfigById = {};
+  for (const event of events) {
+    const eventFunctionCalls = getFunctionCalls(event);
+    for (const functionCall of eventFunctionCalls) {
+      if (functionCall.id && authFcIds.has(functionCall.id) && functionCall.name === REQUEST_EUC_FUNCTION_CALL_NAME) {
+        const args = functionCall.args;
+        if (args && args.authConfig) {
+          requestedAuthConfigById[functionCall.id] = args.authConfig;
+        }
+      }
+    }
+  }
+  for (const fcId of authFcIds) {
+    if (!(fcId in authResponses)) {
+      continue;
+    }
+    const authConfig = authResponses[fcId];
+    const requestedAuthConfig = requestedAuthConfigById[fcId];
+    if (requestedAuthConfig && requestedAuthConfig.credentialKey) {
+      authConfig.credentialKey = requestedAuthConfig.credentialKey;
+    }
+    await new AuthHandler(authConfig).parseAndStoreAuthResponse(state);
+  }
+  const toolsToResume = /* @__PURE__ */ new Set();
+  for (const fcId of authFcIds) {
+    const requestedAuthConfig = requestedAuthConfigById[fcId];
+    if (!requestedAuthConfig) {
+      continue;
+    }
+    for (const event of events) {
+      const eventFunctionCalls = getFunctionCalls(event);
+      for (const functionCall of eventFunctionCalls) {
+        if (functionCall.id === fcId && functionCall.name === REQUEST_EUC_FUNCTION_CALL_NAME) {
+          const args = functionCall.args;
+          if (args && args.functionCallId) {
+            if (args.functionCallId.startsWith(TOOLSET_AUTH_CREDENTIAL_ID_PREFIX)) {
+              continue;
+            }
+            toolsToResume.add(args.functionCallId);
+          }
+        }
+      }
+    }
+  }
+  return toolsToResume;
+}
+class AuthPreprocessor extends BaseLlmRequestProcessor {
+  runAsync(invocationContext) {
+    return __asyncGenerator(this, null, function* () {
+      const agent = invocationContext.agent;
+      if (!isLlmAgent(agent)) {
+        return;
+      }
+      const events = invocationContext.session.events;
+      if (!events || events.length === 0) {
+        return;
+      }
+      let lastEventWithContent = null;
+      for (let i = events.length - 1; i >= 0; i--) {
+        const event = events[i];
+        if (event.content !== void 0) {
+          lastEventWithContent = event;
+          break;
+        }
+      }
+      if (!lastEventWithContent || lastEventWithContent.author !== "user") {
+        return;
+      }
+      const responses = getFunctionResponses(lastEventWithContent);
+      if (!responses || responses.length === 0) {
+        return;
+      }
+      const authFcIds = /* @__PURE__ */ new Set();
+      const authResponses = {};
+      for (const functionCallResponse of responses) {
+        if (functionCallResponse.name !== REQUEST_EUC_FUNCTION_CALL_NAME) {
+          continue;
+        }
+        if (functionCallResponse.id) {
+          authFcIds.add(functionCallResponse.id);
+          authResponses[functionCallResponse.id] = functionCallResponse.response;
+        }
+      }
+      if (authFcIds.size === 0) {
+        return;
+      }
+      const state = new State(invocationContext.session.state);
+      const toolsToResume = yield new __await(storeAuthAndCollectResumeTargets(
+        events,
+        authFcIds,
+        authResponses,
+        state
+      ));
+      if (toolsToResume.size === 0) {
+        return;
+      }
+      for (let i = events.length - 2; i >= 0; i--) {
+        const event = events[i];
+        const functionCalls = getFunctionCalls(event);
+        if (!functionCalls || functionCalls.length === 0) {
+          continue;
+        }
+        const hasMatchingCall = functionCalls.some(
+          (call) => call.id ? toolsToResume.has(call.id) : false
+        );
+        if (hasMatchingCall) {
+          const canonicalTools = yield new __await(agent.canonicalTools(
+            new ReadonlyContext(invocationContext)
+          ));
+          const toolsDict = {};
+          for (const tool of canonicalTools) {
+            toolsDict[tool.name] = tool;
+          }
+          const functionResponseEvent = yield new __await(handleFunctionCallsAsync({
+            invocationContext,
+            functionCallEvent: event,
+            toolsDict,
+            beforeToolCallbacks: agent.canonicalBeforeToolCallbacks,
+            afterToolCallbacks: agent.canonicalAfterToolCallbacks,
+            filters: toolsToResume
+          }));
+          if (functionResponseEvent) {
+            yield functionResponseEvent;
+          }
+          return;
+        }
+      }
+    });
+  }
+}
+const AUTH_PREPROCESSOR = new AuthPreprocessor();
+export {
+  AUTH_PREPROCESSOR,
+  AuthPreprocessor
+};

package/dist/web/auth/auth_provider_registry.js

@@ -0,0 +1,33 @@
+import {createRequire as topLevelCreateRequire} from 'module';
+const require = topLevelCreateRequire(import.meta.url);
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+class AuthProviderRegistry {
+  constructor() {
+    this.providers = /* @__PURE__ */ new Map();
+  }
+  /**
+   * Register a provider instance for an auth scheme type.
+   *
+   * @param authSchemeType The auth scheme type (e.g., 'oauth2', 'apiKey').
+   * @param providerInstance The provider instance to register.
+   */
+  register(authSchemeType, providerInstance) {
+    this.providers.set(authSchemeType, providerInstance);
+  }
+  /**
+   * Get the provider instance for an auth scheme.
+   *
+   * @param authScheme The auth scheme to get provider for.
+   * @returns The provider instance if registered, undefined otherwise.
+   */
+  getProvider(authScheme) {
+    return this.providers.get(authScheme.type);
+  }
+}
+export {
+  AuthProviderRegistry
+};

package/dist/web/auth/auth_schemes.js

@@ -0,0 +1,33 @@
+import {createRequire as topLevelCreateRequire} from 'module';
+const require = topLevelCreateRequire(import.meta.url);
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+var OAuthGrantType = /* @__PURE__ */ ((OAuthGrantType2) => {
+  OAuthGrantType2["CLIENT_CREDENTIALS"] = "client_credentials";
+  OAuthGrantType2["AUTHORIZATION_CODE"] = "authorization_code";
+  OAuthGrantType2["IMPLICIT"] = "implicit";
+  OAuthGrantType2["PASSWORD"] = "password";
+  return OAuthGrantType2;
+})(OAuthGrantType || {});
+function getOAuthGrantTypeFromFlow(flow) {
+  if (flow.clientCredentials) {
+    return "client_credentials" /* CLIENT_CREDENTIALS */;
+  }
+  if (flow.authorizationCode) {
+    return "authorization_code" /* AUTHORIZATION_CODE */;
+  }
+  if (flow.implicit) {
+    return "implicit" /* IMPLICIT */;
+  }
+  if (flow.password) {
+    return "password" /* PASSWORD */;
+  }
+  return void 0;
+}
+export {
+  OAuthGrantType,
+  getOAuthGrantTypeFromFlow
+};

package/dist/web/auth/auth_tool.js

@@ -0,0 +1,7 @@
+import {createRequire as topLevelCreateRequire} from 'module';
+const require = topLevelCreateRequire(import.meta.url);
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */

package/dist/web/auth/base_auth_provider.js

@@ -0,0 +1,7 @@
+import {createRequire as topLevelCreateRequire} from 'module';
+const require = topLevelCreateRequire(import.meta.url);
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */

package/dist/web/auth/credential_service/base_credential_service.js

@@ -0,0 +1,7 @@
+import {createRequire as topLevelCreateRequire} from 'module';
+const require = topLevelCreateRequire(import.meta.url);
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */

package/dist/web/auth/credential_service/in_memory_credential_service.js

@@ -0,0 +1,35 @@
+import {createRequire as topLevelCreateRequire} from 'module';
+const require = topLevelCreateRequire(import.meta.url);
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+class InMemoryCredentialService {
+  constructor() {
+    this.credentials = {};
+  }
+  loadCredential(authConfig, toolContext) {
+    const credentialBucket = this.getBucketForCurrentContext(toolContext);
+    return Promise.resolve(credentialBucket[authConfig.credentialKey]);
+  }
+  async saveCredential(authConfig, toolContext) {
+    const credentialBucket = this.getBucketForCurrentContext(toolContext);
+    if (authConfig.exchangedAuthCredential) {
+      credentialBucket[authConfig.credentialKey] = authConfig.exchangedAuthCredential;
+    }
+  }
+  getBucketForCurrentContext(toolContext) {
+    const { appName, userId } = toolContext.invocationContext.session;
+    if (!this.credentials[appName]) {
+      this.credentials[appName] = {};
+    }
+    if (!this.credentials[appName][userId]) {
+      this.credentials[appName][userId] = {};
+    }
+    return this.credentials[appName][userId];
+  }
+}
+export {
+  InMemoryCredentialService
+};

package/dist/web/auth/credential_service/session_state_credential_service.js

@@ -0,0 +1,23 @@
+import {createRequire as topLevelCreateRequire} from 'module';
+const require = topLevelCreateRequire(import.meta.url);
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+class SessionStateCredentialService {
+  loadCredential(authConfig, toolContext) {
+    return Promise.resolve(toolContext.state.get(authConfig.credentialKey));
+  }
+  async saveCredential(authConfig, toolContext) {
+    if (authConfig.exchangedAuthCredential) {
+      toolContext.state.set(
+        authConfig.credentialKey,
+        authConfig.exchangedAuthCredential
+      );
+    }
+  }
+}
+export {
+  SessionStateCredentialService
+};

package/dist/web/auth/exchanger/base_credential_exchanger.js

@@ -0,0 +1,12 @@
+import {createRequire as topLevelCreateRequire} from 'module';
+const require = topLevelCreateRequire(import.meta.url);
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+class CredentialExchangeError extends Error {
+}
+export {
+  CredentialExchangeError
+};

package/dist/web/auth/exchanger/credential_exchanger_registry.js

@@ -0,0 +1,31 @@
+import {createRequire as topLevelCreateRequire} from 'module';
+const require = topLevelCreateRequire(import.meta.url);
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+class CredentialExchangerRegistry {
+  constructor() {
+    this.exchangers = {};
+  }
+  /**
+   * Register an exchanger instance for a credential type.
+   * @param credentialType - The credential type to register for.
+   * @param exchangerInstance - The exchanger instance to register.
+   */
+  register(credentialType, exchangerInstance) {
+    this.exchangers[credentialType] = exchangerInstance;
+  }
+  /**
+   * Get the exchanger instance for a credential type.
+   * @param credentialType - The credential type to get exchanger for.
+   * @returns The exchanger instance if registered, undefined otherwise.
+   */
+  getExchanger(credentialType) {
+    return this.exchangers[credentialType];
+  }
+}
+export {
+  CredentialExchangerRegistry
+};

package/dist/web/auth/oauth2/oauth2_credential_exchanger.js

@@ -0,0 +1,188 @@
+import {createRequire as topLevelCreateRequire} from 'module';
+const require = topLevelCreateRequire(import.meta.url);
+var __defProp = Object.defineProperty;
+var __defProps = Object.defineProperties;
+var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
+var __getOwnPropSymbols = Object.getOwnPropertySymbols;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __propIsEnum = Object.prototype.propertyIsEnumerable;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __spreadValues = (a, b) => {
+  for (var prop in b || (b = {}))
+    if (__hasOwnProp.call(b, prop))
+      __defNormalProp(a, prop, b[prop]);
+  if (__getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(b)) {
+      if (__propIsEnum.call(b, prop))
+        __defNormalProp(a, prop, b[prop]);
+    }
+  return a;
+};
+var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { logger } from "../../utils/logger.js";
+import {
+  getOAuthGrantTypeFromFlow,
+  OAuthGrantType
+} from "../auth_schemes.js";
+import {
+  CredentialExchangeError
+} from "../exchanger/base_credential_exchanger.js";
+import {
+  createOAuth2TokenRequestBody,
+  fetchOAuth2Tokens,
+  getTokenEndpoint,
+  parseAuthorizationCode
+} from "./oauth2_utils.js";
+class OAuth2CredentialExchanger {
+  async exchange({
+    authCredential,
+    authScheme
+  }) {
+    var _a;
+    if (!authScheme) {
+      throw new CredentialExchangeError(
+        "authScheme is required for OAuth2 credential exchange"
+      );
+    }
+    if ((_a = authCredential.oauth2) == null ? void 0 : _a.accessToken) {
+      return {
+        credential: authCredential,
+        wasExchanged: false
+      };
+    }
+    const grantType = determineGrantType(authScheme);
+    if (grantType === OAuthGrantType.CLIENT_CREDENTIALS) {
+      return exchangeClientCredentials({ authCredential, authScheme });
+    }
+    if (grantType === OAuthGrantType.AUTHORIZATION_CODE) {
+      return exchangeAuthorizationCode({ authCredential, authScheme });
+    }
+    logger.warn("Unsupported OAuth2 grant type: ".concat(grantType));
+    return {
+      credential: authCredential,
+      wasExchanged: false
+    };
+  }
+}
+function determineGrantType(authScheme) {
+  var _a;
+  if ("flows" in authScheme && authScheme.flows) {
+    return getOAuthGrantTypeFromFlow(authScheme.flows);
+  }
+  if (authScheme.grantTypesSupported) {
+    const oidcScheme = authScheme;
+    if ((_a = oidcScheme.grantTypesSupported) == null ? void 0 : _a.includes("client_credentials")) {
+      return OAuthGrantType.CLIENT_CREDENTIALS;
+    }
+    return OAuthGrantType.AUTHORIZATION_CODE;
+  }
+  return void 0;
+}
+async function exchangeClientCredentials({
+  authCredential,
+  authScheme
+}) {
+  var _a, _b;
+  const tokenEndpoint = getTokenEndpoint(authScheme);
+  if (!tokenEndpoint) {
+    throw new CredentialExchangeError(
+      "Token endpoint not found in auth scheme."
+    );
+  }
+  if (!((_a = authCredential.oauth2) == null ? void 0 : _a.clientId) || !((_b = authCredential.oauth2) == null ? void 0 : _b.clientSecret)) {
+    throw new CredentialExchangeError(
+      "clientId and clientSecret are required for client credentials exchange."
+    );
+  }
+  const body = createOAuth2TokenRequestBody({
+    grantType: "client_credentials",
+    clientId: authCredential.oauth2.clientId,
+    clientSecret: authCredential.oauth2.clientSecret
+  });
+  try {
+    const oauth2Auth = await fetchOAuth2Tokens(tokenEndpoint, body);
+    return {
+      credential: __spreadProps(__spreadValues({}, authCredential), {
+        oauth2: __spreadValues(__spreadValues({}, authCredential.oauth2), oauth2Auth)
+      }),
+      wasExchanged: true
+    };
+  } catch (error) {
+    throw new CredentialExchangeError(
+      "Failed to exchange tokens: ".concat(error instanceof Error ? error.message : String(error))
+    );
+  }
+}
+async function exchangeAuthorizationCode({
+  authCredential,
+  authScheme
+}) {
+  var _a, _b, _c, _d;
+  const tokenEndpoint = getTokenEndpoint(authScheme);
+  if (!tokenEndpoint) {
+    throw new CredentialExchangeError(
+      "Token endpoint not found in auth scheme."
+    );
+  }
+  if (!((_a = authCredential.oauth2) == null ? void 0 : _a.clientId) || !((_b = authCredential.oauth2) == null ? void 0 : _b.clientSecret) || !((_c = authCredential.oauth2) == null ? void 0 : _c.authCode) && !((_d = authCredential.oauth2) == null ? void 0 : _d.authResponseUri)) {
+    throw new CredentialExchangeError(
+      "clientId, clientSecret, and either authCode or authResponseUri are required for authorization code exchange."
+    );
+  }
+  let code = authCredential.oauth2.authCode;
+  if (!code && authCredential.oauth2.authResponseUri) {
+    code = parseAuthorizationCode(authCredential.oauth2.authResponseUri);
+  }
+  if (authCredential.oauth2.authResponseUri && authCredential.oauth2.state) {
+    try {
+      const url = new URL(authCredential.oauth2.authResponseUri);
+      const receivedState = url.searchParams.get("state") || void 0;
+      if (authCredential.oauth2.state !== receivedState) {
+        throw new CredentialExchangeError(
+          "State mismatch detected. Potential CSRF attack."
+        );
+      }
+    } catch (e) {
+      throw new CredentialExchangeError(
+        "Failed to parse authResponseUri for state validation: ".concat(e instanceof Error ? e.message : String(e))
+      );
+    }
+  }
+  if (!code) {
+    throw new CredentialExchangeError(
+      "Authorization code not found in auth response."
+    );
+  }
+  const body = createOAuth2TokenRequestBody({
+    grantType: "authorization_code",
+    clientId: authCredential.oauth2.clientId,
+    clientSecret: authCredential.oauth2.clientSecret,
+    code,
+    redirectUri: authCredential.oauth2.redirectUri,
+    codeVerifier: authCredential.oauth2.codeVerifier
+  });
+  try {
+    const oauth2Auth = await fetchOAuth2Tokens(tokenEndpoint, body);
+    return {
+      credential: __spreadProps(__spreadValues({}, authCredential), {
+        oauth2: __spreadValues(__spreadValues({}, authCredential.oauth2), oauth2Auth)
+      }),
+      wasExchanged: true
+    };
+  } catch (error) {
+    throw new CredentialExchangeError(
+      "Failed to exchange tokens: ".concat(error instanceof Error ? error.message : String(error))
+    );
+  }
+}
+export {
+  OAuth2CredentialExchanger,
+  determineGrantType,
+  exchangeAuthorizationCode,
+  exchangeClientCredentials
+};

package/dist/web/auth/oauth2/oauth2_credential_refresher.js

@@ -0,0 +1,102 @@
+import {createRequire as topLevelCreateRequire} from 'module';
+const require = topLevelCreateRequire(import.meta.url);
+var __defProp = Object.defineProperty;
+var __defProps = Object.defineProperties;
+var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
+var __getOwnPropSymbols = Object.getOwnPropertySymbols;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __propIsEnum = Object.prototype.propertyIsEnumerable;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __spreadValues = (a, b) => {
+  for (var prop in b || (b = {}))
+    if (__hasOwnProp.call(b, prop))
+      __defNormalProp(a, prop, b[prop]);
+  if (__getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(b)) {
+      if (__propIsEnum.call(b, prop))
+        __defNormalProp(a, prop, b[prop]);
+    }
+  return a;
+};
+var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { logger } from "../../utils/logger.js";
+import {
+  fetchOAuth2Tokens,
+  getTokenEndpoint,
+  isTokenExpired
+} from "./oauth2_utils.js";
+class OAuth2CredentialRefresher {
+  /**
+   * Check if the OAuth2 credential needs to be refreshed.
+   *
+   * @param authCredential The OAuth2 credential to check.
+   * @param authScheme The OAuth2 authentication scheme (optional).
+   * @returns True if the credential needs to be refreshed, False otherwise.
+   */
+  async isRefreshNeeded(authCredential) {
+    if (!authCredential.oauth2) {
+      return false;
+    }
+    if (authCredential.oauth2 && authCredential.oauth2.expiresAt) {
+      return isTokenExpired(authCredential.oauth2);
+    }
+    return false;
+  }
+  /**
+   * Refresh the OAuth2 credential.
+   *
+   * @param authCredential The OAuth2 credential to refresh.
+   * @param authScheme The OAuth2 authentication scheme.
+   * @returns The refreshed credential.
+   */
+  async refresh(authCredential, authScheme) {
+    if (!authCredential.oauth2 || !authScheme) {
+      return authCredential;
+    }
+    if (!authCredential.oauth2.refreshToken) {
+      logger.warn("No refresh token available to refresh credential");
+      return authCredential;
+    }
+    const isNeeded = await this.isRefreshNeeded(authCredential);
+    if (!isNeeded) {
+      return authCredential;
+    }
+    const tokenEndpoint = getTokenEndpoint(authScheme);
+    if (!tokenEndpoint) {
+      logger.warn("Token endpoint not found in auth scheme.");
+      return authCredential;
+    }
+    if (!authCredential.oauth2.clientId || !authCredential.oauth2.clientSecret) {
+      logger.warn("clientId and clientSecret are required for token refresh.");
+      return authCredential;
+    }
+    const body = new URLSearchParams();
+    body.set("grant_type", "refresh_token");
+    body.set("refresh_token", authCredential.oauth2.refreshToken);
+    body.set("client_id", authCredential.oauth2.clientId);
+    body.set("client_secret", authCredential.oauth2.clientSecret);
+    try {
+      const data = await fetchOAuth2Tokens(tokenEndpoint, body);
+      const updatedOAuth2 = __spreadProps(__spreadValues({}, authCredential.oauth2), {
+        accessToken: data.accessToken || authCredential.oauth2.accessToken,
+        refreshToken: data.refreshToken || authCredential.oauth2.refreshToken,
+        expiresIn: data.expiresIn,
+        expiresAt: data.expiresAt || authCredential.oauth2.expiresAt
+      });
+      return __spreadProps(__spreadValues({}, authCredential), {
+        oauth2: updatedOAuth2
+      });
+    } catch (error) {
+      logger.error("Failed to refresh tokens:", error);
+      return authCredential;
+    }
+  }
+}
+export {
+  OAuth2CredentialRefresher
+};