chore(ve_identity): Make OAuth2 flow and scopes parameters optional

Updated OAuth2-related classes and functions to make 'auth_flow' and 'scopes' parameters optional, allowing control plane defaults to be used if not provided.

Author: loveyana

docs/content/91.auth/2.api-key-outbound.md

@@ -53,16 +53,6 @@ toolset = VeIdentityMcpToolset(
 )
 ```
 
-## 环境变量配置
-
-```bash
-export VOLCENGINE_ACCESS_KEY="your-access-key-id"
-export VOLCENGINE_SECRET_KEY="your-secret-access-key"
-export VOLCENGINE_SESSION_TOKEN="your-session-token"  # 可选
-```
-
-在 VeFaaS 环境中，Agent Identity 会自动从 `/var/run/secrets/iam/credential` 读取凭证。
-
 ## 示例
 
 ```python

docs/content/91.auth/3.oauth2-m2m-outbound.md

@@ -19,7 +19,7 @@ OAuth2 M2M（Machine to Machine）认证用于服务间通信，比 API Key 更
 
 ### 方式一：使用内置 Vendor（推荐）
 
-选择提供商类型：**Google**、**GitHub** 或 **Coze**，填写：
+选择提供商类型：**Lark**、**Coze**、**Google**、**GitHub** ，填写：
 - Client ID
 - Client Secret
 

docs/content/91.auth/4.oauth2-user-federation-outbound.md

@@ -18,7 +18,7 @@ OAuth2 USER_FEDERATION 认证用于用户委托场景，应用代表用户访问
 
 ### 方式一：使用内置 Vendor（推荐）
 
-选择提供商类型：**Google**、**GitHub** 或 **Coze**，填写：
+选择提供商类型：**Lark**、**Coze**、**Google**、**GitHub** ，填写：
 - Client ID
 - Client Secret
 - 回调 URL（选择[回调地址](./4.oauth2-user-federation-outbound.md#回调地址)对应区域的地址）
@@ -108,45 +108,52 @@ toolset = VeIdentityMcpToolset(
 
 ```python
 import asyncio
-from veadk import Agent, Runner
-from veadk.integrations.ve_identity import VeIdentityMcpToolset, oauth2_auth
-from google.adk.agents.mcp import StdioServerParameters
+from veadk import Agent
+from veadk.integrations.ve_identity import (
+    VeIdentityMcpToolset,
+    oauth2_auth,
+)
+from google.adk.tools.mcp_tool.mcp_session_manager import (
+    StreamableHTTPConnectionParams,
+)
+
+from veadk.integrations.ve_identity.auth_processor import AuthRequestProcessor
 
-# GitHub 工具集
-github_tools = VeIdentityMcpToolset(
+# ECS 工具集
+ecs_tools = VeIdentityMcpToolset(
     auth_config=oauth2_auth(
-        provider_name="github-oauth2-provider",
-        scopes=["repo", "workflow"],
+        provider_name="volc-ecs-oauth2-provider",
+        scopes=["read"],
         auth_flow="USER_FEDERATION",
-        callback_url="https://your-app.com/oauth/callback",
     ),
-    connection_params=StdioServerParameters(
-        command="npx",
-        args=["@modelcontextprotocol/server-github"],
+    connection_params=StreamableHTTPConnectionParams(
+        url="https://ecs.mcp.volcbiz.com/ecs/mcp",
     ),
 )
 
-# Google Drive 工具集
-drive_tools = VeIdentityMcpToolset(
+# 云助手 工具集
+cloud_assistant_tools = VeIdentityMcpToolset(
     auth_config=oauth2_auth(
-        provider_name="google-oauth2-provider",
-        scopes=["https://www.googleapis.com/auth/drive"],
+        provider_name="volc-ecs-oauth2-provider",
+        scopes=["read"],
         auth_flow="USER_FEDERATION",
-        callback_url="https://your-app.com/oauth/callback",
     ),
-    connection_params=StdioServerParameters(
-        command="npx",
-        args=["@modelcontextprotocol/server-google-drive"],
+    connection_params=StreamableHTTPConnectionParams(
+        url="https://ecs.mcp.volcbiz.com/cloud_assistant/mcp",
     ),
 )
 
 agent = Agent(
-    tools=[github_tools, drive_tools],
-    system_prompt="你是一个多服务集成助手",
+    tools=[ecs_tools, cloud_assistant_tools],
+    system_prompt="你是火山引擎ECS助手，可以查询ECS实例信息并执行服务器命令。",
+    auth_request_processor=AuthRequestProcessor(),
 )
 
-runner = Runner(agent=agent)
-asyncio.run(runner.run(messages="从 GitHub 获取最新代码变更并保存到 Google Drive"))
+asyncio.run(
+    agent.run(
+        prompt="先查询我的ECS实例列表，然后选择一个运行中的实例，在上面执行 'uname -a && df -h && free -m' 命令来检查系统信息、磁盘空间和内存使用情况"
+    )
+)
 ```
 
 ## 常见问题

tests/test_ve_identity_auth_config.py

@@ -103,7 +103,7 @@ def on_auth_url_callback(url: str):
 
     def test_oauth2_auth_empty_scopes(self):
         """Test that empty scopes raises ValueError."""
-        with pytest.raises(ValueError, match="scopes cannot be empty"):
+        with pytest.raises(ValueError, match="scopes cannot be an empty list"):
             oauth2_auth(
                 provider_name="github",
                 scopes=[],

veadk/agent.py

@@ -298,15 +298,13 @@ async def run(
         final_output = ""
         for _prompt in prompt:
             message = types.Content(role="user", parts=[types.Part(text=_prompt)])
-            final_output = await self._run(
-                runner, user_id, session_id, message, stream, auth_request_processor
-            )
+            final_output = await self._run(runner, user_id, session_id, message, stream, auth_request_processor)
 
         # VeADK features
         if save_session_to_memory:
-            assert (
-                self.long_term_memory is not None
-            ), "Long-term memory is not initialized in agent"
+            assert self.long_term_memory is not None, (
+                "Long-term memory is not initialized in agent"
+            )
             session = await session_service.get_session(
                 app_name=app_name,
                 user_id=user_id,

veadk/integrations/ve_identity/auth_config.py

@@ -21,7 +21,7 @@
 from abc import ABC, abstractmethod
 from typing import Any, Callable, List, Literal, Optional, Union
 
-from pydantic import BaseModel, model_validator, field_validator
+from pydantic import BaseModel, field_validator
 
 from veadk.integrations.ve_identity.models import OAuth2AuthPoller
 from veadk.integrations.ve_identity.identity_client import IdentityClient
@@ -35,6 +35,7 @@ def _get_default_region() -> str:
     """
     try:
         from veadk.config import settings
+
         return settings.veidentity.region
     except Exception:
         # Fallback to default if config loading fails
@@ -52,8 +53,8 @@ class AuthConfig(BaseModel, ABC):
 
     def __init__(self, **data):
         """Initialize AuthConfig with default region from VeADK config if not provided."""
-        if 'region' not in data or data['region'] is None:
-            data['region'] = _get_default_region()
+        if "region" not in data or data["region"] is None:
+            data["region"] = _get_default_region()
         super().__init__(**data)
 
     @field_validator("provider_name")
@@ -82,10 +83,10 @@ def auth_type(self) -> str:
 class OAuth2AuthConfig(AuthConfig):
     """OAuth2 authentication configuration."""
 
-    # Required fields
-    scopes: List[str]
-    auth_flow: Literal["M2M", "USER_FEDERATION"]
-    # Optional fields
+    # Optional fields - control plane will use defaults if not provided
+    scopes: Optional[List[str]] = None
+    auth_flow: Optional[Literal["M2M", "USER_FEDERATION"]] = None
+    # Additional optional fields
     callback_url: Optional[str] = None
     force_authentication: bool = False
     response_for_auth_required: Optional[Union[dict, str]] = None
@@ -94,10 +95,18 @@ class OAuth2AuthConfig(AuthConfig):
 
     @field_validator("scopes")
     @classmethod
-    def validate_scopes_not_empty(cls, v: List[str]) -> List[str]:
-        """Validate that scopes list is not empty and contains valid scope strings."""
+    def validate_scopes_not_empty(cls, v: Optional[List[str]]) -> Optional[List[str]]:
+        """Validate that scopes list is not empty and contains valid scope strings.
+
+        If scopes is None, the control plane will use default scopes.
+        """
+        if v is None:
+            return None
+
         if not v:
-            raise ValueError("scopes cannot be empty")
+            raise ValueError(
+                "scopes cannot be an empty list; use None to use control plane defaults"
+            )
 
         # Validate each scope is not empty
         for scope in v:
@@ -128,15 +137,6 @@ def validate_callback_url(cls, v: Optional[str]) -> Optional[str]:
                 raise ValueError("callback_url must be a valid HTTP/HTTPS URL")
         return v
 
-    @model_validator(mode="after")
-    def _validate_required_fields(self):
-        """Validate required fields."""
-        if not self.scopes:
-            raise ValueError("scopes is required for OAuth2AuthConfig")
-        if not self.auth_flow:
-            raise ValueError("auth_flow is required for OAuth2AuthConfig")
-        return self
-
     @property
     def auth_type(self) -> str:
         return "oauth2"
@@ -201,8 +201,8 @@ def workload_auth(
 
 def oauth2_auth(
     provider_name: str,
-    scopes: List[str],
-    auth_flow: Literal["M2M", "USER_FEDERATION"],
+    scopes: Optional[List[str]] = None,
+    auth_flow: Optional[Literal["M2M", "USER_FEDERATION"]] = None,
     callback_url: Optional[str] = None,
     force_authentication: bool = False,
     response_for_auth_required: Optional[Union[dict, str]] = None,
@@ -215,8 +215,10 @@ def oauth2_auth(
 
     Args:
         provider_name: Name of the credential provider.
-        scopes: List of OAuth2 scopes.
-        auth_flow: Authentication flow type ("M2M" or "USER_FEDERATION").
+        scopes: Optional list of OAuth2 scopes. If not provided, the control plane
+               will use the default configured scopes for the provider.
+        auth_flow: Optional authentication flow type ("M2M" or "USER_FEDERATION").
+                  If not provided, the control plane will use the default configured flow.
         callback_url: Optional callback URL for OAuth2.
         force_authentication: Whether to force authentication.
         response_for_auth_required: Response to return when auth is required.

veadk/integrations/ve_identity/auth_mixins.py

@@ -343,8 +343,8 @@ class OAuth2AuthMixin(BaseAuthMixin):
     def __init__(
         self,
         *,
-        scopes: List[str],
-        auth_flow: Literal["M2M", "USER_FEDERATION"],
+        scopes: Optional[List[str]] = None,
+        auth_flow: Optional[Literal["M2M", "USER_FEDERATION"]] = None,
         callback_url: Optional[str] = None,
         force_authentication: bool = False,
         response_for_auth_required: Optional[str] = None,
@@ -356,9 +356,11 @@ def __init__(
         """Initialize the OAuth2 authentication mixin.
 
         Args:
-            scopes: List of OAuth2 scopes to request.
-            auth_flow: Authentication flow type - "M2M" for machine-to-machine or
-                      "USER_FEDERATION" for user-delegated access.
+            scopes: Optional list of OAuth2 scopes to request. If not provided,
+                   the control plane will use the default configured scopes.
+            auth_flow: Optional authentication flow type - "M2M" for machine-to-machine or
+                      "USER_FEDERATION" for user-delegated access. If not provided,
+                      the control plane will use the default configured flow.
             callback_url: OAuth2 redirect URL (must be pre-registered).
             force_authentication: If True, forces re-authentication even if cached token exists.
             response_for_auth_required: Custom response to return when user authorization is needed.

veadk/integrations/ve_identity/auth_processor.py

@@ -230,21 +230,19 @@ async def process_auth_request(
                 on_auth_url(auth_uri)
 
         # Use custom poller or default poller
-        # Create async token fetcher for default poller
-        async def async_token_fetcher():
-            response = self._identity_client.get_oauth2_token_or_auth_url(
-                **request_dict
-            )
-            return (
-                OAuth2Auth(access_token=response.access_token)
-                if response.access_token and response.access_token.strip()
-                else None
-            )
-
         active_poller = (
             self.config.oauth2_auth_poller(auth_uri, request_dict)
             if self.config.oauth2_auth_poller
-            else _DefaultOauth2AuthPoller(auth_uri, async_token_fetcher)
+            else _DefaultOauth2AuthPoller(
+                auth_uri,
+                lambda: (
+                    lambda response: (
+                        OAuth2Auth(access_token=response.access_token)
+                        if response.access_token and response.access_token.strip()
+                        else None
+                    )
+                )(self._identity_client.get_oauth2_token_or_auth_url(**request_dict)),
+            )
         )
 
         # Poll for the oauth2 auth