chore: Remove service account support

given it was not correctly supported.

PiperOrigin-RevId: 773137317

Author: seanzhougoogle

src/google/adk/auth/auth_credential.py

@@ -230,4 +230,3 @@ class AuthCredential(BaseModelWithConfig):
   http: Optional[HttpAuth] = None
   service_account: Optional[ServiceAccount] = None
   oauth2: Optional[OAuth2Auth] = None
-  google_oauth2_json: Optional[str] = None

src/google/adk/auth/credential_manager.py

@@ -76,11 +76,7 @@ def __init__(
     self._refresher_registry = CredentialRefresherRegistry()
 
     # Register default exchangers and refreshers
-    from .exchanger.service_account_credential_exchanger import ServiceAccountCredentialExchanger
-
-    self._exchanger_registry.register(
-        AuthCredentialTypes.SERVICE_ACCOUNT, ServiceAccountCredentialExchanger()
-    )
+    # TODO: support service account credential exchanger
     from .refresher.oauth2_credential_refresher import OAuth2CredentialRefresher
 
     oauth2_refresher = OAuth2CredentialRefresher()

src/google/adk/auth/exchanger/__init__.py

@@ -15,9 +15,7 @@
 """Credential exchanger module."""
 
 from .base_credential_exchanger import BaseCredentialExchanger
-from .service_account_credential_exchanger import ServiceAccountCredentialExchanger
 
 __all__ = [
     "BaseCredentialExchanger",
-    "ServiceAccountCredentialExchanger",
 ]

src/google/adk/auth/exchanger/service_account_credential_exchanger.py

@@ -60,27 +60,12 @@ async def is_refresh_needed(
     Returns:
         True if the credential needs to be refreshed, False otherwise.
     """
-    # Handle Google OAuth2 credentials (from service account exchange)
-    if auth_credential.google_oauth2_json:
-      try:
-        google_credential = Credentials.from_authorized_user_info(
-            json.loads(auth_credential.google_oauth2_json)
-        )
-        return google_credential.expired and bool(
-            google_credential.refresh_token
-        )
-      except Exception as e:
-        logger.warning("Failed to parse Google OAuth2 JSON credential: %s", e)
-        return False
 
     # Handle regular OAuth2 credentials
-    elif auth_credential.oauth2 and auth_scheme:
+    if auth_credential.oauth2:
       if not AUTHLIB_AVIALABLE:
         return False
 
-      if not auth_credential.oauth2:
-        return False
-
       return OAuth2Token({
           "expires_at": auth_credential.oauth2.expires_at,
           "expires_in": auth_credential.oauth2.expires_in,
@@ -105,22 +90,9 @@ async def refresh(
         The refreshed credential.
 
     """
-    # Handle Google OAuth2 credentials (from service account exchange)
-    if auth_credential.google_oauth2_json:
-      try:
-        google_credential = Credentials.from_authorized_user_info(
-            json.loads(auth_credential.google_oauth2_json)
-        )
-        if google_credential.expired and google_credential.refresh_token:
-          google_credential.refresh(Request())
-          auth_credential.google_oauth2_json = google_credential.to_json()
-          logger.info("Successfully refreshed Google OAuth2 JSON credential")
-      except Exception as e:
-        # TODO reconsider whether we should raise error when refresh failed.
-        logger.error("Failed to refresh Google OAuth2 JSON credential: %s", e)
 
     # Handle regular OAuth2 credentials
-    elif auth_credential.oauth2 and auth_scheme:
+    if auth_credential.oauth2 and auth_scheme:
       if not AUTHLIB_AVIALABLE:
         return auth_credential
 

src/google/adk/auth/refresher/oauth2_credential_refresher.py

@@ -138,11 +138,6 @@ async def _get_headers(
     if credential:
       if credential.oauth2:
         headers = {"Authorization": f"Bearer {credential.oauth2.access_token}"}
-      elif credential.google_oauth2_json:
-        google_credential = Credentials.from_authorized_user_info(
-            json.loads(credential.google_oauth2_json)
-        )
-        headers = {"Authorization": f"Bearer {google_credential.token}"}
       elif credential.http:
         # Handle HTTP authentication schemes
         if (
@@ -178,10 +173,9 @@ async def _get_headers(
         headers = {"X-API-Key": credential.api_key}
       elif credential.service_account:
         # Service accounts should be exchanged for access tokens before reaching this point
-        # If we reach here, we can try to use google_oauth2_json or log a warning
         logger.warning(
-            "Service account credentials should be exchanged for access"
-            " tokens before MCP session creation"
+            "Service account credentials should be exchanged before MCP"
+            " session creation"
         )
 
     return headers

src/google/adk/tools/mcp_tool/mcp_tool.py

@@ -233,7 +233,6 @@ def _external_exchange_required(self, credential) -> bool:
             AuthCredentialTypes.OPEN_ID_CONNECT,
         )
         and not credential.oauth2.access_token
-        and not credential.google_oauth2_json
     )
 
   async def prepare_auth_credentials(