
fix(auth): handle missing client-credentials scopes safely#5348

Open
sqsge wants to merge 2 commits into google:main from sqsge:codex/fix-openapi-m2m-scopes

Conversation


@sqsge sqsge commented Apr 15, 2026

Please ensure you have read the contribution guide before creating a pull request.

Link to Issue or Description of Change

1. Link to an existing issue (if applicable):

Problem:

The current OAuth client-credentials / M2M path can crash when scopes is absent or collapses to None, because both auth_handler.py and oauth2_credential_util.py still assume the value is always dict-like and call .keys() on it.

This shows up in the OpenAPI Toolkit client-credentials flow as:

AttributeError: 'NoneType' object has no attribute 'keys'

Solution:

Keep the fix intentionally narrow by normalizing OAuth scope handling in the two current call sites that make the dict-like assumption:

  • make client-credentials scope handling None-safe in auth_handler.py
  • fix the parallel dict-like scope assumption in oauth2_credential_util.py
  • add focused regression coverage for both paths

This fix only addresses the immediate None-safe handling for the current client-credentials path. It does not attempt to redesign the broader OAuth flow semantics in this PR.

Testing Plan

Unit Tests:

  • I have added or updated unit tests for my change.
  • All unit tests pass locally.

Passed locally:

PYTHONPATH=src python3 -m pytest -q tests/unittests/auth/test_auth_handler.py
24 passed, 43 warnings in 2.10s

PYTHONPATH=src python3 -m pytest -q tests/unittests/auth/test_oauth2_credential_util.py
10 passed, 11 warnings in 2.08s

Manual End-to-End (E2E) Tests:

Not run for this change.

This patch is scoped to None-safe handling for the existing client-credentials code path and adds focused regression coverage for the affected auth helper paths. I did not run a manual OpenAPI Toolkit end-to-end flow locally in this branch.

Checklist

  • I have read the CONTRIBUTING.md document.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • I have manually tested my changes end-to-end.
  • Any dependent changes have been merged and published in downstream modules.

Additional context

This PR keeps the change small on purpose:

  • it does not redesign the broader OAuth/auth flow
  • it only removes the unsafe scopes.keys() assumption in the current client-credentials/M2M path
  • it preserves existing behavior for the interactive flows covered by the current helpers
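To illustrate the crash the description above reports and the None-safe handling it asks for, here is an added Python example; it is not code from the PR or the project, and normalize_scopes and client_credentials_form are hypothetical helper names:

```python
"""None-safe OAuth scope normalization (added illustration, not the PR's code).

OpenAPI security schemes list client-credentials scopes as a mapping of
scope name -> description, so helper code is tempted to call
``scopes.keys()``.  When the spec omits ``scopes`` the value arrives as
``None`` and that call raises ``AttributeError``.  ``normalize_scopes``
(hypothetical name) accepts the shapes a caller may realistically hand
over and always returns a list of scope names.
"""
from collections.abc import Iterable, Mapping
from typing import Union

ScopesLike = Union[None, Mapping[str, str], Iterable[str], str]


def scopes_keys_unsafe(scopes):
    # The pattern the PR removes: fine for a dict, crashes on None.
    return list(scopes.keys())


def normalize_scopes(scopes: ScopesLike) -> list[str]:
    """Return scope names as a list; missing or empty scopes become []."""
    if scopes is None:
        return []
    if isinstance(scopes, Mapping):          # OpenAPI {name: description}
        return list(scopes.keys())
    if isinstance(scopes, str):              # RFC 6749 space-delimited form
        return scopes.split()
    return [s for s in scopes if s]          # list/tuple/set of names


def client_credentials_form(client_id: str, client_secret: str,
                            scopes: ScopesLike) -> dict[str, str]:
    """Build the token-endpoint body; omit ``scope`` entirely when empty."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    names = normalize_scopes(scopes)
    if names:
        form["scope"] = " ".join(names)      # constructed sample request body
    return form


if __name__ == "__main__":
    try:
        scopes_keys_unsafe(None)
    except AttributeError as err:
        print("unsafe helper:", err)   # 'NoneType' object has no attribute 'keys'
    print(client_credentials_form("cid", "secret", None))
    print(client_credentials_form("cid", "secret", {"read": "Read access"}))
```

Omitting the scope parameter when no scopes are configured lets the authorization server apply its default scope, rather than sending an empty string.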


google-cla bot commented Apr 15, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@adk-bot adk-bot added the core [Component] This issue is related to the core interface and implementation label Apr 15, 2026

adk-bot commented Apr 15, 2026

Hello @sqsge, thank you for your contribution!

It looks like the CLA (Contributor License Agreement) check has failed. Please make sure you have signed the CLA to proceed with the review process. You can find more information at https://cla.developers.google.com/.

Response from ADK Triaging Agent


Development

Successfully merging this pull request may close these issues.

OpenApiToolkit OAuth Client Credential (M2M) flow - 'NoneType' object has no attribute 'keys'
