Is your feature request related to a specific problem?
As an enterprise user, we would like to secure our A2A instance, so an A2A client needs to present an OAuth access_token in the Authorization header in order to communicate with the A2A server. The token sent to the A2A server should be based on the calling user's credential instead of a static one.
Describe the Solution You'd Like
- We would like RemoteA2aAgent to let the user define auth_scheme & auth_credential, as other ADK tools already do.
- When the host ADK agent uses RemoteA2aAgent to connect to an A2A server that requires authorization and the user has no credential yet, ADK should trigger the adk_request_credential event. Once the client supplies the user's authorization code, ADK should manage the token exchange and refresh, then send the resulting token to the A2A server.
Impact on your work
Currently, RemoteA2aAgent only lets us set the Authorization header on the httpx client, and the RemoteA2aAgent is initialized when we define the agent. So if our application creates one runner and uses it to handle requests for various users, every request the agent sends to the A2A server carries the original credential we configured on the httpx client, regardless of which user triggered it. This can cause issues.
If the underlying A2A server is an ADK agent exposed through A2aAgentExecutor and the client always sends the same token regardless of which user is active, the credentials stored in the CredentialService can become mixed up between users.
Inside A2aAgentExecutor, the executor calls request_converter [1], which by default is convert_a2a_request_to_agent_run_request [2]. convert_a2a_request_to_agent_run_request [3] calls _get_user_id [4]. _get_user_id [5] takes the user name from the request's call context, which is populated when the client presents a valid access_token, and that user_id is then the key under which CredentialService stores the tool credential in its bucket [6]. With a static token, every end user resolves to the same user_id and therefore the same bucket.
This is our setup:
User -> UI -> ADK host agent -> RemoteA2aAgent (access token in the Authorization header) -> ADK agent wrapped as an A2A agent (A2aAgentExecutor) -> AuthTool
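To make the mix-up concrete, here is an added stdlib-only simulation; it is not ADK code, and names such as A2AServer, StaticHeaderClient, PerUserHeaderClient and the token table are constructed for illustration. The server side mirrors the _get_user_id lookup [5] and the app_name -> user_id bucket of _get_bucket_for_current_context [6]; the client side contrasts an Authorization header fixed when the agent is defined with one resolved from the current user at request time.

```python
"""Constructed simulation: static vs per-user Authorization header on an A2A hop."""
import contextvars
from dataclasses import dataclass

# Constructed token table standing in for real OAuth access_token validation.
TOKEN_TO_USER = {
    "tok-alice": "alice",
    "tok-bob": "bob",
    "tok-service": "svc-account",  # static token baked into the httpx client
}


@dataclass
class Request:
    headers: dict[str, str]
    end_user: str  # who the host agent is really acting for (illustration only)


def get_user_id(request: Request) -> str:
    """Mirror of _get_user_id [5]: user name comes from the validated bearer token.

    The fallback value is a placeholder; ADK's real default is not shown on this page.
    """
    auth = request.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        user = TOKEN_TO_USER.get(auth[len("Bearer "):])
        if user:
            return user
    return "anonymous"


class InMemoryCredentialService:
    """Mirror of the app_name -> user_id -> credentials bucket in [6]."""

    def __init__(self) -> None:
        self._credentials: dict[str, dict[str, dict[str, str]]] = {}

    def bucket(self, app_name: str, user_id: str) -> dict[str, str]:
        return self._credentials.setdefault(app_name, {}).setdefault(user_id, {})


class A2AServer:
    """Stand-in for an ADK agent exposed via A2aAgentExecutor that calls an AuthTool."""

    APP_NAME = "remote_app"
    TOOL_KEY = "calendar_tool"

    def __init__(self) -> None:
        self.creds = InMemoryCredentialService()

    def handle(self, request: Request) -> str:
        user_id = get_user_id(request)
        bucket = self.creds.bucket(self.APP_NAME, user_id)
        if self.TOOL_KEY not in bucket:
            # First call for this user_id: the AuthTool completes its own OAuth flow
            # and stores the credential of whoever is actually on the other end.
            bucket[self.TOOL_KEY] = f"tool-cred-of-{request.end_user}"
        # Later calls for the same user_id reuse whatever the bucket already holds.
        return bucket[self.TOOL_KEY]


# Token of the user the host runner is currently serving (set per invocation).
current_user_token: contextvars.ContextVar[str] = contextvars.ContextVar("current_user_token")


class StaticHeaderClient:
    """Today's RemoteA2aAgent shape: Authorization fixed when the agent is defined."""

    def __init__(self, server: A2AServer, token: str) -> None:
        self.server = server
        self.headers = {"Authorization": f"Bearer {token}"}

    def send(self, end_user: str) -> str:
        return self.server.handle(Request(dict(self.headers), end_user))


class PerUserHeaderClient:
    """Requested shape: token resolved from the current user's credential per request."""

    def __init__(self, server: A2AServer) -> None:
        self.server = server

    def send(self, end_user: str) -> str:
        headers = {"Authorization": f"Bearer {current_user_token.get()}"}
        return self.server.handle(Request(headers, end_user))


def run_scenario(make_client) -> dict[str, str]:
    """Serve alice then bob through one client; return the tool credential each one gets."""
    server = A2AServer()
    client = make_client(server)
    results = {}
    for end_user, token in (("alice", "tok-alice"), ("bob", "tok-bob")):
        reset = current_user_token.set(token)
        try:
            results[end_user] = client.send(end_user)
        finally:
            current_user_token.reset(reset)
    return results


def static_token_scenario() -> dict[str, str]:
    return run_scenario(lambda server: StaticHeaderClient(server, "tok-service"))


def per_user_token_scenario() -> dict[str, str]:
    return run_scenario(PerUserHeaderClient)


if __name__ == "__main__":
    print("static  :", static_token_scenario())    # bob is handed alice's credential
    print("per-user:", per_user_token_scenario())  # each user gets their own bucket
```

With the static header both end users collapse onto the svc-account bucket, so the second user is served the first user's stored tool credential; with the per-user header each user lands in a separate bucket. The contextvar is only one way to thread the caller's token through to the request; the point is that the header is chosen per invocation rather than once at construction.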
Willingness to contribute
Are you interested in implementing this feature yourself or submitting a PR?
Not sure; I would like to gain insight into the perspective of the maintainer group.
Reference
[1] adk-python/src/google/adk/a2a/executor/a2a_agent_executor.py, lines 211 to 214 in 1a9df8f
```python
run_request = self._config.request_converter(
    context,
    self._config.a2a_part_converter,
)
```
[2] adk-python/src/google/adk/a2a/executor/config.py, line 38 in 8bc5728
```python
from ..converters.request_converter import convert_a2a_request_to_agent_run_request
```
[3] adk-python/src/google/adk/a2a/converters/request_converter.py, line 78 in 8bc5728
```python
def convert_a2a_request_to_agent_run_request(
```
[4] adk-python/src/google/adk/a2a/converters/request_converter.py, line 110 in 8bc5728
```python
user_id=_get_user_id(request),
```
[5] adk-python/src/google/adk/a2a/converters/request_converter.py, lines 66 to 71 in 8bc5728
```python
if (
    request.call_context
    and request.call_context.user
    and request.call_context.user.user_name
):
  return request.call_context.user.user_name
```
[6] adk-python/src/google/adk/auth/credential_service/in_memory_credential_service.py, lines 56 to 66 in 1a9df8f
```python
def _get_bucket_for_current_context(
    self, callback_context: CallbackContext
) -> str:
  app_name = callback_context._invocation_context.app_name
  user_id = callback_context._invocation_context.user_id

  if app_name not in self._credentials:
    self._credentials[app_name] = {}
  if user_id not in self._credentials[app_name]:
    self._credentials[app_name][user_id] = {}
  return self._credentials[app_name][user_id]
```
🟡 Recommended Information
Describe Alternatives You've Considered
No
Proposed API / Implementation
No
Additional Context
Add any other context or screenshots about the feature request here.