feat(core): implement HTTP authentication support for A2A remote agents (#20510)

Co-authored-by: Adam Weidman <adamfweidman@google.com>
2026-04-24 12:04:56 -07:00 · 2026-03-02 11:59:48 -08:00
parent 48412a068e
commit 446a4316c4
11 changed files with 565 additions and 27 deletions
@@ -4,7 +4,7 @@
 * SPDX-License-Identifier: Apache-2.0
 */

-import express from 'express';
+import express, { type Request } from 'express';

 import type { AgentCard, Message } from '@a2a-js/sdk';
 import {
@@ -13,8 +13,9 @@ import {
  InMemoryTaskStore,
  DefaultExecutionEventBus,
  type AgentExecutionEvent,
+  UnauthenticatedUser,
 } from '@a2a-js/sdk/server';
-import { A2AExpressApp } from '@a2a-js/sdk/server/express'; // Import server components
+import { A2AExpressApp, type UserBuilder } from '@a2a-js/sdk/server/express'; // Import server components
 import { v4 as uuidv4 } from 'uuid';
 import { logger } from '../utils/logger.js';
 import type { AgentSettings } from '../types.js';
@@ -55,8 +56,17 @@ const coderAgentCard: AgentCard = {
    pushNotifications: false,
    stateTransitionHistory: true,
  },
-  securitySchemes: undefined,
-  security: undefined,
+  securitySchemes: {
+    bearerAuth: {
+      type: 'http',
+      scheme: 'bearer',
+    },
+    basicAuth: {
+      type: 'http',
+      scheme: 'basic',
+    },
+  },
+  security: [{ bearerAuth: [] }, { basicAuth: [] }],
  defaultInputModes: ['text'],
  defaultOutputModes: ['text'],
  skills: [
@@ -81,6 +91,35 @@ export function updateCoderAgentCardUrl(port: number) {
  coderAgentCard.url = `http://localhost:${port}/`;
 }

+const customUserBuilder: UserBuilder = async (req: Request) => {
+  const auth = req.headers['authorization'];
+  if (auth) {
+    const scheme = auth.split(' ')[0];
+    logger.info(
+      `[customUserBuilder] Received Authorization header with scheme: ${scheme}`,
+    );
+  }
+  if (!auth) return new UnauthenticatedUser();
+
+  // 1. Bearer Auth
+  if (auth.startsWith('Bearer ')) {
+    const token = auth.substring(7);
+    if (token === 'valid-token') {
+      return { userName: 'bearer-user', isAuthenticated: true };
+    }
+  }
+
+  // 2. Basic Auth
+  if (auth.startsWith('Basic ')) {
+    const credentials = Buffer.from(auth.substring(6), 'base64').toString();
+    if (credentials === 'admin:password') {
+      return { userName: 'basic-user', isAuthenticated: true };
+    }
+  }
+
+  return new UnauthenticatedUser();
+};
+
 async function handleExecuteCommand(
  req: express.Request,
  res: express.Response,
@@ -204,7 +243,7 @@ export async function createApp() {
      requestStorage.run({ req }, next);
    });

-    const appBuilder = new A2AExpressApp(requestHandler);
+    const appBuilder = new A2AExpressApp(requestHandler, customUserBuilder);
    expressApp = appBuilder.setupRoutes(expressApp, '');
    expressApp.use(express.json());