From b84585d0c820a8bce2742b7e57349e443b6ee7e4 Mon Sep 17 00:00:00 2001
From: Adam Weidman <65992621+adamfweidman@users.noreply.github.com>
Date: Tue, 3 Feb 2026 12:44:22 -0500
Subject: [PATCH] feat(core): Add A2A auth config types (#18205)
---
 .../core/src/agents/auth-provider/types.ts | 100 ++++++++++++++++++
 packages/core/src/agents/types.ts | 7 ++
 2 files changed, 107 insertions(+)
 create mode 100644 packages/core/src/agents/auth-provider/types.ts
diff --git a/packages/core/src/agents/auth-provider/types.ts b/packages/core/src/agents/auth-provider/types.ts
new file mode 100644
index 0000000000..67fce94ca8
--- /dev/null
+++ b/packages/core/src/agents/auth-provider/types.ts
@@ -0,0 +1,100 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/**
+ * Client-side auth configuration for A2A remote agents.
+ * Corresponds to server-side SecurityScheme types from @a2a-js/sdk.
+ * @see https://a2a-protocol.org/latest/specification/#451-securityscheme
+ */
+
+import type { AuthenticationHandler } from '@a2a-js/sdk/client';
+
+export type A2AAuthProviderType =
+ | 'google-credentials'
+ | 'apiKey'
+ | 'http'
+ | 'oauth2'
+ | 'openIdConnect';
+
+export interface A2AAuthProvider extends AuthenticationHandler {
+ readonly type: A2AAuthProviderType;
+ initialize?(): Promise;
+}
+
+export interface BaseAuthConfig {
+ agent_card_requires_auth?: boolean;
+}
+
+/** Client config for google-credentials (not in A2A spec, Gemini-specific). */
+export interface GoogleCredentialsAuthConfig extends BaseAuthConfig {
+ type: 'google-credentials';
+ scopes?: string[];
+}
+
+/** Client config corresponding to APIKeySecurityScheme. */
+export interface ApiKeyAuthConfig extends BaseAuthConfig {
+ type: 'apiKey';
+ /** The secret. Supports $ENV_VAR, !command, or literal. */
+ key: string;
+ /** Defaults to server's SecurityScheme.in value. */
+ location?: 'header' | 'query' | 'cookie';
+ /** Defaults to server's SecurityScheme.name value. */
+ name?: string;
+}
+
+/** Client config corresponding to HTTPAuthSecurityScheme. */
+export type HttpAuthConfig = BaseAuthConfig & {
+ type: 'http';
+} & (
+ | {
+ scheme: 'Bearer';
+ /** For Bearer. Supports $ENV_VAR, !command, or literal. */
+ token: string;
+ }
+ | {
+ scheme: 'Basic';
+ /** For Basic. Supports $ENV_VAR, !command, or literal. */
+ username: string;
+ /** For Basic. Supports $ENV_VAR, !command, or literal. */
+ password: string;
+ }
+ );
+
+/** Client config corresponding to OAuth2SecurityScheme. */
+export interface OAuth2AuthConfig extends BaseAuthConfig {
+ type: 'oauth2';
+ client_id?: string;
+ client_secret?: string;
+ scopes?: string[];
+}
+
+/** Client config corresponding to OpenIdConnectSecurityScheme. */
+export interface OpenIdConnectAuthConfig extends BaseAuthConfig {
+ type: 'openIdConnect';
+ issuer_url: string;
+ client_id: string;
+ client_secret?: string;
+ target_audience?: string;
+ scopes?: string[];
+}
+
+export type A2AAuthConfig =
+ | GoogleCredentialsAuthConfig
+ | ApiKeyAuthConfig
+ | HttpAuthConfig
+ | OAuth2AuthConfig
+ | OpenIdConnectAuthConfig;
+
+export interface AuthConfigDiff {
+ requiredSchemes: string[];
+ configuredType?: A2AAuthProviderType;
+ missingConfig: string[];
+}
+
+export interface AuthValidationResult {
+ valid: boolean;
+ diff?: AuthConfigDiff;
+}
diff --git a/packages/core/src/agents/types.ts b/packages/core/src/agents/types.ts
index 581e9f2b52..337a837ea7 100644
--- a/packages/core/src/agents/types.ts
+++ b/packages/core/src/agents/types.ts
@@ -13,6 +13,7 @@ import type { AnyDeclarativeTool } from '../tools/tools.js';
 import { type z } from 'zod';
 import type { ModelConfig } from '../services/modelConfigService.js';
 import type { AnySchema } from 'ajv';
+import type { A2AAuthConfig } from './auth-provider/types.js';

 /**
 * Describes the possible termination modes for an agent.
@@ -108,6 +109,12 @@ export interface RemoteAgentDefinition<
 > extends BaseAgentDefinition {
 kind: 'remote';
 agentCardUrl: string;
+ /**
+ * Optional authentication configuration for the remote agent.
+ * If not specified, the agent will try to use defaults based on the AgentCard's
+ * security requirements.
+ */
+ auth?: A2AAuthConfig;
 }

 export type AgentDefinition =
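Review bot: In `packages/core/src/agents/auth-provider/types.ts` the comments on `key`, `token`, `username` and `password` say a value may be `$ENV_VAR`, `!command` or a literal, but they do not say which config sources may use the `!command` form, and the code that resolves these values is not part of this patch. Since that form presumably runs a local command to obtain the secret, the type is the place to record the trust rule, for example `/** The secret. Supports $ENV_VAR, !command, or literal; !command is honoured only in user-owned config. */` (wording to be matched to the resolver). `client_secret` on `OAuth2AuthConfig` and `OpenIdConnectAuthConfig` has no comment, so a reader cannot tell whether it is resolved the same way or always stored as a literal. `location: 'query'` also deserves a line noting that the key then appears in request URLs and in whatever logs them.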
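Review bot: The new comment on `auth` in `RemoteAgentDefinition` (`packages/core/src/agents/types.ts`) says that without it the agent "will try to use defaults based on the AgentCard's security requirements", which leaves open whether a card fetched from `agentCardUrl` can by itself cause credentials to be attached. The card is supplied by the remote side, so the comment should name the defaults and state that limit, e.g. `* When omitted, only <default provider> is considered, and only if the AgentCard lists a matching scheme.` with the placeholder filled in from the implementation. The interface body starts before this hunk and the defaulting behaviour itself is outside this patch, so this is a documentation request rather than a reported defect.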