feat(core): implement HTTP authentication support for A2A remote agents #20510

Merged: SandyTao520 merged 7 commits into main from st/feat/remote-agent-auth on Mar 2, 2026

Conversation

SandyTao520 (Contributor) commented Feb 26, 2026

Summary

This PR implements comprehensive HTTP authentication support for A2A remote agents. It enables agents to use Bearer, Basic, and custom IANA schemes (via a Generic Raw mode) as defined in their Markdown frontmatter, transitioning the previous TODO state into a fully functional system.

Details

  • HttpAuthProvider Implementation: Full support for Bearer and Basic schemes, plus a Generic Raw mode for extensible IANA scheme support (e.g., Authorization: <scheme> <value>).
  • Dynamic Credential Resolution: Updated AgentRegistry and RemoteAgentInvocation to use A2AAuthProviderFactory, allowing agents to resolve secrets via environment variables ($ENV) or shell commands (!command) for all HTTP fields.
  • Enhanced Agent Loader: Updated Zod schemas to support the new value field in agent Markdown frontmatter and ensured proper validation of HTTP schemes.
  • Server-Side Support: Updated the a2a-server Agent Card and added a customUserBuilder to validate credentials during testing.
  • Security & DX: Implemented masked logging for sensitive headers in the server and fixed TypeScript strict mode issues to maintain code quality.

Related Issues

Related to #17599

How to Validate

  1. Unit Tests:
    • npm test -w @google/gemini-cli-core -- src/agents/auth-provider/http-provider.test.ts
    • npm test -w @google/gemini-cli-core -- src/agents/agentLoader.test.ts
    • npm test -w @google/gemini-cli-core -- src/agents/remote-invocation.test.ts
    • npm test -w @google/gemini-cli-core -- src/agents/registry.test.ts
  2. Manual E2E:
    • Verify connectivity using different authentication modes (Bearer, Basic, Raw) against a local A2A server.
    • Verify dynamic secret resolution via environment variables and shell commands in an agent's .md file.

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt

@SandyTao520 SandyTao520 requested a review from a team as a code owner February 26, 2026 23:32

gemini-cli bot (Contributor) commented Feb 26, 2026

Hi @SandyTao520, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this.

We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines.

Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed.

Thank you for your understanding and for being a part of our community!

gemini-code-assist bot (Contributor) commented

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the authentication capabilities for A2A remote agents by introducing robust support for various HTTP authentication schemes. This change provides greater flexibility in how remote agents can secure their interactions, moving beyond previous limitations and allowing for dynamic credential management and automatic retry mechanisms. The integration of a dedicated authentication provider factory streamlines the authentication process across the system, making it more extensible and maintainable.

Highlights

  • HTTP Authentication Support: Implemented comprehensive support for HTTP authentication schemes (Bearer, Basic, and custom schemes like Digest) for A2A remote agents, allowing authentication via standard Authorization headers.
  • Dynamic Credential Resolution: Introduced dynamic credential resolution, enabling tokens and credentials to be sourced from local shell command execution (prefixed with !) or environment variables (prefixed with $).
  • Automatic Retry Mechanism: Added logic to automatically re-resolve command-based credentials and retry requests once upon receiving 401 (Unauthorized) or 403 (Forbidden) HTTP responses.
  • Agent Loader and Configuration Updates: Updated the agent loader to parse and validate custom HTTP schemes and a new value field within Markdown frontmatter, enhancing flexibility for agent configuration.
  • Authentication Provider Factory Integration: Refactored agent discovery and execution to utilize a new A2AAuthProviderFactory for creating appropriate authentication handlers, centralizing authentication logic.
  • A2A Server Testing Enhancements: Modified the experimental A2A server to include optional authentication middleware, allowing for end-to-end testing of the new HTTP authentication features.

Changelog

  • packages/a2a-server/src/http/app.ts
    • Added Bearer, Basic, and Digest security schemes to the agent card definition.
    • Implemented an optional authentication middleware for testing purposes, verifying Authorization headers against environment variables for Bearer, Basic, and generic schemes.
  • packages/core/src/agents/agentLoader.test.ts
    • Added tests to verify parsing of remote agents with custom HTTP schemes (e.g., Digest) including a value field.
    • Added a test to ensure an error is thrown if a custom HTTP scheme is defined without a value.
  • packages/core/src/agents/agentLoader.ts
    • Extended FrontmatterAuthConfig to allow any string for scheme and added a new value field for generic HTTP schemes.
    • Updated httpAuthSchema to accept any string for scheme and included the optional value field.
    • Modified validation logic to enforce value for custom HTTP schemes (not Bearer or Basic).
    • Adjusted convertFrontmatterAuthToConfig to handle generic HTTP schemes with their associated value.
  • packages/core/src/agents/auth-provider/factory.ts
    • Imported HttpAuthProvider.
    • Updated the A2AAuthProviderFactory to instantiate and initialize HttpAuthProvider for 'http' type authentication configurations.
  • packages/core/src/agents/auth-provider/http-auth-provider.test.ts
    • Added a new test file for HttpAuthProvider.
    • Included tests for generating Bearer token headers from literal and command-based tokens.
    • Added tests for generating Basic auth headers from literal and command-based credentials.
    • Implemented tests for generating headers for custom schemes (e.g., Digest).
    • Added tests to verify the retry logic for command-based credentials on 401 responses and ensure no retry for literal credentials.
  • packages/core/src/agents/auth-provider/http-auth-provider.ts
    • Added a new file defining the HttpAuthProvider class.
    • Implemented initialize() to resolve tokens, usernames, passwords, or generic values, supporting $ for environment variables and ! for shell commands.
    • Implemented headers() to construct the appropriate Authorization header based on the configured scheme (Bearer, Basic, or generic).
    • Implemented shouldRetryWithHeaders() to re-resolve command-based credentials and retry requests upon 401/403 responses.
  • packages/core/src/agents/auth-provider/types.ts
    • Extended the HttpAuthConfig type to include a union for generic HTTP schemes, requiring a value field for non-Bearer/Basic schemes.
  • packages/core/src/agents/registry.ts
    • Imported A2AAuthProviderFactory.
    • Modified AgentRegistry to use A2AAuthProviderFactory.create to generate authentication handlers based on the agent definition's auth configuration, falling back to ADCHandler if no specific auth is defined.
  • packages/core/src/agents/remote-invocation.test.ts
    • Updated mocks to include A2AAuthProviderFactory.
    • Added a test case to verify that A2AAuthProviderFactory is used when an agent definition includes authentication configuration.
  • packages/core/src/agents/remote-invocation.ts
    • Imported A2AAuthProviderFactory.
    • Removed the direct instantiation of ADCHandler.
    • Refactored the execute method to dynamically create an authHandler using A2AAuthProviderFactory if definition.auth is present, otherwise defaulting to ADCHandler.

Activity

  • The pull request author, SandyTao520, has provided a detailed summary, validation steps, and a pre-merge checklist, indicating thorough preparation and testing of the changes.
  • The pre-merge checklist shows that documentation, tests, and platform validation (MacOS) have been addressed.

gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request introduces robust support for HTTP authentication in A2A remote agents, including Bearer, Basic, and custom schemes. The implementation correctly uses a factory for creating auth providers, handles dynamic credential resolution from shell commands and environment variables, and adds automatic retry logic on authentication failures. The agent loader and registry are updated accordingly, and new tests provide good coverage. I've identified one high-severity issue related to case-sensitive handling of authentication schemes, which could impact usability. My feedback includes a specific suggestion to make the new HttpAuthProvider more robust by handling schemes in a case-insensitive manner.
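
Added example, not part of the review comment above and not the project's code: a TypeScript sketch of the header construction this PR discusses, with case-insensitive scheme matching (the review's point) and masked logging (named in the follow-up commit). The type and function names, the `env` parameter and the sample values are assumptions; `!command` resolution is left out.

```typescript
// Added illustration; not the gemini-cli implementation. All names are hypothetical.
type HttpAuth =
  | { scheme: string; token: string }
  | { scheme: string; username: string; password: string }
  | { scheme: string; value: string };
type Env = Record<string, string | undefined>;

// "$NAME" is read from the supplied environment; anything else is a literal.
function resolveValue(raw: string, env: Env): string {
  if (!raw.startsWith('$')) return raw;
  const resolved = env[raw.slice(1)];
  if (!resolved) throw new Error(`environment variable ${raw.slice(1)} is not set`);
  return resolved;
}

function buildAuthorizationHeader(cfg: HttpAuth, env: Env): string {
  // Auth scheme names are case-insensitive, so compare on a normalized copy.
  const scheme = cfg.scheme.toLowerCase();
  let header: string;
  if ('token' in cfg) {
    if (scheme !== 'bearer') throw new Error(`token requires Bearer, got ${cfg.scheme}`);
    header = `Bearer ${resolveValue(cfg.token, env)}`;
  } else if ('username' in cfg) {
    if (scheme !== 'basic') throw new Error(`username requires Basic, got ${cfg.scheme}`);
    const user = resolveValue(cfg.username, env);
    // RFC 7617: the user-id cannot contain ':' because it delimits the password.
    if (user.includes(':')) throw new Error('Basic username must not contain ":"');
    const pair = `${user}:${resolveValue(cfg.password, env)}`;
    header = `Basic ${Buffer.from(pair, 'utf8').toString('base64')}`;
  } else {
    // Raw mode: "<scheme> <value>" exactly as configured.
    header = `${cfg.scheme} ${resolveValue(cfg.value, env)}`;
  }
  // A resolved secret containing CR/LF would otherwise split the header.
  if (/[\r\n]/.test(header)) throw new Error('Authorization value contains CR or LF');
  return header;
}

// Log form: keep the scheme for debugging, never the credential.
function maskAuthorization(header: string): string {
  const space = header.indexOf(' ');
  return space === -1 ? '[REDACTED]' : `${header.slice(0, space)} [REDACTED]`;
}
```
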

github-actions bot commented Feb 26, 2026

Size Change: +14.7 kB (+0.06%)

Total Size: 25.8 MB

Filename Size Change
./bundle/gemini.js 25.3 MB +14.7 kB (+0.06%)

Unchanged files:
Filename Size
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js 221 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js 227 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js 11.5 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js 132 B
./bundle/sandbox-macos-permissive-open.sb 890 B
./bundle/sandbox-macos-permissive-proxied.sb 1.31 kB
./bundle/sandbox-macos-restrictive-open.sb 3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb 3.56 kB
./bundle/sandbox-macos-strict-open.sb 4.82 kB
./bundle/sandbox-macos-strict-proxied.sb 5.02 kB


@gemini-cli gemini-cli bot added labels area/agent (Issues related to Core Agent, Tools, Memory, Sub-Agents, Hooks, Agent Quality) and 🔒 maintainer only (⛔ Do not contribute. Internal roadmap item.) Feb 26, 2026
@SandyTao520 SandyTao520 force-pushed the st/feat/remote-agent-auth branch from 6cae89c to 9c780ae Compare February 27, 2026 03:12
@SandyTao520 SandyTao520 force-pushed the st/feat/remote-agent-auth branch from 99f9288 to cfb1a49 Compare February 27, 2026 05:14
@SandyTao520 SandyTao520 force-pushed the st/feat/remote-agent-auth branch from cfb1a49 to 20e3baf Compare February 27, 2026 05:30
@SandyTao520 SandyTao520 force-pushed the st/feat/remote-agent-auth branch from 20e3baf to e15511f Compare February 27, 2026 06:42

adamfweidman (Contributor) left a comment

Looks good to me, just left a few comments

adamfweidman and others added 4 commits March 2, 2026 09:51
- Mask Authorization header value in server log to avoid leaking secrets
- Remove silent ADC fallback when auth is explicitly configured
- Guard retry re-initialization behind max-retries check
- Fix TypeScript narrowing by using 'in' operator for union discrimination
- Add tests for auth provider factory failure paths
…-gemini/gemini-cli into st/feat/remote-agent-auth

# Conflicts:
#	packages/a2a-server/src/http/app.ts
#	packages/core/src/agents/auth-provider/http-provider.ts
#	packages/core/src/agents/registry.test.ts
#	packages/core/src/agents/registry.ts
#	packages/core/src/agents/remote-invocation.test.ts
#	packages/core/src/agents/remote-invocation.ts
Default to no-auth when auth is not configured instead of
silently falling back to ADCHandler. ADC support can be
re-added later as an explicit auth type.
@SandyTao520 SandyTao520 added this pull request to the merge queue Mar 2, 2026
Merged via the queue into main with commit 446a431 Mar 2, 2026
27 checks passed
@SandyTao520 SandyTao520 deleted the st/feat/remote-agent-auth branch March 2, 2026 20:17
BryanBradfo pushed a commit to BryanBradfo/gemini-cli that referenced this pull request Mar 5, 2026
…ts (google-gemini#20510)

Co-authored-by: Adam Weidman <adamfweidman@google.com>
struckoff pushed a commit to struckoff/gemini-cli that referenced this pull request Mar 6, 2026
…ts (google-gemini#20510)

Co-authored-by: Adam Weidman <adamfweidman@google.com>
liamhelmer pushed a commit to badal-io/gemini-cli that referenced this pull request Mar 12, 2026
…ts (google-gemini#20510)

Co-authored-by: Adam Weidman <adamfweidman@google.com>