feat(server): support A2A protocol#2656
Conversation
|
hey! thanks for contribution - we'll check this after the weekend. |
core/server/src/http/jwt/jwks.rs
Outdated
|
|
||
| #[derive(Debug, Deserialize)] | ||
| struct Jwk { | ||
| kty: String, |
There was a problem hiding this comment.
Should we make it an enum, you could use strum with all the helpers like here:
#[derive(Clone, Copy, Debug, Default, Display, PartialEq, Eq, Serialize, Deserialize)]
#[strum(serialize_all = "snake_case")]
#[serde(rename_all = "snake_case")]
pub enum McpTransport {
#[default]
#[strum(to_string = "http")]
Http,
#[strum(to_string = "stdio")]
Stdio,
}
Then the match you do later on becomes easier.
core/server/src/http/jwt/jwks.rs
Outdated
| kid: &str, | ||
| ) -> Result<DecodingKey, anyhow::Error> { | ||
| if let Err(e) = self.refresh_keys(issuer, jwks_url).await { | ||
| return Err(anyhow::anyhow!("Failed to refresh keys: {}", e)); |
There was a problem hiding this comment.
Please use the existing custom error enums we already have - feel free to add new custom variants if needed or reuse existing ones.
core/server/src/http/jwt/jwks.rs
Outdated
|
|
||
| #[derive(Debug, Clone)] | ||
| pub struct JwksClient { | ||
| cache: Arc<IggyRwLock<HashMap<CacheKey, DecodingKey>>>, |
There was a problem hiding this comment.
Maybe just use DashMap instead?
core/server/src/http/jwt/jwks.rs
Outdated
| .ok_or_else(|| anyhow::anyhow!("Key not found in cache after refresh")) | ||
| } | ||
|
|
||
| async fn refresh_keys(&self, issuer: &str, jwks_url: &str) -> Result<(), anyhow::Error> { |
There was a problem hiding this comment.
Same here regarding all the errors, don't use anyhow, please fix in all places returning errors.
core/server/src/http/jwt/jwks.rs
Outdated
|
|
||
| for key in jwks.keys { | ||
| if let Some(kid) = key.kid { | ||
| let decoding_key: DecodingKey = match key.kty.as_str() { |
There was a problem hiding this comment.
Here you could match using the previously added enum, also makes sense to make the string lowercase first.
| if let Some(config) = self.trusted_issuer.get(&insecure.claims.iss) { | ||
| debug!("Found trusted issuer config: {}", config.issuer); | ||
| if let Some(kid_str) = kid.as_deref() { | ||
| if let Some(decoding_key) = self |
There was a problem hiding this comment.
Please try to avoid multiple levels of if statements, better to return/break quickly whenever possible with let Some() or let Ok() patterns.
|
Thank you for the contribution, made a few comments here and there :) Is that all required to fully support A2A, as you wrote that I'd close #1762 which is the full integration? Also, is there a way to do the proper integration/e2e testing like e..g for existing MCP runtime to ensure it works well with A2A as the full transport? |
core/server/Cargo.toml
Outdated
| rustls-pemfile = { workspace = true } | ||
| send_wrapper = { workspace = true } | ||
| serde = { workspace = true } | ||
| serde_json.workspace = true |
There was a problem hiding this comment.
Stick to serde_json = { workspace = true } etc. everywhere
|
|
||
| Ok(()) | ||
| } | ||
| } |
There was a problem hiding this comment.
Please extend this file with unit tests matching the existing conventions to ensure that at least the logic JwksClientlikerefresh_keys` or so is correct.
|
Thanks for the review! All comments are clear and I will address every point as suggested. |
|
when testing, see how |
hubcio
changed the title
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## master #2656 +/- ##
==========================================
+ Coverage 69.50% 69.60% +0.09%
==========================================
Files 568 569 +1
Lines 55238 55430 +192
Branches 55238 55430 +192
==========================================
+ Hits 38394 38581 +187
Misses 14967 14967
- Partials 1877 1882 +5
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
|
It looks like something went wrong with your rebase: |
Tyooughtul
force-pushed
the
feat/server/a2a-jwt-jwks
branch
from
95c2994 to
bd98498
Compare
- Support JWKS for A2A compliant secure agent authentication - Enable key rotation without restarting the server - Allow agents from different tenants to publish to the same Iggy bus
…ness macro Extend `#[iggy_harness]` with `jwks_server(...)` attribute to support declarative JWKS mock server setup, as suggested in review to follow the harness macro convention used for MCP and connectors. - Fix the problem as suggested - Add `jwks_server(store_path = "...")` attribute to #[iggy_harness] - Add `config_path` to server(...) for custom TOML via IGGY_CONFIG_PATH - Start WireMock MockServer and inject trusted issuer env vars before server startup - Add ServerHandle::add_env() for pre-start env var injection - Add 4 e2e tests: valid_token, expired_token, unknown_issuer, missing_token with RSA key pair and JWKS fixtures
Tyooughtul
force-pushed
the
feat/server/a2a-jwt-jwks
branch
from
bd98498 to
b85afac
Compare
😱 sorry, I fetched the wrong branch. I have corrected it. |
3 participants
Which issue does this PR close?
Closes #1762
Rationale
A2A protocol requires JWKS support to enable secure agent authentication with multiple identity providers. This change allows agents from different tenants to authenticate using their own public keys, and supports key rotation without requiring server restarts.
What changed?
Added JWKS support for secure agent-to-agent authentication. The implementation includes a JwksClient that fetches and caches public keys from JWKS endpoints, integrated JWKS into JwtManager for multi-tenant agent authentication, and updated HTTP middleware to support asynchronous JWT decoding. Also added TrustedIssuerConfig to support configuring multiple trusted issuers.
Local Execution
AI Usage
debug!to help me find bugs。cargo check --package serverandcargo build --package server.