feat(server): support A2A protocol #2656

Merged
spetz merged 14 commits into apache:master from Tyooughtul:feat/server/a2a-jwt-jwks
Apr 10, 2026

@Tyooughtul
Contributor

Which issue does this PR close?

Closes #1762

Rationale

A2A protocol requires JWKS support to enable secure agent authentication with multiple identity providers. This change allows agents from different tenants to authenticate using their own public keys, and supports key rotation without requiring server restarts.

What changed?

Added JWKS support for secure agent-to-agent authentication. The implementation includes a JwksClient that fetches and caches public keys from JWKS endpoints, integrated JWKS into JwtManager for multi-tenant agent authentication, and updated HTTP middleware to support asynchronous JWT decoding. Also added TrustedIssuerConfig to support configuring multiple trusted issuers.

Local Execution

  • Passed
  • Pre-commit hooks ran

AI Usage

  1. Which tools? Grok fast
  2. Scope of usage?
  • I use AI to write test cases and run scripts.
  • Some config code to test code:
# Trusted issuers for A2A (Application-to-Application) authentication
[[http.jwt.trusted_issuers]]
issuer = "test-issuer"
jwks_url = "http://127.0.0.1:8081/.well-known/jwks.json"
audience = "iggy.apache.org"
  • Some debug! to help me find bugs.
  3. How did you verify the generated code works correctly?
  • Compile successfully with cargo check --package server and cargo build --package server.
  • Test case passed.
  4. Can you explain every line of the code if asked? Yes

@Tyooughtul Tyooughtul closed this Jan 31, 2026
@Tyooughtul Tyooughtul reopened this Jan 31, 2026
@hubcio
Contributor

hubcio commented Jan 31, 2026

hey! thanks for contribution - we'll check this after the weekend.

@spetz
Contributor

spetz commented Feb 2, 2026

Thank you for the contribution, made a few comments here and there :)

Is that all required to fully support A2A, as you wrote that it'd close #1762 which is the full integration?

Also, is there a way to do the proper integration/e2e testing like e.g. for existing MCP runtime to ensure it works well with A2A as the full transport?

@Tyooughtul
Contributor Author

Thanks for the review! All comments are clear and I will address every point as suggested.
I think this PR covers the full A2A support as mentioned in #1762. I will also add the corresponding integration/e2e tests for the MCP runtime & A2A.

@hubcio
Contributor

hubcio commented Feb 3, 2026

when testing, see how iggy_harness macro is used for connectors in #2667 or mcp (already merged). we're in the middle of refactor to use it everywhere, so it'd be great if you could use it in your tests (assuming you'll write some tests for this A2A).

@hubcio hubcio changed the title from "feat(server): Support A2A protocol (apache#1762)" to "feat(server): support A2A protocol" Feb 3, 2026
@codecov

codecov bot commented Feb 6, 2026

Codecov Report

❌ Patch coverage is 77.01149% with 80 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.51%. Comparing base (70b8d36) to head (037e49d).
⚠️ Report is 1 commits behind head on master.

Files with missing lines Patch % Lines
core/server/src/http/jwt/jwks.rs 78.52% 25 Missing and 10 partials ⚠️
core/server/src/http/jwt/jwt_manager.rs 79.24% 21 Missing and 1 partial ⚠️
core/server/src/http/jwt/json_web_token.rs 63.63% 19 Missing and 1 partial ⚠️
core/configs/src/server_config/defaults.rs 0.00% 1 Missing ⚠️
core/sdk/src/client_provider.rs 0.00% 1 Missing ⚠️
core/server/src/http/jwt/middleware.rs 85.71% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             master    #2656    +/-   ##
==========================================
  Coverage     70.50%   70.51%            
  Complexity      943      943            
==========================================
  Files          1115     1117     +2     
  Lines         95388    95717   +329     
  Branches      72589    72935   +346     
==========================================
+ Hits          67256    67496   +240     
- Misses        25657    25709    +52     
- Partials       2475     2512    +37     
Components Coverage Δ
Rust Core 70.56% <77.01%> (+0.03%) ⬆️
Java SDK 62.30% <ø> (ø)
C# SDK 69.10% <ø> (-0.31%) ⬇️
Python SDK 81.43% <ø> (ø)
Node SDK 91.53% <ø> (ø)
Go SDK 38.97% <ø> (ø)
Files with missing lines Coverage Δ
core/common/src/error/iggy_error.rs 100.00% <ø> (ø)
...es/configuration/http_config/http_client_config.rs 100.00% <100.00%> (ø)
...guration/http_config/http_client_config_builder.rs 61.11% <100.00%> (+61.11%) ⬆️
core/configs/src/server_config/http.rs 66.66% <ø> (ø)
core/sdk/src/clients/client_builder.rs 59.88% <100.00%> (+5.02%) ⬆️
core/sdk/src/clients/consumer.rs 67.21% <100.00%> (+0.13%) ⬆️
core/sdk/src/http/http_client.rs 91.91% <100.00%> (+0.46%) ⬆️
core/configs/src/server_config/defaults.rs 0.00% <0.00%> (ø)
core/sdk/src/client_provider.rs 48.02% <0.00%> (-0.32%) ⬇️
core/server/src/http/jwt/middleware.rs 74.54% <85.71%> (+7.23%) ⬆️
... and 3 more

... and 19 files with indirect coverage changes


@hubcio
Contributor

hubcio commented Feb 6, 2026

It looks like something went wrong with your rebase:
[image]

@Tyooughtul Tyooughtul force-pushed the feat/server/a2a-jwt-jwks branch 2 times, most recently from bd98498 to b85afac February 6, 2026 16:11
@Tyooughtul
Contributor Author

> It looks like something went wrong with your rebase: [image]

😱 sorry, I fetched the wrong branch. I have corrected it.

@Tyooughtul Tyooughtul force-pushed the feat/server/a2a-jwt-jwks branch 2 times, most recently from 28f9cb5 to dff37e2 February 13, 2026 14:11
@hubcio
Contributor

hubcio commented Feb 19, 2026

Hello @Tyooughtul
did you resolve all comments from @spetz ?
Do you plan to continue?

@Tyooughtul
Contributor Author

> Hello @Tyooughtul did you resolve all comments from @spetz ? Do you plan to continue?

Hi @hubcio , I think I’ve addressed all comments from @spetz, and the PR is ready for review. I’ll keep following up and fix any issues promptly. 😊

@Tyooughtul
Contributor Author

Hi @spetz @hubcio,
I've addressed all the previous review comments. Could you please take another look when you have a moment? Thanks!
Also, could you let me know if a second review from another maintainer is needed to meet the merge requirements?
Additionally, it seems the workflow is awaiting approval from a maintainer to run the CI checks. Would you mind approving that as well?
Thanks for your time!

@spetz
Contributor

spetz commented Feb 21, 2026

@Tyooughtul sure, the CI has started again, however I can see that there are still some pending comments waiting to be resolved.

@Tyooughtul Tyooughtul force-pushed the feat/server/a2a-jwt-jwks branch from 24f9624 to 0b3ec9f February 22, 2026 02:12
@Tyooughtul
Contributor Author

Tyooughtul commented Feb 22, 2026

Hi @spetz,
All review comments have been addressed and pushed. All newly added tests pass. PTAL when you have time, thanks! 😊

@github-actions

github-actions bot commented Mar 5, 2026

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.

If you need a review, please ensure CI is green and the PR is rebased on the latest master. Don't hesitate to ping the maintainers - either @core on Discord or by mentioning them directly here on the PR.

Thank you for your contribution!

@github-actions github-actions bot added the stale Inactive issue or pull request label Mar 5, 2026
@Tyooughtul Tyooughtul requested a review from spetz March 27, 2026 01:47
- Support JWKS for A2A compliant secure agent authentication
- Enable key rotation without restarting the server
- Allow agents from different tenants to publish to the same Iggy bus

rebase to the newest master
…ness macro

Extend `#[iggy_harness]` with `jwks_server(...)` attribute to support
declarative JWKS mock server setup, as suggested in review to follow
the harness macro convention used for MCP and connectors.
- Fix the problem as suggested
- Add `jwks_server(store_path = "...")` attribute to #[iggy_harness]
- Add `config_path` to server(...) for custom TOML via IGGY_CONFIG_PATH
- Start WireMock MockServer and inject trusted issuer env vars before
  server startup
- Add ServerHandle::add_env() for pre-start env var injection
- Add 4 e2e tests: valid_token, expired_token, unknown_issuer,
  missing_token with RSA key pair and JWKS fixtures
…hardening

- Add Audience enum supporting both string and array formats
- Add JWKS key cache cleanup for revoked/rotated keys
- Add issuer URL normalization for case-insensitive matching
- Reject A2A token refresh (they have their own lifecycle)
- Map A2A tokens to configured user_id instead of JWT sub claim
- Prevent A2A tokens from mapping to root user
- Use IggyClient SDK instead of raw HTTP requests
- Add seed function to create A2A user with permissions
- Add test for array audience support
- Update test fixtures and configuration
- solve conflict in Cargo.lock and DEPENDENCIES.md
- re-enable standalone consumer polling on connect
…with_jwt to make naming more concise, following review feedback.
- move normalize_issuer_url to bottom of file, add unit tests
- replace HTTP client with compio official implementation
- bump iggy SDK version to 0.10.1
@Tyooughtul Tyooughtul force-pushed the feat/server/a2a-jwt-jwks branch from bea5b33 to 104ed82 April 9, 2026 23:55
@Tyooughtul Tyooughtul requested a review from spetz April 9, 2026 23:56
spetz previously approved these changes Apr 10, 2026
@spetz
Contributor

spetz commented Apr 10, 2026

LGTM, thanks for all the changes, it's been a while :D

hubcio previously approved these changes Apr 10, 2026
mmodzelewski previously approved these changes Apr 10, 2026
@spetz
Contributor

spetz commented Apr 10, 2026

Looks like a typo in tests to fix

assertion `left == right` failed
  left: "https://example.com/"
 right: "https://example.com"
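
As an added example (not code from this PR or from Iggy), the sketch below shows the checks that the hardening commits and the failing assertion point at: issuer normalization applied to both the configured and the presented issuer, string-or-array audience matching, and replacing the cached JWKS so rotated keys stop matching. The type names, the normalization rule (trim, strip trailing slash, lowercase) and the sample issuer, audience and key values are assumptions; signature verification is omitted.

```rust
use std::collections::HashMap;

// Hypothetical types for illustration; not Iggy's JwksClient or JwtManager.
pub enum Audience { One(String), Many(Vec<String>) }

struct TrustedIssuer {
    audience: String,
    keys: HashMap<String, String>, // kid -> public key (opaque placeholder)
}

#[derive(Default)]
pub struct IssuerTable(HashMap<String, TrustedIssuer>);

// Assumed normalization: trim, drop trailing '/', lowercase.
pub fn normalize_issuer(iss: &str) -> String {
    iss.trim().trim_end_matches('/').to_ascii_lowercase()
}

impl IssuerTable {
    pub fn trust(&mut self, issuer: &str, audience: &str) {
        let t = TrustedIssuer { audience: audience.into(), keys: HashMap::new() };
        self.0.insert(normalize_issuer(issuer), t);
    }

    // Replace the cached keys with a fresh JWKS so rotated-out kids stop matching.
    pub fn refresh(&mut self, issuer: &str, jwks: &[(&str, &str)]) {
        if let Some(t) = self.0.get_mut(&normalize_issuer(issuer)) {
            t.keys = jwks.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
        }
    }

    // Pre-signature checks: configured issuer, matching audience, known kid.
    pub fn select_key(&self, iss: &str, aud: &Audience, kid: &str) -> Result<&str, &'static str> {
        let t = self.0.get(&normalize_issuer(iss)).ok_or("unknown issuer")?;
        let aud_ok = match aud {
            Audience::One(a) => *a == t.audience,
            Audience::Many(list) => list.contains(&t.audience),
        };
        if !aud_ok { return Err("audience mismatch"); }
        t.keys.get(kid).map(String::as_str).ok_or("unknown kid")
    }
}

fn main() {
    let mut table = IssuerTable::default();
    table.trust("https://example.com/", "iggy.apache.org"); // constructed values
    table.refresh("https://example.com", &[("k1", "PUBKEY-1")]);
    let aud = Audience::Many(vec!["other".into(), "iggy.apache.org".into()]);
    println!("{:?}", table.select_key("HTTPS://example.com", &aud, "k1"));
}
```

Because the same function normalizes the configured issuer and the token's `iss`, a trailing-slash or case difference between the two cannot cause a mismatch, and a key dropped from the issuer's JWKS is rejected as soon as the cache is refreshed.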

@Tyooughtul Tyooughtul dismissed stale reviews from mmodzelewski, hubcio, and spetz via 037e49d April 10, 2026 08:24
@spetz spetz merged commit e7be6dd into apache:master Apr 10, 2026
80 checks passed

Development

Successfully merging this pull request may close these issues.

Integration with Google Agent2Agent Protocol

4 participants