fix: propagate authorization header to subagents#1757
fix: propagate authorization header to subagents#1757towsif-rahman wants to merge 7 commits intokagent-dev:mainfrom
Conversation
towsif-rahman
requested review from
EItanya,
iplay88keys,
jmhbh,
peterj,
supreme-gg-gg and
yuval-k
as code owners
github-actions
Bot
added
bug
There was a problem hiding this comment.
Pull request overview
Propagates the parent agent session’s request headers (notably Authorization) into sub-agent A2A calls so JWT/auth context is preserved across supervisor → sub-agent delegation, including HITL resume flows.
Changes:
- Add
_build_subagent_call_context()to includesession.state["headers"]inClientCallContextfor both first-call and resume paths. - Update
_SubagentInterceptorto forward the parentAuthorizationheader (case-insensitive) while preserving existingx-user-idandx-kagent-sourcebehavior. - Add unit tests covering call context header propagation and interceptor filtering/override behavior.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
python/packages/kagent-adk/src/kagent/adk/_remote_a2a_tool.py |
Build A2A call contexts with session headers and forward Authorization via the subagent interceptor. |
python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py |
Add focused unit tests for header propagation into call contexts and for interceptor behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
towsif-rahman
force-pushed
the
fix/subagent-authorization-forwarding
branch
from
8678a21 to
d8551b4
Compare
Signed-off-by: Towsif Rahman <towsif.rahman@sanofi.com>
towsif-rahman
force-pushed
the
fix/subagent-authorization-forwarding
branch
from
d8551b4 to
97adb51
Compare
supreme-gg-gg
left a comment
supreme-gg-gg
left a comment
There was a problem hiding this comment.
hi @towsif-rahman, the changes look good here. Can you also do it for the go runtime: https://github.com/kagent-dev/kagent/blob/main/go/adk/pkg/tools/remote_a2a_tool.go
Signed-off-by: Towsif Rahman <towsif.rahman@sanofi.com>
towsif-rahman
force-pushed
the
fix/subagent-authorization-forwarding
branch
from
33e76c2 to
d381ee9
Compare
|
@supreme-gg-gg Added same implementation to Go runtime |
Signed-off-by: Towsif Rahman <towsif.rahman@sanofi.com>
|
@supreme-gg-gg Pushed a change for Go lint.. would you mind running again |
| // userIDForwardingInterceptor forwards the session user_id as an x-user-id header. | ||
| type userIDForwardingInterceptor struct { | ||
| // authorizationHeaderContextKey is the context key for passing the parent Authorization header to the subagent. | ||
| type authorizationHeaderContextKey struct{} |
There was a problem hiding this comment.
I really don't like that we're creating new context keys for all of our values. Can we re-use something similar to this PR: #1733
There was a problem hiding this comment.
Agreed, we should also do the same for userID here so there's no need for context keys for the interceptor and it's self-contained (reads directly from A2A server and tool context)
Doesn't seem like it passed, can you make sure to run it locally... |
Summary
Authorizationheader from_SubagentInterceptorwhile preserving existingx-user-idandx-kagent-sourceheaders.Test plan
UV_NATIVE_TLS=true UV_PROJECT_ENVIRONMENT=/home/ubuntu/oneai_devops/kagent/.venv ../.venv/bin/uv run --python /home/ubuntu/oneai_devops/kagent/.venv/bin/python pytest ./packages/kagent-adk/tests/unittests/test_remote_a2a_tool.pyCloses #1745