return a 404 instead of public card from extended card EP

Author: dmandar

src/a2a/server/apps/starlette_app.py

@@ -12,29 +12,17 @@
 from starlette.responses import JSONResponse, Response
 from starlette.routing import Route
 
+from a2a.server.context import ServerCallContext
 from a2a.server.request_handlers.jsonrpc_handler import JSONRPCHandler
 from a2a.server.request_handlers.request_handler import RequestHandler
-from a2a.server.context import ServerCallContext
-from a2a.types import (
-    A2AError,
-    A2ARequest,
-    AgentCard,
-    CancelTaskRequest,
-    GetTaskPushNotificationConfigRequest,
-    GetTaskRequest,
-    InternalError,
-    InvalidRequestError,
-    JSONParseError,
-    JSONRPCError,
-    JSONRPCErrorResponse,
-    JSONRPCResponse,
-    SendMessageRequest,
-    SendStreamingMessageRequest,
-    SendStreamingMessageResponse,
-    SetTaskPushNotificationConfigRequest,
-    TaskResubscriptionRequest,
-    UnsupportedOperationError,
-)
+from a2a.types import (A2AError, A2ARequest, AgentCard, CancelTaskRequest,
+                       GetTaskPushNotificationConfigRequest, GetTaskRequest,
+                       InternalError, InvalidRequestError, JSONParseError,
+                       JSONRPCError, JSONRPCErrorResponse, JSONRPCResponse,
+                       SendMessageRequest, SendStreamingMessageRequest,
+                       SendStreamingMessageResponse,
+                       SetTaskPushNotificationConfigRequest,
+                       TaskResubscriptionRequest, UnsupportedOperationError)
 from a2a.utils.errors import MethodNotImplementedError
 
 logger = logging.getLogger(__name__)
@@ -80,6 +68,13 @@ def __init__(
         self.handler = JSONRPCHandler(
             agent_card=agent_card, request_handler=http_handler
         )
+        if (
+            self.agent_card.supportsAuthenticatedExtendedCard
+            and self.extended_agent_card is None
+        ):
+            logger.error(
+                'AgentCard.supportsAuthenticatedExtendedCard is True, but no extended_agent_card was provided. The /agent/authenticatedExtendedCard endpoint will return 404.'
+            )
         self._context_builder = context_builder
 
     def _generate_error_response(
@@ -345,10 +340,12 @@ async def _handle_get_authenticated_extended_agent_card(
                     mode='json', exclude_none=True
                 )
             )
-        # Otherwise, if supportsAuthenticatedExtendedCard is true but no specific
-        # extended card is set, serve the main agent_card.
+        # If supportsAuthenticatedExtendedCard is true, but no specific
+        # extended_agent_card was provided during server initialization,
+        # return a 404
         return JSONResponse(
-            self.agent_card.model_dump(mode='json', exclude_none=True)
+            {'error': 'Authenticated extended agent card is supported but not configured on the server.'},
+            status_code=404,
         )
 
     def routes(

tests/server/test_integration.py

@@ -8,27 +8,14 @@
 from starlette.testclient import TestClient
 
 from a2a.server.apps.starlette_app import A2AStarletteApplication
-from a2a.types import (
-    AgentCapabilities,
-    AgentCard,
-    Artifact,
-    DataPart,
-    InternalError,
-    InvalidRequestError,
-    JSONParseError,
-    Part,
-    PushNotificationConfig,
-    Task,
-    TaskArtifactUpdateEvent,
-    TaskPushNotificationConfig,
-    TaskState,
-    TaskStatus,
-    TextPart,
-    UnsupportedOperationError,
-)
+from a2a.types import (AgentCapabilities, AgentCard, Artifact, DataPart,
+                       InternalError, InvalidRequestError, JSONParseError,
+                       Part, PushNotificationConfig, Task,
+                       TaskArtifactUpdateEvent, TaskPushNotificationConfig,
+                       TaskState, TaskStatus, TextPart,
+                       UnsupportedOperationError)
 from a2a.utils.errors import MethodNotImplementedError
 
-
 # === TEST SETUP ===
 
 MINIMAL_AGENT_SKILL: dict[str, Any] = {
@@ -151,21 +138,6 @@ def test_authenticated_extended_agent_card_endpoint_not_supported(
     assert response.status_code == 404 # Starlette's default for no route
 
 
-def test_authenticated_extended_agent_card_endpoint_supported_no_specific_extended_card(
-    agent_card: AgentCard, handler: mock.AsyncMock
-):
-    """Test extended card endpoint returns main card if supported but no specific extended card is set."""
-    agent_card.supportsAuthenticatedExtendedCard = True
-    app_instance = A2AStarletteApplication(agent_card, handler)
-    client = TestClient(app_instance.build())
-
-    response = client.get('/agent/authenticatedExtendedCard')
-    assert response.status_code == 200
-    data = response.json()
-    assert data['name'] == agent_card.name # Should be the main agent card
-    assert data['version'] == agent_card.version
-
-
 def test_authenticated_extended_agent_card_endpoint_supported_with_specific_extended_card(
     agent_card: AgentCard,
     extended_agent_card_fixture: AgentCard,