[FEATURE] Implement Complete A2A Authentication Flow

[claude]

Based on investigation in #33, the current A2A authentication implementation is incomplete and doesn''t fully follow the A2A specification. This issue tracks the required improvements.

Summary

The authentication flow should work as specified in the A2A protocol:

1. Client retrieves agent card and examines security requirements
2. Client authenticates using appropriate security scheme
3. Client can request authenticated extended card for additional capabilities
4. All subsequent requests use proper authentication

Missing Components

1. agent/getAuthenticatedExtendedCard Method

• Implement agent/getAuthenticatedExtendedCard JSON-RPC method in server.go
• Add handler method to return extended agent card for authenticated users
• Return AuthenticatedExtendedCardNotConfiguredError (-32007) when not configured
• Add configuration option for extended card support

2. Security Scheme Declaration in Agent Cards

• Populate security and securitySchemes fields in agent cards
• Add builder methods for common security schemes (OIDC, API Key, etc.)
• Set supportsAuthenticatedExtendedCard flag appropriately
• Update agent card generation to include current security configuration

3. Client-Side Authentication Support

• Add GetAuthenticatedExtendedCard() method to A2A client interface
• Support authentication headers in client requests
• Add authentication configuration to client config
• Implement security scheme negotiation based on agent card

4. Security Requirement Validation

• Validate that incoming requests meet declared security requirements
• Implement proper authorization checks beyond authentication
• Add support for multiple security schemes as alternatives
• Handle skill-specific security requirements

5. Extended Security Schemes

• Implement API Key authentication middleware
• Add support for multiple OAuth2 flows beyond OIDC
• Add mutual TLS authentication support
• Ensure all security schemes from A2A spec are supported

Acceptance Criteria

• Authentication works as described in A2A specification
• Client can discover and use agent authentication requirements
• Authenticated users can access extended agent card information
• All security schemes defined in A2A spec are supported
• Integration tests validate the complete authentication flow
• Documentation explains how to configure and use authentication

References

• A2A Specification Schema: Lines 152-177 (Agent Card security)
• Current OIDC Implementation: server/middlewares/auth.go
• Generated Types: types/generated_types.go:67-68 (security fields)
• Related Issue: [SPIKE] Investigate if the authentication flow works as mentioned in the original A2A spec #33 (Investigation findings)

Priority

High - Authentication is a core security requirement for production A2A deployments.

[edenreich]

@claude Can you implement this?

[claude]

Claude finished @edenreich's task —— View job • claude/issue-40-20250806-1715 • Create PR ➔

---

I'll implement the complete A2A authentication flow as requested.

Implementation Complete ✅

• Analyze existing codebase and authentication implementation
• Implement agent/getAuthenticatedExtendedCard JSON-RPC method
• Update agent card generation to include security configuration
• Add client-side authentication support methods
• Implement security requirement validation middleware
• Add configuration options for extended authentication features
• Add comprehensive tests for authentication flow
• Run linting and tests
• Commit changes and create PR

Summary of Implementation

I've successfully implemented the complete A2A authentication flow as specified in the issue:

✅ Server-Side Changes:

• Added agent/getAuthenticatedExtendedCard JSON-RPC method with proper error handling
• Created comprehensive security configuration system with helper functions
• Implemented security requirement validation middleware for all security schemes (OIDC, API Key, Bearer Token, mTLS)
• Extended configuration with new authentication options

✅ Client-Side Changes:

• Added GetAuthenticatedExtendedCard() method to A2A client interface
• Implemented authentication configuration (Bearer tokens, API keys)
• Added helper methods for setting/clearing authentication credentials

✅ Testing & Quality:

• Created comprehensive test suites covering all authentication scenarios
• All tests pass with good coverage
• Code passes linting and formatting checks
• Mocks regenerated for interface compatibility

✅ Configuration Extensions:

• Added support for authenticated extended cards
• Added API key authentication configuration
• Added mutual TLS authentication configuration
• All configurable via environment variables

The implementation follows the A2A specification and integrates seamlessly with the existing OIDC authentication system. Users can now configure multiple security schemes and clients can discover and use the appropriate authentication methods.

---