feat!: Add mTLS to SecuritySchemes, add oauth2 metadata url field, allow Skills to specify Security #362
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @a2a-bot, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request updates the A2A specification, primarily focusing on expanding security capabilities and introducing a mechanism for authenticated extended agent cards. Key changes include adding support for mTLS security, enhancing OAuth2 scheme definitions with metadata URLs, and allowing individual agent skills to specify their own security requirements. Additionally, a new API endpoint for retrieving authenticated extended agent cards has been introduced, along with a clarification that task IDs are now generated by the server.
Highlights
- New Security Scheme: Introduced a
MutualTlsSecuritySchemeto support mTLS authentication within the A2A specification. - Enhanced OAuth2 Security: The
OAuth2SecuritySchemenow includes anoauth2_metadata_urlfield, allowing for better discovery of OAuth 2.0 authorization server metadata. - Agent Skill Security: The
AgentSkilldefinition has been extended to include asecurityfield, enabling individual skills to specify their own security requirements. - Authenticated Extended Agent Card: New request (
GetAuthenticatedExtendedCardRequest) and success/error response types (GetAuthenticatedExtendedCardSuccessResponse,AuthenticatedExtendedCardNotConfiguredError) have been added to support fetching an authenticated extended agent card. - Task ID Generation Update: The responsibility for generating task IDs has been clarified to be solely on the server side, rather than client or agent.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
holtskinner
changed the title
There was a problem hiding this comment.
Code Review
This pull request includes several updates to the A2A specification, including adding security requirements to AgentSkill, introducing a new error model, adding a new security scheme, updating descriptions, and clarifying the source of the task ID. The changes related to serialized start and end values in a2a_pb2.py might introduce backwards compatibility issues and should be carefully reviewed and documented.
…042466d176ec75ebda
holtskinner
deleted the
auto-update-a2a-types-e162c0c6c4f609d2f4eef9042466d176ec75ebda
branch
🤖 I have created a release *beep* *boop* --- ## [0.3.0](v0.2.16...v0.3.0) (2025-07-31) ### ⚠ BREAKING CHANGES * **deps:** Make opentelemetry an optional dependency ([#369](#369)) * **spec:** Update Agent Card Well-Known Path to `/.well-known/agent-card.json` ([#320](#320)) * Remove custom `__getattr__` and `__setattr__` for `camelCase` fields in `types.py` ([#335](#335)) * Add mTLS to SecuritySchemes, add oauth2 metadata url field, allow Skills to specify Security ([#362](#362)) * Support for serving agent card at deprecated path ([#352](#352)) ### Features * Add `metadata` as parameter to `TaskUpdater.update_status()` ([#371](#371)) ([9444ed6](9444ed6)) * Add mTLS to SecuritySchemes, add oauth2 metadata url field, allow Skills to specify Security ([#362](#362)) ([be6c517](be6c517)) * Add RESTful API Serving ([#348](#348)) ([82a6b7c](82a6b7c)) * Add server-side support for plumbing requested and activated extensions ([#333](#333)) ([4d5b92c](4d5b92c)) * Allow agent cards (default and extended) to be dynamic ([#365](#365)) ([ee92aab](ee92aab)) * Support for serving agent card at deprecated path ([#352](#352)) ([2444034](2444034)) * support non-blocking `sendMessage` ([#349](#349)) ([70b4999](70b4999)) * Type update to support fetching extended card ([#361](#361)) ([83304bb](83304bb)) ### Bug Fixes * Add Input Validation for Task Context IDs in new_task Function ([#340](#340)) ([a7ed7ef](a7ed7ef)) * **deps:** Reduce FastAPI library required version to `0.95.0` ([#372](#372)) ([a319334](a319334)) * Remove `DeprecationWarning` for regular properties ([#345](#345)) ([2806f3e](2806f3e)) * **spec:** Add `SendMessageRequest.request` `json_name` mapping to `message` proto ([bc97cba](bc97cba)) * **spec:** Add Transport enum to specification (a2aproject/A2A#909) ([d9e463c](d9e463c)) ### Documentation * Address typos in docstrings and docs. ([#370](#370)) ([ee48d68](ee48d68)) ### Miscellaneous Chores * Add support for authenticated extended card method ([#356](#356)) ([b567e80](b567e80)) ### Code Refactoring * **deps:** Make opentelemetry an optional dependency ([#369](#369)) ([9ad8b96](9ad8b96)) * Remove custom `__getattr__` and `__setattr__` for `camelCase` fields in `types.py` ([#335](#335)) ([cd94167](cd94167)) * **spec:** Update Agent Card Well-Known Path to `/.well-known/agent-card.json` ([#320](#320)) ([270ea9b](270ea9b)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Description
This PR makes changes to our security representations in AgentCards:
securityfield. This allows agents to indicate security requirements for leveraging a particular skill.I also clarified the usage and expectations for the
securityfield in the base AgentCard.This change is marked backwards incompatible due to the addition of the MutualTLSSecurityScheme, which adds a new type to an exhaustive enum (the security scheme
anyOf).Release-As: 0.3.0
Protocol Update: a2aproject/A2A@e162c0c