[FEATURE]: Add query parameter authentication support for A2A agents #2195

@crivetimihai

Summary

Add query parameter authentication (auth_type=query_param) support for A2A (Agent-to-Agent) agents, similar to the support added for MCP gateways in PR #2164.

Background

Query parameter authentication appends API keys as URL query parameters for upstream servers that require this authentication method (e.g., Tavily MCP server). This feature was implemented for MCP gateways but was explicitly excluded from A2A agents to keep the scope manageable.

Requirements

Core Implementation

  • Add auth_query_param_key and auth_query_param_value fields to A2A agent schemas (A2AAgentCreate, A2AAgentUpdate, A2AAgentRead)
  • Add auth_query_params column to the A2A agent database model (encrypted dict storage)
  • Update A2A service layer to handle query_param authentication:
    • Registration: encrypt and store auth params
    • Update: handle auth param changes
    • Health checks: decrypt and apply params to URL
    • Agent invocation: decrypt and apply params to request URL

Security Controls

  • Respect INSECURE_ALLOW_QUERYPARAM_AUTH feature flag (disabled by default)
  • Respect INSECURE_QUERYPARAM_AUTH_ALLOWED_HOSTS allowlist
  • Use sanitize_url_for_logging() to redact secrets in logs
  • Use sanitize_exception_message() to redact URLs in error messages
  • Mask auth values in API responses using settings.masked_auth_value

Admin UI

  • Add query_param auth option to A2A agent create/edit forms
  • Show/hide auth_query_param_key and auth_query_param_value fields based on auth_type selection

Testing

  • Unit tests for A2A service query_param handling
  • Unit tests for schema validation
  • Integration tests for A2A agent registration/update with query_param auth

Reference Implementation

See PR #2164 and the following files for the MCP gateway implementation:

  • mcpgateway/schemas.py - Schema validation for query_param auth
  • mcpgateway/services/gateway_service.py - Service layer handling
  • mcpgateway/utils/url_auth.py - URL helper functions
  • tests/unit/mcpgateway/services/test_gateway_query_param_auth.py - Test patterns

Security Note

Query parameter authentication is inherently insecure (CWE-598: Use of GET Request Method With Sensitive Query Strings). API keys in URLs may appear in proxy logs, browser history, and server access logs. This feature should only be used when the upstream server requires this authentication method and no alternative is available.
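
The controls listed under Security Controls, sketched as an added example (not code from this issue, PR #2164, or the project; it does not reproduce the signatures of the helpers in mcpgateway/utils/url_auth.py). The function names, the `MASK` constant, the fail-closed allowlist behaviour and the sample host are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MASK = "*****"  # constructed placeholder standing in for a masked auth value


def apply_query_param_auth(url, auth_params, *, enabled=False, allowed_hosts=()):
    """Append already-decrypted auth params to url (hypothetical helper).

    Fails closed: the feature flag must be on AND the target host must be
    listed explicitly (assumption; the project's allowlist semantics may differ).
    """
    if not enabled:
        raise PermissionError("query-param auth is disabled")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        # The message names only the host, never the query string.
        raise PermissionError(f"host {host!r} is not allowlisted")
    # Drop caller-supplied copies of the auth keys so the stored value wins.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in auth_params]
    query.extend(auth_params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_url(url, sensitive_keys):
    """Mask the values of sensitive query keys before logging (hypothetical helper)."""
    parts = urlsplit(url)
    query = [(k, MASK if k in sensitive_keys else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # safe="*" keeps the mask readable instead of percent-encoding it.
    return urlunsplit(parts._replace(query=urlencode(query, safe="*")))


if __name__ == "__main__":
    # Constructed sample values; agent.example.com is not a real agent.
    full = apply_query_param_auth(
        "https://agent.example.com/a2a?v=1",
        {"api_key": "s3cr3t"},
        enabled=True,
        allowed_hosts=["agent.example.com"],
    )
    print("request URL (never log this):", full)
    print("log-safe URL:", redact_url(full, {"api_key"}))
```
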

Labels

a2a (Support for A2A protocol), wxo (wxo integration)
