Merged
Extends query parameter authentication (introduced for MCP gateways in #1580) to A2A agents, allowing API keys to be passed as URL query parameters when invoking remote agents.

Changes:
- Add auth_query_param_key/value fields to A2AAgentCreate/Update schemas
- Add _mask_query_param_auth validator to A2AAgentRead for secure display
- Update A2A service register/update/invoke methods with query_param handling
- Add feature flag and host allowlist enforcement in service layer
- Apply query params to endpoint URL during agent invocation
- Sanitize URLs in logs to prevent credential leakage
- Add query_param option and fields to Admin UI (add/edit forms)
- Update admin.js handlers for A2A query_param auth type
- Create separate migration for a2a_agents.auth_query_params column
- Add comprehensive test coverage (9 new tests)

Security: Includes CWE-598 warning in UI about URL-based credentials. Requires INSECURE_ALLOW_QUERYPARAM_AUTH=true to enable.

Closes #2195

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
kcostell06 pushed a commit to kcostell06/mcp-context-forge that referenced this pull request Feb 24, 2026
* feat: Add query parameter authentication support for A2A agents

Extends query parameter authentication (introduced for MCP gateways in IBM#1580) to A2A agents, allowing API keys to be passed as URL query parameters when invoking remote agents.

Changes:
- Add auth_query_param_key/value fields to A2AAgentCreate/Update schemas
- Add _mask_query_param_auth validator to A2AAgentRead for secure display
- Update A2A service register/update/invoke methods with query_param handling
- Add feature flag and host allowlist enforcement in service layer
- Apply query params to endpoint URL during agent invocation
- Sanitize URLs in logs to prevent credential leakage
- Add query_param option and fields to Admin UI (add/edit forms)
- Update admin.js handlers for A2A query_param auth type
- Create separate migration for a2a_agents.auth_query_params column
- Add comprehensive test coverage (9 new tests)

Security: Includes CWE-598 warning in UI about URL-based credentials. Requires INSECURE_ALLOW_QUERYPARAM_AUTH=true to enable.

Closes IBM#2195

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Lint fixes

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Lint fixes

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Lint fixes

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Extends query parameter authentication support (introduced for MCP gateways in #1580) to A2A agents, allowing API keys to be passed as URL query parameters when invoking remote agents.
- auth_query_param_key and auth_query_param_value fields to A2A agent schemas
- _mask_query_param_auth validator for secure display of credentials
- register_agent, update_agent, and invoke_agent with query_param handling
- INSECURE_ALLOW_QUERYPARAM_AUTH) and host allowlist enforcement
- _call_a2a_agent)
- a2a_agents.auth_query_params column

Security: Includes CWE-598 warning in UI about URL-based credentials.
Closes #2195
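
The gating, URL construction and log sanitization listed in the description can be sketched as follows. This is an added example, not code from this pull request or the project: the function names, `ALLOWED_HOSTS` and the sample host are hypothetical, and only the `INSECURE_ALLOW_QUERYPARAM_AUTH` flag name comes from the page.

```python
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical allowlist; the page names the flag but not the allowlist setting.
ALLOWED_HOSTS = {"agents.example.com"}
REDACTED = "REDACTED"


def query_param_auth_enabled(env=None):
    """Feature flag check: disabled unless explicitly set to 'true'."""
    env = os.environ if env is None else env
    return env.get("INSECURE_ALLOW_QUERYPARAM_AUTH", "false").strip().lower() == "true"


def apply_query_param_auth(endpoint_url, key, value, env=None, allowed_hosts=ALLOWED_HOSTS):
    """Return endpoint_url with key=value set, enforcing flag and host allowlist."""
    if not query_param_auth_enabled(env):
        raise PermissionError("query parameter auth is disabled")
    parts = urlsplit(endpoint_url)
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise PermissionError(f"host {host!r} is not allowlisted for query parameter auth")
    # Replace any existing value for the key instead of appending a duplicate.
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != key]
    params.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(params)))


def sanitize_url_for_log(url, secret_keys):
    """Redact secret query parameter values and drop userinfo before logging."""
    parts = urlsplit(url)
    params = [(k, REDACTED if k in secret_keys else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    netloc = parts.netloc.rpartition("@")[2]  # strip any user:password@ prefix
    return urlunsplit(parts._replace(netloc=netloc, query=urlencode(params)))
```

Log only the output of `sanitize_url_for_log`; the URL returned by `apply_query_param_auth` carries the credential and can still be recorded by proxies and the remote server's access logs, which is the CWE-598 exposure the UI warning refers to.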