fix(spec): Fix/1251 clarify authentication scheme#1256
…ub.com/a2aproject/A2A into fix/1251-clarify-authentication-scheme
Summary of Changes
Hello @darrelmiller, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request focuses on improving the clarity and precision of documentation within the
Highlights
Code Review
This pull request improves the clarity of comments related to push notification authentication in the a2a.proto specification. The changes fix a grammatical error and provide much more specific and helpful descriptions for authentication schemes and credentials, including links to relevant standards. While the changes are a definite improvement, they also bring to light a potential ambiguity in how credentials should be handled when multiple authentication schemes are specified. I've added a comment to discuss this further.
| message AuthenticationInfo { | ||
| // A list of supported authentication schemes (e.g., 'Basic', 'Bearer'). | ||
| // HTTP Authentication Schemes from the [IANA registry](https://www.iana.org/assignments/http-authschemes/). | ||
| // Common values: `Bearer`, `Basic`, `Digest`. Scheme names are case-insensitive per [RFC 9110 Section 11.1](https://www.rfc-editor.org/rfc/rfc9110#section-11.1). | ||
| repeated string schemes = 1 [(google.api.field_behavior) = REQUIRED]; | ||
| // Optional credentials | ||
| // Push Notification credentials. Format depends on the scheme (e.g., token for Bearer). | ||
| string credentials = 2; | ||
| } |
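Review bot: the new comment on `credentials` (`Format depends on the scheme (e.g., token for Bearer)`) still leaves the Basic case underspecified: it should say whether the string is the raw `user:pass` pair or the already base64-encoded value, because the receiving agent has to know whether to encode before it builds the `Authorization` header, and a wrong guess produces a silently failing callback. While touching this comment, it would also help to state that `credentials` is a secret the agent stores on behalf of the client and must not be echoed back in responses or written to logs.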
While the updated comments provide much-needed clarity, they also highlight a potential ambiguity in the design of AuthenticationInfo. The schemes field is a repeated string, allowing a client to specify multiple supported authentication schemes for its webhook (e.g., Bearer and Basic). However, the credentials field is a single string.
This becomes problematic because the format of credentials is often scheme-specific. For example, a Bearer token is different from Basic auth credentials (base64(user:pass)).
How is an agent supposed to use the single credentials string if multiple schemes are listed? It's unclear which scheme the credentials belong to or how to format the Authorization header.
To resolve this, you could consider one of the following:
- Clarify in comments (non-breaking): Add a comment recommending that clients specify only one scheme in the `schemes` list if credentials are required, to avoid ambiguity.
- Refactor the message (breaking change): A more robust long-term solution would be to refactor this message to explicitly link credentials to their scheme. For example:

```proto
message AuthSchemeWithCredentials {
  string scheme = 1;
  string credentials = 2;
}

message AuthenticationInfo {
  repeated AuthSchemeWithCredentials schemes = 1;
}
```
Given this PR is focused on clarification, option 1 might be more appropriate for now. A follow-up issue could be created to discuss a potential breaking change for a future version.
@darrelmiller Gemini makes a good point here. Maybe not the specific refactor it suggests, but it could make sense to use AuthenticationInfo as a repeated field in PushNotificationConfig
@holtskinner Yes, we need to fix this. I would choose to remove the repeated completely. Why would a calling agent provide multiple options for the server agent to use, considering it is providing all the information needed for the server agent to authenticate the callback. I think a single scheme should be sufficient.
@darrelmiller if we address this comment we can merge the PR.
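The rule the thread converges on (one scheme, one credentials string), worked through as an added example that is not part of this PR, the A2A spec or its SDKs. It shows how a server agent would turn `AuthenticationInfo` into the `Authorization` header for the push-notification callback, and why a `repeated` scheme list paired with one opaque string cannot be resolved safely. The `AuthenticationInfo` dataclass only mirrors the two proto field names; the single-scheme requirement, the decision that Basic credentials arrive as raw `user:pass`, and the function names are this example's assumptions, not spec text.

```python
"""Build the Authorization header for an A2A push-notification callback.

Added example for this thread; not code from the A2A spec or SDKs. The
dataclass mirrors the two fields of a2a.proto's AuthenticationInfo as shown
in the review; every rule below is this example's own assumption.
"""
import base64
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AuthenticationInfo:
    schemes: list[str] = field(default_factory=list)  # mirrors `repeated string schemes`
    credentials: str = ""                              # mirrors `string credentials`


class AmbiguousAuthentication(ValueError):
    """Credentials were supplied but the config does not say which scheme they fit."""


def _canonical(scheme: str) -> str:
    # RFC 9110 section 11.1: scheme names are case-insensitive. Compare lower-cased,
    # but emit the registered spelling so the receiving webhook sees a clean header.
    return scheme.strip().lower()


def _reject_header_injection(value: str) -> None:
    # CR/LF or NUL in a header value lets a hostile config smuggle extra headers or
    # truncate the request; fail closed instead of handing it to the HTTP client.
    if any(ch in value for ch in ("\r", "\n", "\0")):
        raise ValueError("credentials contain characters not allowed in a header")


def build_authorization_header(info: AuthenticationInfo) -> Optional[str]:
    """Return the Authorization header value, or None when no credentials were given."""
    if not info.credentials:
        return None
    _reject_header_injection(info.credentials)

    schemes = [s for s in info.schemes if s.strip()]
    if len(schemes) != 1:
        # The ambiguity raised in review: one opaque string cannot serve several
        # schemes, so refuse rather than guess which one the client meant.
        raise AmbiguousAuthentication(
            f"credentials present but {len(schemes)} scheme(s) listed: {schemes!r}"
        )

    scheme = _canonical(schemes[0])
    if scheme == "bearer":
        # Assumption: credentials is the bare token; RFC 9110 token68 has no spaces.
        token = info.credentials
        if any(ch.isspace() for ch in token):
            raise ValueError("Bearer token must be a single token68 value")
        return f"Bearer {token}"
    if scheme == "basic":
        # Assumption: credentials holds the raw user-id:password pair (RFC 7617 forbids
        # ':' in the user-id; the password may contain one). Encoding happens here so
        # callers never double-encode.
        if ":" not in info.credentials:
            raise ValueError("Basic credentials must be 'user:password'")
        encoded = base64.b64encode(info.credentials.encode("utf-8")).decode("ascii")
        return f"Basic {encoded}"
    raise ValueError(f"unsupported authentication scheme: {schemes[0]!r}")


if __name__ == "__main__":
    # Constructed sample configs, as a client might send in PushNotificationConfig.
    print(build_authorization_header(AuthenticationInfo(["Bearer"], "tok-123")))
    print(build_authorization_header(AuthenticationInfo(["basic"], "user:pass")))
    try:
        build_authorization_header(AuthenticationInfo(["Bearer", "Basic"], "tok-123"))
    except AmbiguousAuthentication as exc:
        print("rejected:", exc)
```

Refusing a multi-scheme config outright, instead of picking the first entry or trying each scheme in turn, is the safer default: a guess either fails the callback silently or sends a credential in a shape the client did not intend.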
/vote
Vote created
@muscariello has called for a vote on
The members of the following teams have binding votes:
Non-binding votes are also appreciated as a sign of support!
How to vote
You can cast your vote by reacting to
Please note that voting for multiple options is not allowed and those votes won't be counted. The vote will be open for
Vote status
So far
Summary
Binding votes (1)
Vote status
So far
Summary
Binding votes (2)
In the TSC meeting on Jan 6th, we discussed how to move forward on this issue. The decision was to simplify this design and limit the scheme property to be just a single value in AuthenticationInfo.
Vote status
So far
Summary
Binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| Tehsmash | In favor | 2026-01-13 9:21:32.0 +00:00:00 |
Vote status
So far
Summary
Binding votes (3)
| User | Vote | Timestamp |
|---|---|---|
| Tehsmash | In favor | 2026-01-13 9:21:32.0 +00:00:00 |
| lerhaupt | In favor | 2026-01-13 21:54:05.0 +00:00:00 |
Vote status
So far
Summary
Binding votes (4)
| User | Vote | Timestamp |
|---|---|---|
| Tehsmash | In favor | 2026-01-13 9:21:32.0 +00:00:00 |
| lerhaupt | In favor | 2026-01-13 21:54:05.0 +00:00:00 |
Vote closed
The vote passed! 🎉
Summary
Binding votes (5)
🤖 I have created a release *beep* *boop*

---

## [1.0.0](v0.3.0...v1.0.0) (2026-03-12)

### ⚠ BREAKING CHANGES

* **spec:** Combine `TaskPushNotificationConfig` and `PushNotificationConfig` ([#1500](#1500))
* **spec:** remove duplicated ID from the create task push config request ([#1487](#1487))
* **spec:** pluralize configs in `ListTaskPushNotificationConfigs` ([#1486](#1486))
* **spec:** Add LF prefix to the package. ([#1474](#1474))
* **spec:** Switch to non-complex IDs in requests ([#1389](#1389))
* **spec:** Standardize spelling of "canceled" to use American Spelling throughout ([#1283](#1283))
* **spec:** Align enum format with ADR-001 ProtoJSON specification ([#1384](#1384))
* **spec:** Remove redundant `final` field from `TaskStatusUpdateEvent` ([#1308](#1308))
* **spec:** Move `extendedAgentCard` field to `AgentCapabilities` ([#1307](#1307))
* **spec:** Fixes for the last_updated_after field ([#1358](#1358))
* **spec:** modernize oauth 2.0 flows - remove implicit/password, add device code / pkce ([#1303](#1303))
* **spec:** Make "message" field name consistent between protocol bindings ([#1302](#1302))
* **spec:** Remove deprecated fields from a2a.proto for v1.0 release ([#1301](#1301))
* **spec:** Rename `supportsAuthenticatedExtendedCard` to `supportsExtendedAgentCard` ([#1222](#1222))
* **spec:** Remove v1s from a2a url http bindings
* **spec:** Large refactor of specification to separate application protocol definition from mapping to transports

### Features

* **spec:** Add `tasks/list` method with filtering and pagination to the specification ([0a9f629](0a9f629))
* **spec:** modernize oauth 2.0 flows - remove implicit/password, add device code / pkce ([#1303](#1303)) ([525ff38](525ff38))
* **spec:** Natively Support Multi-tenancy on gRPC through an additional scope field on the request. ([#1195](#1195)) ([cfbce32](cfbce32)), closes [#1148](#1148)
* **spec:** Provide ability for SDKs to be backwards compatible. ([#1401](#1401)) ([227e249](227e249))
* **spec:** Remove v1s from a2a url http bindings ([1bd263f](1bd263f))

### Bug Fixes

* Add missing metadata field to Part message in gRPC specification ([#1019](#1019)) ([b3b266d](b3b266d)), closes [#1005](#1005)
* Add name field to FilePart protobuf message ([#983](#983)) ([2b7cb6f](2b7cb6f)), closes [#984](#984)
* Clarify blocking calls return on interrupted states ([#1403](#1403)) ([0655ff3](0655ff3))
* **doc:** Makes JSON-RPC SendMessage response clearer ([#1241](#1241)) ([5792804](5792804))
* **docs:** Clearer wording around context id. ([#1588](#1588)) ([dec790a](dec790a))
* **grpc:** Fix inconsistent property name between gRPC and JSON-RPC in Message object ([#1100](#1100)) ([2a1f819](2a1f819))
* **grpc:** missing field in gRPC spec - state_transition_history ([#1138](#1138)) ([a2de798](a2de798)), closes [#1139](#1139)
* **grpc:** Update `CreateTaskPushNotificationConfig` endpoint to `/v1/{parent=tasks/*/pushNotificationConfigs}` ([#979](#979)) ([911f9b0](911f9b0))
* **proto:** Add icon_url to a2a.proto ([#986](#986)) ([17e7f62](17e7f62))
* **proto:** Adds metadata field to A2A DataPart proto ([#1004](#1004)) ([a8b45dc](a8b45dc))
* Remove unimplemented state_transition_history capability field ([#1396](#1396)) ([c768a44](c768a44)), closes [#1228](#1228)
* Restore CreateTaskPushNotificationConfig method naming ([#1402](#1402)) ([d14f410](d14f410))
* Revert "chore(gRPC): Update a2a.proto to include metadata on GetTaskRequest" ([#1000](#1000)) ([e6b8c65](e6b8c65))
* Simplify Part message structure by flattening FilePart and DataPart ([#1411](#1411)) ([bfae8f7](bfae8f7))
* **spec:** Add LF prefix to the package. ([#1474](#1474)) ([a54e809](a54e809))
* **spec:** add metadata to `CancelTaskRequest` ([#1485](#1485)) ([c441b91](c441b91)), closes [#1484](#1484)
* **spec:** Added clarification on timestamps in HTTP query params ([#1425](#1425)) ([6292104](6292104))
* **spec:** Added clarifying text around messages and artifacts ([#1424](#1424)) ([b03d141](b03d141))
* **spec:** Adjust field number for `ListTasksRequest.tenant` to prevent missing number ([#1470](#1470)) ([cd16c52](cd16c52))
* **spec:** Clarify contextId behavior when message is sent with taskId but without contextId ([#1309](#1309)) ([a336a5a](a336a5a))
* **spec:** Clarify versioning strategy and client responsibilities in protocol specification ([#1259](#1259)) ([a4afeea](a4afeea))
* **spec:** Fix/1251 clarify authentication scheme ([#1256](#1256)) ([3e6c7db](3e6c7db))
* **spec:** Fixes for the last_updated_after field ([#1358](#1358)) ([0e204bf](0e204bf))
* **spec:** Make "message" field name consistent between protocol bindings ([#1302](#1302)) ([1e5f462](1e5f462)), closes [#1230](#1230)
* **spec:** make `history_length` optional ([#1071](#1071)) ([0572953](0572953))
* **spec:** pluralize configs in `ListTaskPushNotificationConfigs` ([#1486](#1486)) ([cf735cb](cf735cb))
* **spec:** Remove config from binding. ([#1587](#1587)) ([010b9cc](010b9cc))
* **spec:** Remove deprecated fields from a2a.proto for v1.0 release ([#1301](#1301)) ([60f83c3](60f83c3)), closes [#1227](#1227)
* **spec:** remove duplicated ID from the create task push config request ([#1487](#1487)) ([393898d](393898d))
* **spec:** Remove metadata field from ListTasksRequest ([#1235](#1235)) ([b6ef9ee](b6ef9ee))
* **spec:** Remove reserved and fix tags ordering ([#1494](#1494)) ([1997c9d](1997c9d))
* **spec:** Rename `supportsAuthenticatedExtendedCard` to `supportsExtendedAgentCard` ([#1222](#1222)) ([c196824](c196824)), closes [#1215](#1215)
* **spec:** Standardize spelling of "canceled" to use American Spelling throughout ([#1283](#1283)) ([4dd980f](4dd980f))
* **spec:** Suggest Unique Identifier fields to be UUID ([#966](#966)) ([00cf76e](00cf76e))
* **spec:** Switch to non-complex IDs in requests ([#1389](#1389)) ([2596c1c](2596c1c)), closes [#1390](#1390)
* **spec:** Update security schemes example ([#1364](#1364)) ([f9a8f5b](f9a8f5b))
* Update the Java tutorials and descriptions ([#1181](#1181)) ([202aa06](202aa06))

### Documentation

* **spec:** Align enum format with ADR-001 ProtoJSON specification ([#1384](#1384)) ([810eaa1](810eaa1)), closes [#1344](#1344)

### Code Refactoring

* **spec:** Combine `TaskPushNotificationConfig` and `PushNotificationConfig` ([#1500](#1500)) ([d1ed0da](d1ed0da))
* **spec:** Large refactor of specification to separate application protocol definition from mapping to transports ([b078419](b078419))
* **spec:** Move `extendedAgentCard` field to `AgentCapabilities` ([#1307](#1307)) ([40d6286](40d6286))
* **spec:** Remove redundant `final` field from `TaskStatusUpdateEvent` ([#1308](#1308)) ([5b101cc](5b101cc))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Co-authored-by: Amye Scavarda Perrin <amye@amye.org> Co-authored-by: Holt Skinner <13262395+holtskinner@users.noreply.github.com>
Fixes #1251