fix: propagate authorization header to subagents#1757
Open
towsif-rahman wants to merge 2 commits intokagent-dev:mainfrom
Open
fix: propagate authorization header to subagents#1757towsif-rahman wants to merge 2 commits intokagent-dev:mainfrom
towsif-rahman wants to merge 2 commits intokagent-dev:mainfrom
Conversation
towsif-rahman
requested review from
EItanya,
iplay88keys,
jmhbh,
peterj,
supreme-gg-gg and
yuval-k
as code owners
github-actions
Bot
added
bug
Contributor
There was a problem hiding this comment.
Pull request overview
Propagates the parent agent session’s request headers (notably Authorization) into sub-agent A2A calls so JWT/auth context is preserved across supervisor → sub-agent delegation, including HITL resume flows.
Changes:
- Add
_build_subagent_call_context()to includesession.state["headers"]inClientCallContextfor both first-call and resume paths. - Update
_SubagentInterceptorto forward the parentAuthorizationheader (case-insensitive) while preserving existingx-user-idandx-kagent-sourcebehavior. - Add unit tests covering call context header propagation and interceptor filtering/override behavior.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
python/packages/kagent-adk/src/kagent/adk/_remote_a2a_tool.py |
Build A2A call contexts with session headers and forward Authorization via the subagent interceptor. |
python/packages/kagent-adk/tests/unittests/test_remote_a2a_tool.py |
Add focused unit tests for header propagation into call contexts and for interceptor behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
towsif-rahman
force-pushed
the
fix/subagent-authorization-forwarding
branch
from
8678a21 to
d8551b4
Compare
Signed-off-by: Towsif Rahman <towsif.rahman@sanofi.com>
towsif-rahman
force-pushed
the
fix/subagent-authorization-forwarding
branch
from
d8551b4 to
97adb51
Compare
Contributor
supreme-gg-gg
left a comment
supreme-gg-gg
left a comment
There was a problem hiding this comment.
hi @towsif-rahman, the changes look good here. Can you also do it for the go runtime: https://github.com/kagent-dev/kagent/blob/main/go/adk/pkg/tools/remote_a2a_tool.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Authorizationheader from_SubagentInterceptorwhile preserving existingx-user-idandx-kagent-sourceheaders.Test plan
UV_NATIVE_TLS=true UV_PROJECT_ENVIRONMENT=/home/ubuntu/oneai_devops/kagent/.venv ../.venv/bin/uv run --python /home/ubuntu/oneai_devops/kagent/.venv/bin/python pytest ./packages/kagent-adk/tests/unittests/test_remote_a2a_tool.pyCloses #1745