datarobot_genai.dragent.plugins.auth_a2a_client
auth_a2a_client
AgentCardAware
Bases: Protocol
Protocol for auth providers that need the agent card before authenticate().
:class:_AuthenticatedA2ABaseClient checks for this via isinstance
and calls :meth:set_agent_card automatically after card resolution.
Source code in datarobot_genai/dragent/plugins/auth_a2a_client.py
set_agent_card
A2ADiscoveryAuthMixin
Bases: ABC
Mixin for auth providers that need different credentials for agent card discovery.
Without this mixin, _AuthenticatedA2ABaseClient calls authenticate() for
both discovery and call phases. Implement authenticate_for_discovery() to
supply separate headers for the agent card GET.
Source code in datarobot_genai/dragent/plugins/auth_a2a_client.py
authenticate_for_discovery
abstractmethod
async
Return HTTP headers for the agent card GET request.
Returns
dict[str, str] Header name → value pairs to attach to the agent card HTTP request.
Source code in datarobot_genai/dragent/plugins/auth_a2a_client.py
AgentCardRegistryLookup
Bases: BaseModel
Identifies an agent card in the central DataRobot agent card registry.
Exactly one of deployment_id or external_id must be specified.
The registry is queried using standard DataRobot API-token authentication
(DATAROBOT_API_TOKEN), which avoids the chicken-and-egg problem where the
agent's own card endpoint requires per-agent AuthN/AuthZ.
Example YAML::
registry:
deployment_id: "64a1b2c3d4e5f6a7b8c9d0e1"
Source code in datarobot_genai/dragent/plugins/auth_a2a_client.py
AuthenticatedA2AClientConfig
Bases: A2AClientConfig
A2A client config with separate discovery and call-phase auth.
Supports two modes for agent card resolution:
Direct fetch (existing behaviour) — set url to the agent's base URL
and the card is fetched from {url}/.well-known/agent-card.json::
function_groups:
my_agent:
_type: authenticated_a2a_client
url: "http://agent.example.com:8080"
auth_provider: my_auth
Central registry lookup — set registry with either deployment_id
or external_id. The card is fetched from the DataRobot central agent card
registry using DATAROBOT_API_TOKEN, and the agent's RPC URL is derived
from the card's advertised url::
function_groups:
my_agent:
_type: authenticated_a2a_client
registry:
deployment_id: "64a1b2c3d4e5f6a7b8c9d0e1"
auth_provider: okta_auth
The two modes are mutually exclusive.
Source code in datarobot_genai/dragent/plugins/auth_a2a_client.py
AuthenticatedA2AClientFunctionGroup
Bases: A2AClientFunctionGroup
Uses :class:_AuthenticatedA2ABaseClient so both A2A phases are authenticated.
Source code in datarobot_genai/dragent/plugins/auth_a2a_client.py
428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 | |
add_function
Intercept function registration to wrap fn with error handling.
In degraded mode (registry lookup failed), replaces fn entirely
with one that raises the stored error — so _wrap_a2a_function
catches it and returns an actionable message to the LLM.
This avoids coupling to NAT's client method signatures or protocols.
Source code in datarobot_genai/dragent/plugins/auth_a2a_client.py
authenticated_a2a_client
async
authenticated_a2a_client(config: AuthenticatedA2AClientConfig, _builder: Builder) -> AsyncGenerator[Any, None]
NAT factory for :class:AuthenticatedA2AClientFunctionGroup.