feat(server): support A2A protocol #2656

Open
Tyooughtul wants to merge 6 commits into apache:master from Tyooughtul:feat/server/a2a-jwt-jwks

@Tyooughtul

Which issue does this PR close?

Closes #1762

Rationale

A2A protocol requires JWKS support to enable secure agent authentication with multiple identity providers. This change allows agents from different tenants to authenticate using their own public keys, and supports key rotation without requiring server restarts.

What changed?

Added JWKS support for secure agent-to-agent authentication. The implementation includes a JwksClient that fetches and caches public keys from JWKS endpoints, integrated JWKS into JwtManager for multi-tenant agent authentication, and updated HTTP middleware to support asynchronous JWT decoding. Also added TrustedIssuerConfig to support configuring multiple trusted issuers.

Local Execution

  • Passed
  • Pre-commit hooks ran

AI Usage

  1. Which tools? Grok fast
  2. Scope of usage?
  • I use AI for writing test cases and running scripts.
  • Some config code to test code:
# Trusted issuers for A2A (Application-to-Application) authentication
[[http.jwt.trusted_issuers]]
issuer = "test-issuer"
jwks_url = "http://127.0.0.1:8081/.well-known/jwks.json"
audience = "iggy.apache.org"
  • Some debug! to help me find bugs.
  3. How did you verify the generated code works correctly?
  • Compile successfully with cargo check --package server and cargo build --package server.
  • Test case passed.
  4. Can you explain every line of the code if asked? Yes
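
The key-resolution step that the description above implies, as an added example (not code from this PR): the JWKS URL is taken from the configured trusted issuer rather than from the token, and an unknown `kid` triggers a rate-limited refetch so rotated keys are picked up without a restart. `TrustedIssuer`, `JwksCache`, `Reject`, the `fetch` closure standing in for the HTTP request, and the 60-second interval are assumptions; signature and expiry checks come after this step.

```rust
use std::collections::HashMap;

// Hypothetical types for illustration; not the PR's JwksClient or TrustedIssuerConfig.
pub struct TrustedIssuer { pub jwks_url: String, pub audience: String }

#[derive(Debug, PartialEq)]
pub enum Reject { UnknownIssuer, WrongAudience, UnknownKey }

pub struct JwksCache<F: FnMut(&str) -> Vec<(String, String)>> {
    issuers: HashMap<String, TrustedIssuer>,
    keys: HashMap<String, HashMap<String, String>>, // issuer -> kid -> key
    last_fetch: HashMap<String, u64>,               // issuer -> unix seconds
    min_refetch_secs: u64,
    fetch: F, // stands in for the HTTP GET of the JWKS document
    pub fetches: u32,
}

impl<F: FnMut(&str) -> Vec<(String, String)>> JwksCache<F> {
    pub fn new(issuers: HashMap<String, TrustedIssuer>, min_refetch_secs: u64, fetch: F) -> Self {
        Self { issuers, keys: HashMap::new(), last_fetch: HashMap::new(), min_refetch_secs, fetch, fetches: 0 }
    }

    /// Pick the verification key for a token's still-unverified `iss`, `aud` and `kid`.
    pub fn resolve(&mut self, iss: &str, aud: &str, kid: &str, now: u64) -> Result<String, Reject> {
        // The JWKS URL is taken from server config only, never from the token.
        let cfg = self.issuers.get(iss).ok_or(Reject::UnknownIssuer)?;
        if cfg.audience != aud { return Err(Reject::WrongAudience); }
        if let Some(k) = self.keys.get(iss).and_then(|m| m.get(kid)) { return Ok(k.clone()); }
        // Unknown kid may mean a rotated key: refetch, but at most once per interval per issuer.
        let due = self.last_fetch.get(iss).map_or(true, |t| now.saturating_sub(*t) >= self.min_refetch_secs);
        if due {
            let fresh: HashMap<String, String> = (self.fetch)(cfg.jwks_url.as_str()).into_iter().collect();
            self.fetches += 1;
            self.keys.insert(iss.to_string(), fresh);
            self.last_fetch.insert(iss.to_string(), now);
        }
        self.keys.get(iss).and_then(|m| m.get(kid)).cloned().ok_or(Reject::UnknownKey)
    }
}

fn main() {
    // Constructed sample config, mirroring the test-issuer entry on this page.
    let mut issuers = HashMap::new();
    issuers.insert("test-issuer".to_string(), TrustedIssuer {
        jwks_url: "http://127.0.0.1:8081/.well-known/jwks.json".into(), audience: "iggy.apache.org".into() });
    let mut cache = JwksCache::new(issuers, 60, |_url: &str| vec![("kid-1".to_string(), "PUBKEY-1".to_string())]);
    println!("{:?}", cache.resolve("test-issuer", "iggy.apache.org", "kid-1", 1000));
    println!("{:?}", cache.resolve("other-issuer", "iggy.apache.org", "kid-1", 1000));
}
```

The rate limit matters because `kid` is read before the signature is verified, so without it any sender could cause one outbound JWKS request per token.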

@Tyooughtul Tyooughtul closed this Jan 31, 2026
@Tyooughtul Tyooughtul reopened this Jan 31, 2026
@hubcio
Contributor

hubcio commented Jan 31, 2026

hey! thanks for contribution - we'll check this after the weekend.

@spetz
Contributor

spetz commented Feb 2, 2026

Thank you for the contribution, made a few comments here and there :)

Is that all required to fully support A2A, as you wrote that I'd close #1762 which is the full integration?

Also, is there a way to do the proper integration/e2e testing like e.g. for existing MCP runtime to ensure it works well with A2A as the full transport?

@Tyooughtul
Author

Thanks for the review! All comments are clear and I will address every point as suggested.
I think this PR covers the full A2A support as mentioned in #1762. I will also add the corresponding integration/e2e tests for the MCP runtime & A2A.

@hubcio
Contributor

hubcio commented Feb 3, 2026

when testing, see how iggy_harness macro is used for connectors in #2667 or mcp (already merged). we're in the middle of refactor to use it everywhere, so it'd be great if you could use it in your tests (assuming you'll write some tests for this A2A).

@hubcio hubcio changed the title from "feat(server): Support A2A protocol (apache#1762)" to "feat(server): support A2A protocol" Feb 3, 2026
@codecov

codecov bot commented Feb 6, 2026

Codecov Report

❌ Patch coverage is 79.52381% with 43 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.60%. Comparing base (aff29a5) to head (24f9624).

Files with missing lines Patch % Lines
core/server/src/http/jwt/jwks.rs 81.69% 20 Missing and 6 partials ⚠️
core/server/src/http/jwt/jwt_manager.rs 75.00% 14 Missing and 1 partial ⚠️
core/server/src/configs/defaults.rs 0.00% 1 Missing ⚠️
core/server/src/http/jwt/middleware.rs 85.71% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##             master    #2656      +/-   ##
============================================
+ Coverage     68.52%   68.60%   +0.07%     
  Complexity      656      656              
============================================
  Files           743      744       +1     
  Lines         62808    63000     +192     
  Branches      59221    59413     +192     
============================================
+ Hits          43039    43220     +181     
- Misses        17656    17660       +4     
- Partials       2113     2120       +7     
Flag Coverage Δ
java 52.19% <ø> (ø)
rust 69.67% <79.52%> (+0.08%) ⬆️

Flags with carried forward coverage won't be shown.

Files with missing lines Coverage Δ
core/common/src/error/iggy_error.rs 100.00% <ø> (ø)
core/server/src/configs/http.rs 66.66% <ø> (ø)
core/server/src/configs/defaults.rs 0.00% <0.00%> (ø)
core/server/src/http/jwt/middleware.rs 80.00% <85.71%> (+12.69%) ⬆️
core/server/src/http/jwt/jwt_manager.rs 61.25% <75.00%> (+7.12%) ⬆️
core/server/src/http/jwt/jwks.rs 81.69% <81.69%> (ø)

... and 10 files with indirect coverage changes


@hubcio
Contributor

hubcio commented Feb 6, 2026

It looks like something went wrong with your rebase:
image

@Tyooughtul Tyooughtul force-pushed the feat/server/a2a-jwt-jwks branch 2 times, most recently from bd98498 to b85afac Compare February 6, 2026 16:11
@Tyooughtul
Author

> It looks like something went wrong with your rebase: image

😱 sorry, I fetched the wrong branch. I have corrected it.

@Tyooughtul Tyooughtul force-pushed the feat/server/a2a-jwt-jwks branch 2 times, most recently from 28f9cb5 to dff37e2 Compare February 13, 2026 14:11
@hubcio
Contributor

hubcio commented Feb 19, 2026

Hello @Tyooughtul
did you resolve all comments from @spetz ?
Do you plan to continue?

@Tyooughtul
Author

> Hello @Tyooughtul did you resolve all comments from @spetz ? Do you plan to continue?

Hi @hubcio , I think I’ve addressed all comments from @spetz, and the PR is ready for review. I’ll keep following up and fix any issues promptly. 😊

@Tyooughtul
Author

Hi @spetz @hubcio,
I've addressed all the previous review comments. Could you please take another look when you have a moment? Thanks!
Also, could you let me know if a second review from another maintainer is needed to meet the merge requirements?
Additionally, it seems the workflow is awaiting approval from a maintainer to run the CI checks. Would you mind approving that as well?
Thanks for your time!

@spetz
Contributor

spetz commented Feb 21, 2026

@Tyooughtul sure, the CI has started again, however I can see that there are still some pending comments waiting to be resolved.

- Support JWKS for A2A compliant secure agent authentication
- Enable key rotation without restarting the server
- Allow agents from different tenants to publish to the same Iggy bus

rebase to the newest master
…ness macro

Extend `#[iggy_harness]` with `jwks_server(...)` attribute to support
declarative JWKS mock server setup, as suggested in review to follow
the harness macro convention used for MCP and connectors.
- Fix the problem as suggested
- Add `jwks_server(store_path = "...")` attribute to #[iggy_harness]
- Add `config_path` to server(...) for custom TOML via IGGY_CONFIG_PATH
- Start WireMock MockServer and inject trusted issuer env vars before
  server startup
- Add ServerHandle::add_env() for pre-start env var injection
- Add 4 e2e tests: valid_token, expired_token, unknown_issuer,
  missing_token with RSA key pair and JWKS fixtures
@Tyooughtul Tyooughtul force-pushed the feat/server/a2a-jwt-jwks branch from 24f9624 to 0b3ec9f Compare February 22, 2026 02:12
@Tyooughtul
Author

Tyooughtul commented Feb 22, 2026

Hi @spetz,
All review comments have been addressed and pushed. All newly added tests pass. PTAL when you have time, thanks! 😊


Development

Successfully merging this pull request may close these issues.

Integration with Google Agent2Agent Protocol

3 participants