a2aproject
diff --git a/‎samples/java/agents/README.md‎
Lines changed: 3 additions & 0 deletions b/‎samples/java/agents/README.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎samples/java/agents/magic_8_ball_security/README.md‎
Lines changed: 120 additions & 0 deletions b/‎samples/java/agents/magic_8_ball_security/README.md‎
Lines changed: 120 additions & 0 deletions
diff --git a/‎samples/java/agents/magic_8_ball_security/client/pom.xml‎
Lines changed: 74 additions & 0 deletions b/‎samples/java/agents/magic_8_ball_security/client/pom.xml‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎samples/java/agents/magic_8_ball_security/client/src/main/java/com/samples/a2a/client/KeycloakOAuth2CredentialService.java‎
Lines changed: 55 additions & 0 deletions b/‎samples/java/agents/magic_8_ball_security/client/src/main/java/com/samples/a2a/client/KeycloakOAuth2CredentialService.java‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎samples/java/agents/magic_8_ball_security/client/src/main/java/com/samples/a2a/client/TestClient.java‎
Lines changed: 119 additions & 0 deletions b/‎samples/java/agents/magic_8_ball_security/client/src/main/java/com/samples/a2a/client/TestClient.java‎
Lines changed: 119 additions & 0 deletions
@@ -19,6 +19,9 @@ Each agent can be run as its own A2A server with the instructions in its README.
   Sample agent that can roll dice of different sizes and check if numbers are prime. This agent demonstrates
   multi-transport capabilities.
 
+* [**Magic 8 Ball Agent (Security)**](magic_8_ball_security/README.md)  
+  Sample agent that can respond to yes/no questions by consulting a Magic 8 Ball. This sample demonstrates how to secure an A2A server with Keycloak using bearer token authentication and it shows how to configure an A2A client to specify the token when sending requests.
+
 ## Disclaimer
 
 Important: The sample code provided is for demonstration purposes and illustrates the
 
@@ -0,0 +1,120 @@
+# Magic 8-Ball Security Agent
+
+This sample agent responds to yes/no questions by consulting a Magic 8-Ball.
+
+This sample demonstrates how to secure an A2A server with Keycloak using bearer token authentication and it shows how to configure an A2A client to specify the token when
+sending requests. The agent is written using Quarkus LangChain4j and makes use of the
+[A2A Java](https://github.com/a2aproject/a2a-java) SDK.
+
+## Prerequisites
+
+- Java 17 or higher
+- Access to an LLM and API Key
+- A working container runtime (Docker or [Podman](https://quarkus.io/guides/podman))
+
+>**NOTE**: We'll be making use of Quarkus Dev Services in this sample to automatically create and configure a Keycloak instance that we'll use as our OAuth2 provider. For more details on using Podman with Quarkus, see this [guide](https://quarkus.io/guides/podman).
+
+## Running the Sample
+
+This sample consists of an A2A server agent, which is in the `server` directory, and an A2A client,
+which is in the `client` directory.
+
+### Running the A2A Server Agent
+
+1. Navigate to the `magic-8-ball-security` sample directory:
+
+    ```bash
+    cd samples/java/agents/magic-8-ball-security/server
+    ```
+
+2. Set your Google AI Studio API Key as an environment variable:
+
+   ```bash
+   export QUARKUS_LANGCHAIN4J_AI_GEMINI_API_KEY=your_api_key_here
+   ```
+
+   Alternatively, you can create a `.env` file in the `magic-8-ball-security/server` directory:
+
+   ```bash
+   QUARKUS_LANGCHAIN4J_AI_GEMINI_API_KEY=your_api_key_here
+   ```
+
+3. Start the A2A server agent
+
+   **NOTE:**
+   By default, the agent will start on port 11000. To override this, add the `-Dquarkus.http.port=YOUR_PORT`
+   option at the end of the command below.
+
+   ```bash
+   mvn quarkus:dev
+   ```
+
+### Running the A2A Java Client
+
+The Java `TestClient` communicates with the Magic 8-Ball Agent using the A2A Java SDK.
+
+The client supports specifying which transport protocol to use ("jsonrpc", "rest", or "grpc"). By default, it uses JSON-RPC.
+
+1. Make sure you have [JBang installed](https://www.jbang.dev/documentation/jbang/latest/installation.html)
+
+2. Run the client using the JBang script:
+   ```bash
+   cd samples/java/agents/magic-8-ball-security/client/src/main/java/com/samples/a2a/client
+   jbang TestClientRunner.java
+   ```
+
+   Or specify a custom server URL:
+   ```bash
+   jbang TestClientRunner.java --server-url http://localhost:11000
+   ```
+
+   Or specify a custom message:
+   ```bash
+   jbang TestClientRunner.java --message "Should I refactor this code?"
+   ```
+
+   Or specify a specific transport (jsonrpc, grpc, or rest):
+   ```bash
+   jbang TestClientRunner.java --transport grpc
+   ```
+
+   Or combine multiple options:
+   ```bash
+   jbang TestClientRunner.java --server-url http://localhost:11000 --message "Will my tests pass?" --transport rest
+   ```
+
+## Expected Client Output
+
+The Java A2A client will:
+1. Connect to the Magic 8-Ball agent
+2. Fetch the agent card
+3. Use the specified transport (JSON-RPC by default, or as specified via --transport option)
+4. Send the message "Should I deploy this code on Friday?" (or your custom message)
+5. Display the Magic 8-Ball's mystical response from the agent
+
+## Keycloak OAuth2 Authentication
+
+This sample includes a `KeycloakOAuth2CredentialService` that implements the `CredentialService` interface from the A2A Java SDK to retrieve tokens from Keycloak
+using Keycloak `AuthzClient`.
+
+## Multi-Transport Support
+
+This sample demonstrates multi-transport capabilities by supporting the JSON-RPC, HTTP+JSON/REST, and gRPC transports. The A2A server agent is configured to use a unified port for all three transports.
+
+## Disclaimer
+Important: The sample code provided is for demonstration purposes and illustrates the
+mechanics of the Agent-to-Agent (A2A) protocol. When building production applications,
+it is critical to treat any agent operating outside of your direct control as a
+potentially untrusted entity.
+
+All data received from an external agent—including but not limited to its AgentCard,
+messages, artifacts, and task statuses—should be handled as untrusted input. For
+example, a malicious agent could provide an AgentCard containing crafted data in its
+fields (e.g., description, name, skills.description). If this data is used without
+sanitization to construct prompts for a Large Language Model (LLM), it could expose
+your application to prompt injection attacks.  Failure to properly validate and
+sanitize this data before use can introduce security vulnerabilities into your
+application.
+
+Developers are responsible for implementing appropriate security measures, such as
+input validation and secure handling of credentials to protect their systems and users.
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>com.samples.a2a</groupId>
+        <artifactId>magic-8-ball-security</artifactId>
+        <version>0.1.0</version>
+    </parent>
+
+    <artifactId>magic-8-ball-security-client</artifactId>
+    <name>Magic 8-Ball Security Agent Client</name>
+    <description>A2A Magic 8-Ball Security Agent Test Client</description>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.github.a2asdk</groupId>
+            <artifactId>a2a-java-sdk-client</artifactId>
+            <version>${io.a2a.sdk.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.github.a2asdk</groupId>
+            <artifactId>a2a-java-sdk-client-transport-rest</artifactId>
+            <version>${io.a2a.sdk.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.github.a2asdk</groupId>
+            <artifactId>a2a-java-sdk-client-transport-grpc</artifactId>
+            <version>${io.a2a.sdk.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.grpc</groupId>
+            <artifactId>grpc-netty-shaded</artifactId>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.google.auth</groupId>
+            <artifactId>google-auth-library-oauth2-http</artifactId>
+            <version>1.19.0</version>
+        </dependency>
+        <dependency>
+            <groupId>com.google.http-client</groupId>
+            <artifactId>google-http-client-jackson2</artifactId>
+            <version>1.43.3</version>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-authz-client</artifactId>
+            <version>25.0.1</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>exec-maven-plugin</artifactId>
+                <configuration>
+                    <mainClass>com.samples.a2a.TestClient</mainClass>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>
@@ -0,0 +1,55 @@
+package com.samples.a2a.client;
+
+import com.samples.a2a.client.util.CachedToken;
+import com.samples.a2a.client.util.KeycloakUtil;
+import io.a2a.client.transport.spi.interceptors.ClientCallContext;
+import io.a2a.client.transport.spi.interceptors.auth.CredentialService;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+import org.keycloak.authorization.client.AuthzClient;
+
+/**
+ * A CredentialService implementation that provides OAuth2 access tokens
+ * using Keycloak. This service is used by the A2A client transport
+ * authentication interceptors.
+ */
+public final class KeycloakOAuth2CredentialService implements CredentialService {
+
+  /** OAuth2 scheme name. */
+  private static final String OAUTH2_SCHEME_NAME = "oauth2";
+
+  /** Token cache. */
+  private final ConcurrentMap<String, CachedToken> tokenCache
+          = new ConcurrentHashMap<>();
+
+  /** Keycloak authz client. */
+  private final AuthzClient authzClient;
+
+  /**
+   * Creates a new KeycloakOAuth2CredentialService using the
+   * default keycloak.json file.
+   *
+   * @throws IllegalArgumentException if keycloak.json cannot be found/loaded
+   */
+  public KeycloakOAuth2CredentialService() {
+    this.authzClient = KeycloakUtil.createAuthzClient();
+  }
+
+  @Override
+  public String getCredential(final String securitySchemeName,
+                              final ClientCallContext clientCallContext) {
+    if (!OAUTH2_SCHEME_NAME.equals(securitySchemeName)) {
+      throw new IllegalArgumentException("Unsupported security scheme: "
+              + securitySchemeName);
+    }
+
+    try {
+      return KeycloakUtil.getAccessToken(securitySchemeName,
+              tokenCache, authzClient);
+    } catch (Exception e) {
+      throw new RuntimeException(
+          "Failed to obtain OAuth2 access token for scheme: "
+                  + securitySchemeName, e);
+    }
+  }
+}
@@ -0,0 +1,119 @@
+package com.samples.a2a.client;
+
+import com.samples.a2a.client.util.EventHandlerUtil;
+import io.a2a.client.Client;
+import io.a2a.client.ClientEvent;
+import io.a2a.client.config.ClientConfig;
+import io.a2a.client.transport.grpc.GrpcTransport;
+import io.a2a.client.transport.grpc.GrpcTransportConfigBuilder;
+import io.a2a.client.transport.jsonrpc.JSONRPCTransport;
+import io.a2a.client.transport.jsonrpc.JSONRPCTransportConfigBuilder;
+import io.a2a.client.transport.rest.RestTransport;
+import io.a2a.client.transport.rest.RestTransportConfigBuilder;
+import io.a2a.client.transport.spi.interceptors.auth.AuthInterceptor;
+import io.a2a.client.transport.spi.interceptors.auth.CredentialService;
+import io.a2a.spec.AgentCard;
+import io.grpc.Channel;
+import io.grpc.ManagedChannelBuilder;
+import java.util.List;
+import java.util.concurrent.CompletableFuture;
+import java.util.function.BiConsumer;
+import java.util.function.Consumer;
+import java.util.function.Function;
+
+/**
+ * Test client utility for creating A2A clients with HTTP-based transports
+ * and OAuth2 authentication.
+ *
+ * <p>This class encapsulates the complexity of setting up A2A clients with
+ * multiple transport options (gRPC, REST, JSON-RPC) and Keycloak OAuth2
+ * authentication, providing simple methods to create configured clients
+ * for testing and development.
+ */
+public final class TestClient {
+
+  private TestClient() {
+  }
+
+  /**
+   * Creates an A2A client with the specified transport and
+   * OAuth2 authentication.
+   *
+   * @param agentCard the agent card to connect to
+   * @param messageResponse CompletableFuture for handling responses
+   * @param transport the transport type to use ("grpc", "rest", or "jsonrpc")
+   * @return configured A2A client
+   */
+  public static Client createClient(
+      final AgentCard agentCard,
+      final CompletableFuture<String> messageResponse,
+      final String transport) {
+
+    // Create consumers for handling client events
+    List<BiConsumer<ClientEvent, AgentCard>> consumers =
+        EventHandlerUtil.createEventConsumers(messageResponse);
+
+    // Create error handler for streaming errors
+    Consumer<Throwable> streamingErrorHandler =
+        EventHandlerUtil.createStreamingErrorHandler(messageResponse);
+
+    // Create credential service for OAuth2 authentication
+    CredentialService credentialService
+            = new KeycloakOAuth2CredentialService();
+
+    // Create shared auth interceptor for all transports
+    AuthInterceptor authInterceptor = new AuthInterceptor(credentialService);
+
+    // Create channel factory for gRPC transport
+    Function<String, Channel> channelFactory =
+        agentUrl -> {
+          return ManagedChannelBuilder
+                  .forTarget(agentUrl)
+                  .usePlaintext()
+                  .build();
+        };
+
+    // Create the A2A client with the specified transport
+    try {
+      var builder =
+          Client.builder(agentCard)
+              .addConsumers(consumers)
+              .streamingErrorHandler(streamingErrorHandler);
+
+      // Configure only the specified transport
+      switch (transport.toLowerCase()) {
+        case "grpc":
+          builder.withTransport(
+              GrpcTransport.class,
+              new GrpcTransportConfigBuilder()
+                  .channelFactory(channelFactory)
+                  .addInterceptor(authInterceptor) // auth config
+                  .build());
+          break;
+        case "rest":
+          builder.withTransport(
+              RestTransport.class,
+              new RestTransportConfigBuilder()
+                  .addInterceptor(authInterceptor) // auth config
+                  .build());
+          break;
+        case "jsonrpc":
+          builder.withTransport(
+              JSONRPCTransport.class,
+              new JSONRPCTransportConfigBuilder()
+                  .addInterceptor(authInterceptor) // auth config
+                  .build());
+          break;
+        default:
+          throw new IllegalArgumentException(
+              "Unsupported transport type: "
+                  + transport
+                  + ". Supported types are: grpc, rest, jsonrpc");
+      }
+
+      return builder.clientConfig(new ClientConfig.Builder().build()).build();
+    } catch (Exception e) {
+      throw new RuntimeException("Failed to create A2A client", e);
+    }
+  }
+}