feat(server): support A2A protocol

[Tyooughtul]

Which issue does this PR close?

Closes #1762

Rationale

A2A protocol requires JWKS support to enable secure agent authentication with multiple identity providers. This change allows agents from different tenants to authenticate using their own public keys, and supports key rotation without requiring server restarts.

What changed?

Added JWKS support for secure agent-to-agent authentication. The implementation includes a JwksClient that fetches and caches public keys from JWKS endpoints, integrated JWKS into JwtManager for multi-tenant agent authentication, and updated HTTP middleware to support asynchronous JWT decoding. Also added TrustedIssuerConfig to support configuring multiple trusted issuers.

Local Execution

• Passed
• Pre-commit hooks ran

AI Usage

1. Which tools? Grok fast
2. Scope of usage?

• I use ai for write test case and running scripts.
• Some config code to test code:

# Trusted issuers for A2A (Application-to-Application) authentication
[[http.jwt.trusted_issuers]]
issuer = "test-issuer"
jwks_url = "http://127.0.0.1:8081/.well-known/jwks.json"
audience = "iggy.apache.org"

• Some debug! to help me find bugs。

3. How did you verify the generated code works correctly?

• Compile successfully with cargo check --package server and cargo build --package server.
• Test case passed.

5. Can you explain every line of the code if asked? Yes

[hubcio]

hey! thanks for contribution - we'll check this after the weekend.

[spetz]

Should we make it an enum, you could use strum with all the helpers like here:

#[derive(Clone, Copy, Debug, Default, Display, PartialEq, Eq, Serialize, Deserialize)]
#[strum(serialize_all = "snake_case")]
#[serde(rename_all = "snake_case")]
pub enum McpTransport {
    #[default]
    #[strum(to_string = "http")]
    Http,
    #[strum(to_string = "stdio")]
    Stdio,
}

Then the match you do later on becomes easier.

[spetz]

Please use the existing custom error enums we already have - feel free to add new custom variants if needed or reuse existing ones.

[spetz]

Maybe just use DashMap instead?

[spetz]

Same here regarding all the errors, don't use anyhow, please fix in all places returning errors.

[spetz]

Here you could match using the previously added enum, also makes sense to make the string lowercase first.

[spetz]

Please try to avoid multiple levels of if statements, better to return/break quickly whenever possible with let Some() or let Ok() patterns.

[spetz]

Thank you for the contribution, made a few comments here and there :)

Is that all required to fully support A2A, as you wrote that I'd close #1762 which is the full integration?

Also, is there a way to do the proper integration/e2e testing like e..g for existing MCP runtime to ensure it works well with A2A as the full transport?

[spetz]

Stick to serde_json = { workspace = true } etc. everywhere

[spetz]

Please extend this file with unit tests matching the existing conventions to ensure that at least the logic JwksClientlikerefresh_keys` or so is correct.

[Tyooughtul]

Thanks for the review! All comments are clear and I will address every point as suggested.
I think this PR covers the full A2A support as mentioned in #1762. I will also add the corresponding integration/e2e tests for the MCP runtime & A2A.

[hubcio]

when testing, see how iggy_harness macro is used for connectors in #2667 or mcp (already merged). we're in the middle of refactor to use it everywhere, so it'd be great if you could use it in your tests (assuming you'll write some tests for this A2A).