Skip to content

[Bug]: APIKeySecurityScheme field name inconsistency between JSON schema and gRPC proto #1172

New issue
New issue
Open
Bug
#1173
Open
[Bug]: APIKeySecurityScheme field name inconsistency between JSON schema and gRPC proto#1172
Bug
#1173
@adarshnarayanhegde

Description

@adarshnarayanhegde
adarshnarayanhegde
opened on Oct 21, 2025

What happened?

Problem Description

There is a critical field name mismatch in the APIKeySecurityScheme message that breaks interoperability between JSON-RPC and gRPC transports:

  • JSON Schema (a2a.json): Uses field name "in" (following OpenAPI 3.0 standard)
  • gRPC Proto (a2a.proto): Uses field name "location"

This inconsistency causes authentication configuration to fail when converting between JSON and gRPC formats, as clients implementing different transports cannot properly exchange security scheme information.

Current State

gRPC Proto:

message APIKeySecurityScheme {
  string description = 1;
  string location = 2;  // ❌ Incorrect field name
  string name = 3;
}

JSON Schema:

"APIKeySecurityScheme": {
  // ...
  "in": {
                    "description": "The location of the API key.",
                    "enum": [
                        "cookie",
                        "header",
                        "query"
                    ],
                    "type": "string"
                }
// ...
}

Why This Breaks

  1. Proto serializes to JSON as "location", violating the JSON schema
  2. JSON clients send "in", which proto parsers don't recognize
  3. OpenAPI 3.0 standard mandates "in" - the JSON schema is correct per spec
  4. Authentication configuration fails silently - security schemes are ignored

Expected Behavior

Both specifications should use "in" to match the OpenAPI 3.0 Security Scheme specification.

Reproduction

// 1. Create security scheme in gRPC
security_schemes {
  key: "api_key"
  value {
    api_key_security_scheme {
      description: "API Key authentication"
      location: "header"  // Using proto field name
      name: "X-API-Key"
    }
  }
}

// 2. Serialize to JSON via HTTP/JSON transcoding
// Result: {"location": "header", ...}

// 3. Validate against JSON schema
// Error: Missing required field "in"

Proposed Solution

Option A (Recommended): Rename proto field

message APIKeySecurityScheme {
  string description = 1;
  string in = 2;  // CHANGED: Renamed from "location" to "in"
  string name = 3;
}

Option B: Add json_name annotation

message APIKeySecurityScheme {
  string description = 1;
  string location = 2 [json_name = "in"];  // Map to correct JSON field
  string name = 3;
}

Recommendation: Option A aligns the proto with OpenAPI 3.0 standard and maintains consistency. Field number 2 remains unchanged, so wire format compatibility is preserved.

Relevant log output



Code of Conduct


    

  •  I agree to follow this project's Code of Conduct
    • 

Metadata
Metadata
Assignees
No one assigned
    Labels
    No labels
    No labels
    Type
    Bug
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions