feat: integration tests for agw auth methods

Author: NicoleMGomes

.env_integration_tests.example

@@ -19,3 +19,6 @@ CLOUD_SDK_CFG_SDM_DEFAULT_UAA='{"url":"https://your-auth-url","clientid":"your-c
 
 CLOUD_SDK_CFG_HANA_AGENT_MEMORY_DEFAULT_APPLICATION_URL=https://your-agent-memory-api-url-here
 CLOUD_SDK_CFG_HANA_AGENT_MEMORY_DEFAULT_UAA='{"url":"https://your-auth-url","clientid":"your-client-id","clientsecret":"your-client-secret"}'
+
+APPFND_CONHOS_LANDSCAPE=your-landscape-here
+AGW_USER_TOKEN=your-user-jwt-here

docs/INTEGRATION_TESTS.md

@@ -74,6 +74,28 @@ CLOUD_SDK_CFG_HANA_AGENT_MEMORY_DEFAULT_APPLICATION_URL=https://your-agent-memor
 CLOUD_SDK_CFG_HANA_AGENT_MEMORY_DEFAULT_UAA='{"url":"https://your-auth-url","clientid":"your-client-id","clientsecret":"your-client-secret"}'
 ```
 
+### Agent Gateway Integration Tests
+
+Agent Gateway integration tests use the LoB agent flow via the Destination Service. Configure the following variables in `.env_integration_tests`:
+
+```bash
+# Destination Service (required by the LoB agent flow)
+CLOUD_SDK_CFG_DESTINATION_DEFAULT_CLIENTID=your-destination-client-id-here
+CLOUD_SDK_CFG_DESTINATION_DEFAULT_CLIENTSECRET=your-destination-client-secret-here
+CLOUD_SDK_CFG_DESTINATION_DEFAULT_URL=https://your-destination-auth-url-here
+CLOUD_SDK_CFG_DESTINATION_DEFAULT_URI=https://your-destination-configuration-uri-here
+CLOUD_SDK_CFG_DESTINATION_DEFAULT_IDENTITYZONE=your-identity-zone-here
+
+# Landscape suffix used to resolve the IAS destination name
+APPFND_CONHOS_LANDSCAPE=your-landscape-here
+
+# User JWT for token exchange scenarios (get_user_auth)
+# If not set, user auth scenarios are automatically skipped
+AGW_USER_TOKEN=your-user-jwt-here
+```
+
+The tenant subdomain is hardcoded to `731465182` in the test fixtures.
+
 ## Running Integration Tests
 
 ```bash
@@ -85,6 +107,7 @@ uv run pytest tests/core/integration/auditlog -v
 uv run pytest tests/objectstore/integration/ -v
 uv run pytest tests/destination/integration/ -v
 uv run pytest tests/agent_memory/integration/ -v
+uv run pytest tests/agentgateway/integration/ -v
 ```
 
 ### BDD Scenarios

src/sap_cloud_sdk/agentgateway/_lob.py

@@ -6,7 +6,6 @@
 """
 
 import asyncio
-import base64
 import logging
 import os
 import uuid
@@ -61,19 +60,19 @@ def _fetch_auth_token(
     tenant_subdomain: str,
     options: ConsumptionOptions | None = None,
 ) -> tuple[str, str]:
-    """Fetch raw access token and gateway URL from destination service.
+    """Fetch auth token and gateway URL from destination service.
 
-    Extracts the raw JWT by base64-decoding the token value field
-    from the destination service response, and the gateway URL from
-    the destination's URL property.
+    Extracts the raw JWT from the Authorization header value returned by the
+    destination service (e.g. strips the "Bearer " prefix from "Bearer <jwt>"),
+    and the gateway URL from the destination's URL property.
 
     Args:
         dest_name: Destination name.
         tenant_subdomain: Tenant subdomain for multi-tenant lookup.
         options: Consumption options (fragment_name, user_token).
 
     Returns:
-        Tuple of (raw_access_token, gateway_url).
+        Tuple of (raw_jwt, gateway_url).
 
     Raises:
         MCPServerNotFoundError: If no auth token is returned.
@@ -91,14 +90,17 @@ def _fetch_auth_token(
             f"No auth token returned for destination '{dest_name}'"
         )
 
-    token_value = dest.auth_tokens[0].value
-    if not token_value:
-        raise MCPServerNotFoundError(f"Empty token value for destination '{dest_name}'")
+    auth_token = dest.auth_tokens[0]
+    header_value = auth_token.http_header.get("value") or ""
+    if not header_value:
+        raise MCPServerNotFoundError(f"Empty auth header for destination '{dest_name}'")
+
+    # Strip "Bearer " prefix — AuthResult.access_token is always a raw JWT
+    raw_token = header_value.removeprefix("Bearer ").strip()
 
-    token = base64.b64decode(token_value).decode("utf-8")
     gateway_url = (dest.url or "").rstrip("/")
 
-    return token, gateway_url
+    return raw_token, gateway_url
 
 
 def list_mcp_fragments(tenant_subdomain: str) -> list:

src/sap_cloud_sdk/agentgateway/_models.py

@@ -11,7 +11,7 @@ class AuthResult:
     Contains the access token and the Agent Gateway URL.
 
     Attributes:
-        access_token: Raw JWT access token string.
+        access_token: Raw JWT access token (no "Bearer " prefix).
         gateway_url: Agent Gateway base URL (no trailing slash).
 
     Example:

tests/agentgateway/integration/__init__.py

@@ -0,0 +1,48 @@
+Feature: Agent Gateway Auth Integration
+  As a developer using the SDK
+  I want to fetch auth credentials from the Agent Gateway
+  So that I can make authenticated requests to MCP servers
+
+  Background:
+    Given the Agent Gateway client is available
+
+  Scenario: Get system auth returns a valid AuthResult
+    When I call get_system_auth
+    Then the result should be an AuthResult
+    And the access_token should be a non-empty string
+    And the gateway_url should be a non-empty string
+    And the gateway_url should have no trailing slash
+    And the access_token should not start with "Bearer "
+
+  Scenario: Get user auth returns a valid AuthResult
+    Given I have a valid user token
+    When I call get_user_auth with the user token
+    Then the result should be an AuthResult
+    And the access_token should be a non-empty string
+    And the gateway_url should be a non-empty string
+    And the gateway_url should have no trailing slash
+    And the access_token should not start with "Bearer "
+
+  Scenario: Get user auth accepts a callable user token
+    Given I have a valid user token
+    When I call get_user_auth with a callable returning the user token
+    Then the result should be an AuthResult
+    And the access_token should be a non-empty string
+
+  Scenario: System auth and user auth return the same gateway URL
+    Given I have a valid user token
+    When I call get_system_auth
+    And I call get_user_auth with the user token
+    Then both gateway URLs should match
+
+  Scenario: Get user auth fails when user token is empty
+    When I call get_user_auth with an empty user token
+    Then the operation should fail with AgentGatewaySDKError
+    And the error message should mention "user_token is required"
+
+  Scenario: List MCP tools returns a non-empty list of tools
+    When I call list_mcp_tools
+    Then the result should be a list of MCPTool
+    And the list should be non-empty
+    And each tool should have a non-empty name
+    And each tool should have a non-empty url

tests/agentgateway/integration/agw_auth.feature

@@ -0,0 +1,42 @@
+"""Pytest configuration and fixtures for Agent Gateway integration tests."""
+
+from pathlib import Path
+
+import pytest
+from dotenv import load_dotenv
+
+from sap_cloud_sdk.agentgateway import create_client, AgentGatewayClient
+
+
+def _setup_cloud_mode():
+    """Load environment variables from .env_integration_tests if present."""
+    env_file = Path(__file__).parents[3] / ".env_integration_tests"
+    if env_file.exists():
+        load_dotenv(env_file)
+
+
+@pytest.fixture(scope="session")
+def agw_client() -> AgentGatewayClient:
+    """Create an AgentGatewayClient from environment variables."""
+    _setup_cloud_mode()
+
+    try:
+        return create_client(tenant_subdomain="731465182")
+    except Exception as e:
+        pytest.fail(f"Failed to create Agent Gateway client for integration tests: {e}")
+
+
+# Configure pytest markers for integration tests
+def pytest_configure(config):
+    """Configure pytest markers."""
+    config.addinivalue_line(
+        "markers",
+        "integration: mark test as integration test"
+    )
+
+
+def pytest_collection_modifyitems(config, items):
+    """Automatically mark integration tests."""
+    for item in items:
+        if "integration" in str(item.fspath):
+            item.add_marker(pytest.mark.integration)