fix(adk): pass user_id as query param in create_session to fix SessionNotFoundError

[Abhiram-Rakesh]

Summary

Fixes #1882

POST /api/sessions was the only KAgentSessionService method that did not include user_id as a query parameter. The controller's UnsecureAuthenticator resolves the caller's identity from the query param (or X-User-Id header), not the JSON body:

// go/core/internal/httpserver/auth/authn.go — UnsecureAuthenticator
userID := query.Get("user_id")       // reads query param
if userID == "" {
    userID = reqHeaders.Get("X-User-Id")
}
if userID == "" {
    userID = "admin@kagent.dev"      // fallback when neither is set
}

Because the user_id was only in the JSON body, the create call fell back to "admin@kagent.dev" while every subsequent get_session / append_event call used the A2A-derived user_id (e.g. "A2A_USER_<contextId>"). The guaranteed mismatch caused a 404 on the follow-up GET, which surfaced as SessionNotFoundError in google.adk.runners.

Root cause trace

step	call	user_id used	result
1	GET /api/sessions/<CTX>?user_id=A2A_USER_<CTX>	A2A_USER_<CTX>	404 — not yet created
2	POST /api/sessions (body only, no query param)	admin@kagent.dev ← fallback	201 — session created under wrong identity
3	GET /api/sessions/<CTX>?user_id=A2A_USER_<CTX>	A2A_USER_<CTX>	404 — exists but under admin@kagent.dev
4	SessionNotFoundError

Fix

Add ?user_id={user_id} to the POST /api/sessions URL in create_session, consistent with every other method in the same class:

• get_session → f"/api/sessions/{session_id}?user_id={user_id}&..." ✅
• list_sessions → f"/api/sessions?user_id={user_id}" ✅
• delete_session → f"/api/sessions/{session_id}?user_id={user_id}" ✅
• append_event → f"/api/sessions/{session.id}/events?user_id={session.user_id}" ✅
• create_session → "/api/sessions" ❌ → f"/api/sessions?user_id={user_id}" ✅ (this PR)

Test

Added test_create_session_passes_user_id_as_query_param to test_session_service.py — asserts that the URL passed to client.post contains user_id=<value> as a query param. This is a regression test so the mismatch cannot silently reappear.

Notes

• Reproducible on every A2A message/send invocation with controller.auth.mode: unsecure (the default in-cluster setup)
• PR fix: ensure user identity is propagated across A2A requests/sessions #1775 fixed the authenticated path (call_context.user.user_name); this PR fixes the unauthenticated fallback path
• Verified against UnsecureAuthenticator source in go/core/internal/httpserver/auth/authn.go

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a regression fix ensuring user_id is consistently sent as a query parameter when creating sessions, preventing mismatched identities that can lead to SessionNotFoundError.

Changes:

• Update KAgentSessionService.create_session() to include user_id in the POST /api/sessions query string.
• Add an async unit test verifying user_id is present in the create-session request URL.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
python/packages/kagent-adk/src/kagent/adk/_session_service.py	Includes user_id as a query parameter when creating a session to align with controller auth behavior.
python/packages/kagent-adk/tests/unittests/test_session_service.py	Adds a regression test asserting the create-session request includes user_id in the URL.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Abhiram-Rakesh]

Fixed in the latest push — switched to params={"user_id": user_id} so httpx handles the URL encoding correctly.

[Abhiram-Rakesh]

Fixed in the latest push — the assertion now checks client.post.call_args.kwargs["params"]["user_id"] directly, so it's robust to URL encoding and argument ordering changes.