@loveyana (Contributor)

Overview

This PR adds comprehensive OAuth2/OIDC Single Sign-On (SSO) support for VeADK Web and implements Access Token validation based on JWKS with optional Introspection.

Key Changes

1. OAuth2 Middleware Enhancements

  • OIDC JWKS Validation: Support JWT Access Token validation via JWKS (JSON Web Key Set)
  • Optional Introspection: Support OAuth2 Token Introspection endpoint for opaque token validation
  • Dual Authentication Sources: Validates both Authorization Header and Session Cookie tokens
  • No Authorization Passthrough: Middleware no longer passes through the original client Authorization header; instead uses the validated Session Token

2. /oauth2/userinfo Endpoint Token Validation

  • The /oauth2/userinfo endpoint now validates the Access Token in the Session before returning user info
  • Ensures returned user information corresponds to a valid authentication state

3. VeADK Web CLI Integration

  • veadk web command supports --oauth2-user-pool and --oauth2-user-pool-client parameters
  • Automatic OAuth2 middleware configuration with VeIdentity User Pool integration

Technical Implementation

Access Token Validation Flow

┌─────────────────┐
│ Request Arrives │
└────────┬────────┘
         │
         ▼
┌─────────────────┐     Has Authorization Header?
│  Check Auth     │────────────────────────────┐
│  Header         │                            │
└────────┬────────┘                            │
         │ No                                  │ Yes
         ▼                                     ▼
┌─────────────────┐                   ┌─────────────────┐
│  Check Session  │                   │  Extract Bearer │
│  Cookie         │                   │  Token          │
└────────┬────────┘                   └────────┬────────┘
         │                                     │
         ▼                                     ▼
┌─────────────────┐                   ┌─────────────────┐
│  Validate       │                   │  JWKS/Intro-    │
│  Session Token  │                   │  spection       │
└────────┬────────┘                   └────────┬────────┘
         │                                     │
         ▼                                     ▼
┌─────────────────┐                   ┌─────────────────┐
│  Inject Auth    │                   │  Set User       │
│  Header         │                   │  Scope          │
└────────┬────────┘                   └────────┬────────┘
         │                                     │
         └──────────────┬──────────────────────┘
                        ▼
               ┌─────────────────┐
               │ Continue Request│
               └─────────────────┘

New Configuration Parameters

| Parameter | Type | Default | Description |
|---|---|---|---|
| issuer | str | None | JWT Issuer for validating iss claim |
| jwks_uri | str | None | JWKS endpoint URL |
| audience | str \| list[str] | None | Allowed audience list |
| allowed_algorithms | list[str] | ["RS256"] | Allowed signing algorithms |
| jwks_cache_ttl_seconds | int | 300 | JWKS cache TTL |
| jwks_kid_miss_cooldown_seconds | int | 30 | Cooldown before refreshing on KID miss |
| use_introspection | bool | False | Whether to use Introspection validation |
| introspection_url | str | None | Introspection endpoint URL |
| introspection_client_id | str | None | Introspection client ID |
| introspection_client_secret | str | None | Introspection client secret |
| introspection_cache_ttl_seconds | int | 300 | Introspection result cache TTL |

Security Features

  • Algorithm Whitelist: Prevents alg=none attacks
  • Issuer Validation: Ensures token is from expected IdP
  • Audience Validation: Ensures token is issued for this application
  • Expiration Validation: Automatically rejects expired tokens
  • JWKS Caching: Reduces requests to IdP, supports auto-refresh on KID miss
  • Cookie Signing: Session cookies are signed with HMAC-SHA256
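The Bearer-token branch of the flow above (algorithm allowlist, JWKS lookup with cache TTL and KID-miss cooldown, then issuer, audience and expiration checks) as an added illustration; this is not VeADK's oauth2_auth.py, and `JwksCache`, `validate_access_token`, `make_token` and the `verify_sig` callback are names chosen for the demo. The RS256 signature check is delegated to the caller-supplied `verify_sig` (e.g. backed by PyJWT or cryptography) because the standard library has no RSA, and the JWKS document and clock are constructed inputs.

```python
import base64, json, time
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(header: dict, claims: dict, signature: bytes) -> str:
    """Assemble a compact JWS for the demo; in production the IdP signs the token."""
    return ".".join(b64url(p) for p in (json.dumps(header).encode(), json.dumps(claims).encode(), signature))

class JwksCache:
    """Holds the IdP key set for `ttl` seconds; refreshes on an unknown kid at most once per cooldown."""
    def __init__(self, fetch_jwks, ttl=300, kid_miss_cooldown=30, clock=time.time):
        self.fetch_jwks, self.ttl, self.cooldown, self.clock = fetch_jwks, ttl, kid_miss_cooldown, clock
        self.keys, self.fetched_at, self.last_miss_refresh, self.fetch_count = {}, None, None, 0

    def _refresh(self):
        self.keys = {k["kid"]: k for k in self.fetch_jwks().get("keys", []) if "kid" in k}
        self.fetched_at, self.fetch_count = self.clock(), self.fetch_count + 1

    def get_key(self, kid):
        now = self.clock()
        if self.fetched_at is None or now - self.fetched_at >= self.ttl:
            self._refresh()
        key = self.keys.get(kid)
        if key is None and (self.last_miss_refresh is None or now - self.last_miss_refresh >= self.cooldown):
            # A rotated key is a legitimate miss, so refresh once; the cooldown stops unknown kids from turning every request into a JWKS fetch against the IdP.
            self.last_miss_refresh = now
            self._refresh()
            key = self.keys.get(kid)
        return key

def validate_access_token(token, cache, issuer, audience, verify_sig, allowed_algorithms=("RS256",), now=None):
    """Return the claims or raise ValueError. Order: alg allowlist, kid, signature, iss, aud, exp."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
    except ValueError as exc:  # bad split, bad base64 and JSONDecodeError all derive from ValueError
        raise ValueError("malformed token") from exc
    if header.get("alg") not in allowed_algorithms:  # rejects alg=none and algorithm confusion
        raise ValueError("algorithm not allowed")
    key = cache.get_key(header.get("kid"))
    if key is None or key.get("alg", header["alg"]) != header["alg"]: raise ValueError("unknown kid or key/alg mismatch")
    if not verify_sig(key, f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)): raise ValueError("bad signature")
    if claims.get("iss") != issuer: raise ValueError("wrong issuer")
    aud = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if not set(aud) & set([audience] if isinstance(audience, str) else audience): raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or (time.time() if now is None else now) >= claims["exp"]: raise ValueError("token expired")
    return claims
```

The cooldown is the part worth watching in a real deployment: without it, a request carrying an unknown kid costs one round trip to the IdP every time, which is a cheap way to keep the JWKS endpoint busy.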

This update introduces OAuth2/OIDC SSO authentication via Agent Identity User Pool to the `veadk web` command. Documentation is updated to describe new CLI options (`--oauth2-user-pool`, `--oauth2-user-pool-client`, `--oauth2-redirect-uri`). The CLI and middleware are extended to support access token validation (JWKS/introspection), user info extraction, and secure session handling for both API and browser requests.

Reformat long lines for readability in oauth2_auth.py

Refactored several long lines and conditional statements to improve code readability and maintain PEP8 compliance. No functional changes were made.
@yaozheng-fang yaozheng-fang merged commit b54cdb2 into volcengine:main Jan 29, 2026
5 checks passed