feat(auth): allow token to be provided for use against jwks endpoint

Though the jwks endpoint does not usually require authentication, it does by default in a kubernetes cluster. The cluster can be configured to allow anonymous access to that endpoint, but by allowing a token to be presented that cluster configuration is not necessary.
2025-07-14 00:56:09 +00:00 · 2025-06-04 19:12:15 +01:00 · 2025-06-04 19:12:15 +01:00 · 74d891db72
commit 74d891db72
parent c8c742ba45
3 changed files with 57 additions and 24 deletions
--- a/llama_stack/distribution/server/auth_providers.py
+++ b/llama_stack/distribution/server/auth_providers.py
@ -84,6 +84,7 @@ def get_attributes_from_claims(claims: dict[str, str], mapping: dict[str, str])
 class OAuth2JWKSConfig(BaseModel):
    # The JWKS URI for collecting public keys
    uri: str
+    token: str | None = Field(default=None, description="token to authorise access to jwks")
    key_recheck_period: int = Field(default=3600, description="The period to recheck the JWKS URI for key updates")


@ -246,9 +247,12 @@ class OAuth2TokenAuthProvider(AuthProvider):
            if self.config.jwks is None:
                raise ValueError("JWKS is not configured")
            if time.time() - self._jwks_at > self.config.jwks.key_recheck_period:
+                headers = {}
+                if self.config.jwks.token:
+                    headers["Authorization"] = f"Bearer {self.config.jwks.token}"
                verify = self.config.tls_cafile.as_posix() if self.config.tls_cafile else self.config.verify_tls
                async with httpx.AsyncClient(verify=verify) as client:
-                    res = await client.get(self.config.jwks.uri, timeout=5)
+                    res = await client.get(self.config.jwks.uri, timeout=5, headers=headers)
                    res.raise_for_status()
                    jwks_data = res.json()["keys"]
                    updated = {}