diff --git a/docs/source/distributions/configuration.md b/docs/source/distributions/configuration.md
index 1bba6677e..4646b3688 100644
--- a/docs/source/distributions/configuration.md
+++ b/docs/source/distributions/configuration.md
@@ -56,8 +56,8 @@ shields: []
 server:
 port: 8321
 auth:
- provider_type: "oauth2_token"
- config:
+ provider_config:
+ type: "oauth2_token"
 jwks:
 uri: "https://my-token-issuing-svc.com/jwks"
 ```
@@ -226,6 +226,8 @@ server:
 ### Authentication Configuration
+> **Breaking Change (v0.2.13)**: The authentication configuration structure has changed. The previous format with `provider_type` and `config` fields has been replaced with a unified `provider_config` field that includes the `type` field. Update your configuration files accordingly.
+
 The `auth` section configures authentication for the server. When configured, all API requests must include a valid Bearer token in the Authorization header:
 ```
@@ -240,8 +242,8 @@ The server can be configured to use service account tokens for authorization, va
 ```yaml
 server:
 auth:
- provider_type: "oauth2_token"
- config:
+ provider_config:
+ type: "oauth2_token"
 jwks:
 uri: "https://kubernetes.default.svc:8443/openid/v1/jwks"
 token: "${env.TOKEN:+}"
@@ -325,13 +327,25 @@ You can easily validate a request by running:
 curl -s -L -H "Authorization: Bearer $(cat llama-stack-auth-token)" http://127.0.0.1:8321/v1/providers
 ```
+#### GitHub Token Provider
+Validates GitHub personal access tokens or OAuth tokens directly:
+```yaml
+server:
+ auth:
+ provider_config:
+ type: "github_token"
+ github_api_base_url: "https://api.github.com" # Or GitHub Enterprise URL
+```
+
+The provider fetches user information from GitHub and maps it to access attributes based on the `claims_mapping` configuration.
+
 #### Custom Provider
 Validates tokens against a custom authentication endpoint:
 ```yaml
 server:
 auth:
- provider_type: "custom"
- config:
+ provider_config:
+ type: "custom"
 endpoint: "https://auth.example.com/validate" # URL of the auth endpoint
 ```
@@ -416,8 +430,8 @@ clients.
 server:
 port: 8321
 auth:
- provider_type: custom
- config:
+ provider_config:
+ type: custom
 endpoint: https://auth.example.com/validate
 quota:
 kvstore:
diff --git a/llama_stack/distribution/datatypes.py b/llama_stack/distribution/datatypes.py
index c207e1108..ead1331f3 100644
--- a/llama_stack/distribution/datatypes.py
+++ b/llama_stack/distribution/datatypes.py
@@ -244,8 +244,7 @@ class GitHubTokenAuthConfig(BaseModel):
 )
 claims_mapping: dict[str, str] = Field(
 default_factory=lambda: {
- "login": "username",
- "id": "user_id",
+ "login": "roles",
 "organizations": "teams",
 },
 description="Mapping from GitHub user fields to access attributes",
diff --git a/llama_stack/distribution/server/auth.py b/llama_stack/distribution/server/auth.py
index 83ca419a4..fadbf7b49 100644
--- a/llama_stack/distribution/server/auth.py
+++ b/llama_stack/distribution/server/auth.py
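Review bot: The new default maps the GitHub `login` field onto the `roles` access attribute, which places a user-chosen, renameable username into the attribute that authorization rules would be expected to grant privileges by; if any access policy keys on `roles`, a login that happens to equal a role name would satisfy it, and dropping the `"id": "user_id"` entry leaves no immutable identifier in the attributes. Unless login-as-role is intentional, restore `"login": "username",` and `"id": "user_id",` and let `roles`/`teams` come only from organization data the administrator controls (the `organizations` → `teams` entry already does this). The `description` on the last line should also say that these values feed authorization decisions, e.g. `description="Mapping from GitHub user fields (login, id, organizations) to access attributes; mapped values are used for authorization, so map identity fields to identity attributes"`. The enclosing class GitHubTokenAuthConfig starts before this hunk and continues after it.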
@@ -92,7 +92,7 @@ class AuthenticationMiddleware:
 return await self._send_auth_error(send, error_msg)
 if not auth_header.startswith("Bearer "):
- return await self._send_auth_error(send, "Missing or invalid Authorization header")
+ return await self._send_auth_error(send, "Invalid Authorization header format")
 token = auth_header.split("Bearer ", 1)[1]
diff --git a/llama_stack/distribution/server/auth_providers.py b/llama_stack/distribution/server/auth_providers.py
index abf7802d4..1037c4112 100644
--- a/llama_stack/distribution/server/auth_providers.py
+++ b/llama_stack/distribution/server/auth_providers.py
@@ -322,7 +322,10 @@ class GitHubTokenAuthProvider(AuthProvider):
 self.config = config
 async def validate_token(self, token: str, scope: dict | None = None) -> User:
- """Validate a GitHub token by calling the GitHub API."""
+ """Validate a GitHub token by calling the GitHub API.
+
+ This validates tokens issued by GitHub (personal access tokens or OAuth tokens).
+ """
 try:
 user_info = await self._get_github_user_info(token)
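Review bot: The reworded format check on the `startswith("Bearer ")` line still accepts a header that is exactly `Bearer ` or `Bearer` followed only by whitespace, because the `split("Bearer ", 1)[1]` on the hunk's last line then yields an empty string that is handed to the provider instead of being rejected as a format error. Extract and test the token before using it: `token = auth_header[len("Bearer "):].strip()` / `if not token:` / `return await self._send_auth_error(send, "Invalid Authorization header format")`. Whether every provider rejects an empty token on its own is not visible here, so the check belongs in the middleware. The enclosing method starts and ends outside the hunk.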