phoenix-oss/llama-stack-mirror
0
0
Fork 1
mirror of https://github.com/meta-llama/llama-stack.git synced 2025-07-29 15:23:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Address PR review comments

Browse source 
- Fix error message: Change 'Missing or invalid' to 'Invalid' for Authorization header format
- Update documentation: Add breaking change notice for v0.2.13 auth config structure
- Update all auth config examples to use new provider_config structure
- Add GitHub token provider documentation
- Align GitHub default claims mapping with OAuth2 (use 'roles' instead of 'username')
- Add clarification comment that GitHub provider validates GitHub-issued tokens
This commit is contained in:
ehhuang 2025-07-03 10:26:51 -07:00 committed by Eric Huang
parent c2d16c713e
commit bdf2b50097
4 changed files with 28 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

30
docs/source/distributions/configuration.md
View file

@ -56,8 +56,8 @@ shields: []
server: server:
port: 8321 port: 8321
auth: auth:
provider_type: "oauth2_token" provider_config:
config: type: "oauth2_token"
jwks: jwks:
uri: "https://my-token-issuing-svc.com/jwks" uri: "https://my-token-issuing-svc.com/jwks"
``` ```
@ -226,6 +226,8 @@ server:
### Authentication Configuration ### Authentication Configuration
> **Breaking Change (v0.2.13)**: The authentication configuration structure has changed. The previous format with `provider_type` and `config` fields has been replaced with a unified `provider_config` field that includes the `type` field. Update your configuration files accordingly.
The `auth` section configures authentication for the server. When configured, all API requests must include a valid Bearer token in the Authorization header: The `auth` section configures authentication for the server. When configured, all API requests must include a valid Bearer token in the Authorization header:
``` ```
@ -240,8 +242,8 @@ The server can be configured to use service account tokens for authorization, va
```yaml ```yaml
server: server:
auth: auth:
provider_type: "oauth2_token" provider_config:
config: type: "oauth2_token"
jwks: jwks:
uri: "https://kubernetes.default.svc:8443/openid/v1/jwks" uri: "https://kubernetes.default.svc:8443/openid/v1/jwks"
token: "${env.TOKEN:+}" token: "${env.TOKEN:+}"
@ -325,13 +327,25 @@ You can easily validate a request by running:
curl -s -L -H "Authorization: Bearer $(cat llama-stack-auth-token)" http://127.0.0.1:8321/v1/providers curl -s -L -H "Authorization: Bearer $(cat llama-stack-auth-token)" http://127.0.0.1:8321/v1/providers
``` ```
#### GitHub Token Provider
Validates GitHub personal access tokens or OAuth tokens directly:
```yaml
server:
auth:
provider_config:
type: "github_token"
github_api_base_url: "https://api.github.com" # Or GitHub Enterprise URL
```
The provider fetches user information from GitHub and maps it to access attributes based on the `claims_mapping` configuration.
#### Custom Provider #### Custom Provider
Validates tokens against a custom authentication endpoint: Validates tokens against a custom authentication endpoint:
```yaml ```yaml
server: server:
auth: auth:
provider_type: "custom" provider_config:
config: type: "custom"
endpoint: "https://auth.example.com/validate" # URL of the auth endpoint endpoint: "https://auth.example.com/validate" # URL of the auth endpoint
``` ```
@ -416,8 +430,8 @@ clients.
server: server:
port: 8321 port: 8321
auth: auth:
provider_type: custom provider_config:
config: type: custom
endpoint: https://auth.example.com/validate endpoint: https://auth.example.com/validate
quota: quota:
kvstore: kvstore:

3
llama_stack/distribution/datatypes.py
View file

@ -244,8 +244,7 @@ class GitHubTokenAuthConfig(BaseModel):
) )
claims_mapping: dict[str, str] = Field( claims_mapping: dict[str, str] = Field(
default_factory=lambda: { default_factory=lambda: {
"login": "username", "login": "roles",
"id": "user_id",
"organizations": "teams", "organizations": "teams",
}, },
description="Mapping from GitHub user fields to access attributes", description="Mapping from GitHub user fields to access attributes",

2
llama_stack/distribution/server/auth.py
View file

@ -92,7 +92,7 @@ class AuthenticationMiddleware:
return await self._send_auth_error(send, error_msg) return await self._send_auth_error(send, error_msg)
if not auth_header.startswith("Bearer "): if not auth_header.startswith("Bearer "):
return await self._send_auth_error(send, "Missing or invalid Authorization header") return await self._send_auth_error(send, "Invalid Authorization header format")
token = auth_header.split("Bearer ", 1)[1] token = auth_header.split("Bearer ", 1)[1]

5
llama_stack/distribution/server/auth_providers.py
View file

@ -322,7 +322,10 @@ class GitHubTokenAuthProvider(AuthProvider):
self.config = config self.config = config
async def validate_token(self, token: str, scope: dict | None = None) -> User: async def validate_token(self, token: str, scope: dict | None = None) -> User:
"""Validate a GitHub token by calling the GitHub API.""" """Validate a GitHub token by calling the GitHub API.
This validates tokens issued by GitHub (personal access tokens or OAuth tokens).
"""
try: try:
user_info = await self._get_github_user_info(token) user_info = await self._get_github_user_info(token)