phoenix-oss/llama-stack-mirror
0
0
Fork 1
mirror of https://github.com/meta-llama/llama-stack.git synced 2025-06-27 18:50:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(auth): allow token to be provided for use against jwks endpoint (#2394)
Some checks failed
Integration Auth Tests / test-matrix (oauth2_token) (push) Failing after 1s
Details
Integration Tests / test-matrix (http, 3.10, providers) (push) Failing after 4s
Details
Integration Tests / test-matrix (http, 3.10, inspect) (push) Failing after 5s
Details
Integration Tests / test-matrix (http, 3.10, inference) (push) Failing after 7s
Details
Integration Tests / test-matrix (http, 3.11, agents) (push) Failing after 5s
Details
Integration Tests / test-matrix (http, 3.10, vector_io) (push) Failing after 7s
Details
Update ReadTheDocs / update-readthedocs (push) Failing after 1m11s
Details
Integration Tests / test-matrix (http, 3.10, datasets) (push) Failing after 10s
Details
Integration Tests / test-matrix (http, 3.10, tool_runtime) (push) Failing after 8s
Details
Integration Tests / test-matrix (http, 3.10, scoring) (push) Failing after 8s
Details
Integration Tests / test-matrix (http, 3.10, agents) (push) Failing after 10s
Details
Integration Tests / test-matrix (http, 3.11, post_training) (push) Failing after 6s
Details
Integration Tests / test-matrix (http, 3.11, inspect) (push) Failing after 6s
Details
Integration Tests / test-matrix (http, 3.11, inference) (push) Failing after 7s
Details
Integration Tests / test-matrix (http, 3.12, agents) (push) Failing after 5s
Details
Integration Tests / test-matrix (http, 3.11, vector_io) (push) Failing after 6s
Details
Integration Tests / test-matrix (http, 3.12, post_training) (push) Failing after 6s
Details
Integration Tests / test-matrix (http, 3.10, post_training) (push) Failing after 13s
Details
Integration Tests / test-matrix (http, 3.12, providers) (push) Failing after 6s
Details
Integration Tests / test-matrix (http, 3.11, providers) (push) Failing after 10s
Details
Integration Tests / test-matrix (http, 3.11, datasets) (push) Failing after 12s
Details
Integration Tests / test-matrix (http, 3.12, datasets) (push) Failing after 10s
Details
Integration Tests / test-matrix (http, 3.11, tool_runtime) (push) Failing after 11s
Details
Integration Tests / test-matrix (library, 3.10, agents) (push) Failing after 7s
Details
Integration Tests / test-matrix (http, 3.12, tool_runtime) (push) Failing after 8s
Details
Integration Tests / test-matrix (http, 3.12, inference) (push) Failing after 10s
Details
Integration Tests / test-matrix (http, 3.12, scoring) (push) Failing after 9s
Details
Integration Tests / test-matrix (library, 3.11, post_training) (push) Failing after 6s
Details
Integration Tests / test-matrix (library, 3.11, scoring) (push) Failing after 7s
Details
Integration Tests / test-matrix (library, 3.10, post_training) (push) Failing after 7s
Details
Integration Tests / test-matrix (library, 3.12, datasets) (push) Failing after 7s
Details
Integration Tests / test-matrix (library, 3.10, inspect) (push) Failing after 7s
Details
Integration Tests / test-matrix (library, 3.10, providers) (push) Failing after 7s
Details
Integration Tests / test-matrix (http, 3.12, vector_io) (push) Failing after 8s
Details
Integration Tests / test-matrix (library, 3.10, inference) (push) Failing after 9s
Details
Integration Tests / test-matrix (library, 3.10, datasets) (push) Failing after 8s
Details
Integration Tests / test-matrix (library, 3.10, vector_io) (push) Failing after 8s
Details
Integration Tests / test-matrix (library, 3.11, agents) (push) Failing after 5s
Details
Integration Tests / test-matrix (library, 3.12, inspect) (push) Failing after 12s
Details
Integration Tests / test-matrix (library, 3.10, scoring) (push) Failing after 9s
Details
Integration Tests / test-matrix (library, 3.11, inference) (push) Failing after 9s
Details
Integration Tests / test-matrix (http, 3.12, inspect) (push) Failing after 10s
Details
Integration Tests / test-matrix (library, 3.11, providers) (push) Failing after 8s
Details
Integration Tests / test-matrix (library, 3.10, tool_runtime) (push) Failing after 11s
Details
Integration Tests / test-matrix (library, 3.12, scoring) (push) Failing after 7s
Details
Integration Tests / test-matrix (http, 3.11, scoring) (push) Failing after 12s
Details
Integration Tests / test-matrix (library, 3.11, datasets) (push) Failing after 7s
Details
Integration Tests / test-matrix (library, 3.12, tool_runtime) (push) Failing after 6s
Details
Integration Tests / test-matrix (library, 3.11, tool_runtime) (push) Failing after 7s
Details
Integration Tests / test-matrix (library, 3.12, inference) (push) Failing after 8s
Details
Integration Tests / test-matrix (library, 3.12, agents) (push) Failing after 8s
Details
Integration Tests / test-matrix (library, 3.11, vector_io) (push) Failing after 9s
Details
Integration Tests / test-matrix (library, 3.11, inspect) (push) Failing after 8s
Details
Integration Tests / test-matrix (library, 3.12, post_training) (push) Failing after 7s
Details
Test External Providers / test-external-providers (venv) (push) Failing after 6s
Details
Integration Tests / test-matrix (library, 3.12, providers) (push) Failing after 10s
Details
Integration Tests / test-matrix (library, 3.12, vector_io) (push) Failing after 9s
Details
Unit Tests / unit-tests (3.11) (push) Failing after 8s
Details
Unit Tests / unit-tests (3.13) (push) Failing after 6s
Details
Unit Tests / unit-tests (3.12) (push) Failing after 1m17s
Details
Unit Tests / unit-tests (3.10) (push) Failing after 1m19s
Details
Pre-commit / pre-commit (push) Successful in 2m26s
Details

Browse source 
Though the jwks endpoint does not usually require authentication, it
does in a kubernetes cluster. While the cluster can be configured to
allow anonymous access to that endpoint, this avoids the need to do so.
This commit is contained in:
grs 2025-06-13 04:13:41 -04:00 committed by GitHub
parent ddaee42650
commit e2e15ebb6c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 99 additions and 60 deletions
Download patch file Download diff file Expand all files Collapse all files

77
docs/source/distributions/configuration.md
View file

@ -56,10 +56,10 @@ shields: []
server:
port: 8321
auth:
provider_type: "kubernetes"
provider_type: "oauth2_token"
config:
api_server_url: "https://kubernetes.default.svc"
ca_cert_path: "/path/to/ca.crt"
jwks:
uri: "https://my-token-issuing-svc.com/jwks"
```
Let's break this down into the different sections. The first section specifies the set of APIs that the stack server will serve:
@ -132,16 +132,52 @@ The server supports multiple authentication providers:
#### OAuth 2.0/OpenID Connect Provider with Kubernetes
The Kubernetes cluster must be configured to use a service account for authentication.
The server can be configured to use service account tokens for authorization, validating these against the Kubernetes API server, e.g.:
```yaml
server:
auth:
provider_type: "oauth2_token"
config:
jwks:
uri: "https://kubernetes.default.svc:8443/openid/v1/jwks"
token: "${env.TOKEN:}"
key_recheck_period: 3600
tls_cafile: "/path/to/ca.crt"
issuer: "https://kubernetes.default.svc"
audience: "https://kubernetes.default.svc"
```
To find your cluster's jwks uri (from which the public key(s) to verify the token signature are obtained), run:
```
kubectl get --raw /.well-known/openid-configuration| jq -r .jwks_uri
```
For the tls_cafile, you can use the CA certificate of the OIDC provider:
```bash
kubectl config view --minify -o jsonpath='{.clusters[0].cluster.certificate-authority}'
```
For the issuer, you can use the OIDC provider's URL:
```bash
kubectl get --raw /.well-known/openid-configuration| jq .issuer
```
The audience can be obtained from a token, e.g. run:
```bash
kubectl create token default --duration=1h | cut -d. -f2 | base64 -d | jq .aud
```
The jwks token is used to authorize access to the jwks endpoint. You can obtain a token by running:
```bash
kubectl create namespace llama-stack
kubectl create serviceaccount llama-stack-auth -n llama-stack
kubectl create rolebinding llama-stack-auth-rolebinding --clusterrole=admin --serviceaccount=llama-stack:llama-stack-auth -n llama-stack
kubectl create token llama-stack-auth -n llama-stack > llama-stack-auth-token
export TOKEN=$(cat llama-stack-auth-token)
```
Make sure the `kube-apiserver` runs with `--anonymous-auth=true` to allow unauthenticated requests
Alternatively, you can configure the jwks endpoint to allow anonymous access. To do this, make sure
the `kube-apiserver` runs with `--anonymous-auth=true` to allow unauthenticated requests
and that the correct RoleBinding is created to allow the service account to access the necessary
resources. If that is not the case, you can create a RoleBinding for the service account to access
the necessary resources:
@ -175,35 +211,6 @@ And then apply the configuration:
kubectl apply -f allow-anonymous-openid.yaml
```
Validates tokens against the Kubernetes API server through the OIDC provider:
```yaml
server:
auth:
provider_type: "oauth2_token"
config:
jwks:
uri: "https://kubernetes.default.svc"
key_recheck_period: 3600
tls_cafile: "/path/to/ca.crt"
issuer: "https://kubernetes.default.svc"
audience: "https://kubernetes.default.svc"
```
To find your cluster's audience, run:
```bash
kubectl create token default --duration=1h | cut -d. -f2 | base64 -d | jq .aud
```
For the issuer, you can use the OIDC provider's URL:
```bash
kubectl get --raw /.well-known/openid-configuration| jq .issuer
```
For the tls_cafile, you can use the CA certificate of the OIDC provider:
```bash
kubectl config view --minify -o jsonpath='{.clusters[0].cluster.certificate-authority}'
```
The provider extracts user information from the JWT token:
- Username from the `sub` claim becomes a role
- Kubernetes groups become teams