Feature Description
When Kagenti imports an agent with AuthBridge Enabled, an OIDC client is created in Keycloak. For example, when I import the git-issue-agent, I get client ID spiffe://localtest.me/ns/team1/sa/git-issue-agent.
The "Description" field should be filled in so that users who navigate to it have some hint. (The description could be dynamic, mentioning the Agent and its Agent Card URL, or it could be static, with nothing more than a link to Kagenti and/or Kagenti AuthBridge).
A scope, e.g. spiffe://localtest.me/ns/team1/sa/git-issue-agent-dedicated is also created. This scope has description "Dedicated scope and mappers for this client" but doesn't have any mappers.
Proposed Solution
Create an OIDC Client with a Description that either links to Kagenti AuthBridge docs or has text explaining "This Client is specific to the Kagenti Agent instance git-issue-agent."
The documentation should help a new Kagenti admin understand that the Agent cannot be contacted via A2A and asked to do work without a bearer token that is a JWT issued by this Keycloak with this OIDC Client as the audience.
The documentation might even include instructions for creating that JWT.
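As an added illustration of the two things the proposed documentation would have to convey (this is example code written for this issue, not Kagenti, AuthBridge or Keycloak code): a helper that produces the dynamic description text for the OIDC client, and the check that any A2A endpoint has to perform before doing work, namely that the bearer token is a JWT from the expected issuer whose audience is this client ID. The realm URL, the Agent Card URL, the docs URL and the shared secret are assumed placeholders; HS256 with a shared secret is used only so the example runs offline, whereas a real Keycloak realm signs with RS256 and the verifier would fetch the realm's JWKS. Because the check relies only on the standard `iss`, `aud` and `exp` claims, it applies unchanged to a non-Keycloak OIDC provider.

```python
"""Added example, not project code: OIDC client description text and the
issuer/audience check that gates A2A requests to a Kagenti agent."""
import base64
import hashlib
import hmac
import json
import time

CLIENT_ID = "spiffe://localtest.me/ns/team1/sa/git-issue-agent"          # from the issue
ISSUER = "https://keycloak.localtest.me/realms/team1"                     # assumed realm URL
AGENT_CARD_URL = "https://git-issue-agent.localtest.me/.well-known/agent.json"  # assumed
DOCS_URL = "https://github.com/kagenti/kagenti"                           # assumed docs link


def build_client_description(agent_name, agent_card_url, docs_url=DOCS_URL):
    """Dynamic 'Description' text for the OIDC client created on agent import."""
    return (
        f"This Client is specific to the Kagenti Agent instance '{agent_name}'. "
        f"Agent Card: {agent_card_url}. A2A requests to this agent must carry a "
        f"bearer JWT issued by this realm with this client ID as audience. "
        f"See {docs_url}"
    )


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(secret, iss, aud, sub, ttl=300, now=None):
    """Stand-in for the provider's token endpoint (HS256 so it runs offline)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": iss, "aud": aud, "sub": sub, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_bearer_token(token, secret, expected_iss, expected_aud, now=None):
    """Return (ok, reason). The signature is checked before any claim is trusted,
    and the algorithm is pinned rather than read from the token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    signing_input = parts[0] + "." + parts[1]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature"
    if payload.get("iss") != expected_iss:
        return False, "wrong issuer"
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:          # token minted for another client is rejected
        return False, "wrong audience"
    if payload.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed; a real realm uses RS256 keys
    print(build_client_description("git-issue-agent", AGENT_CARD_URL))
    tok = mint_token(secret, ISSUER, CLIENT_ID, "alice")
    print(verify_bearer_token(tok, secret, ISSUER, CLIENT_ID))
    other = "spiffe://localtest.me/ns/team1/sa/other-agent"
    print(verify_bearer_token(mint_token(secret, ISSUER, other, "alice"), secret, ISSUER, CLIENT_ID))
```

The audience check is the part a new admin is most likely to miss: a token that is perfectly valid for a different agent's client is still rejected here, which is exactly why the client description should say which agent instance it belongs to.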
Want to contribute?
Additional Context
When designing the solution, consider making it generic to non-Keycloak OIDC providers, in case Kagenti is ever required to integrate with OpenShift OIDC or a corporate SSO.