You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
OpenRAG already uses a universal JWT for all OpenSearch calls (SaaS/IBM auth mode). However, the Docling Serve Langflow component (flows/components/docling_remote.py — DoclingRemoteComponent) does not automatically forward the JWT as an Authorization: Bearer <token> header when making requests to Docling Serve.
src/services/langflow_file_service.py → submit_to_docling() already accepts a jwt_token parameter and forwards it as auth_header to upload_to_docling_direct_async():
❌ Langflow flow component — JWT not automatically injected
flows/components/docling_remote.py — DoclingRemoteComponent — currently relies on a manualapi_headers TableInput for custom headers. There is no automatic injection of the JWT from the Langflow global variable system (i.e., X-Langflow-Global-Var-JWT) when the ingestion flow runs inside Langflow.
By contrast, flows/components/opensearch_multimodal.py already supports a dedicated JWT auth mode (with jwt_token, jwt_header, and bearer_prefix inputs) and reads the JWT from the global variable passed via X-Langflow-Global-Var-JWT.
Problem Statement
When the ingestion flow is executed via Langflow (rather than via the direct service path), the Docling Serve component does not authenticate with the Docling Serve instance using the user's JWT. This means:
Docling Serve deployed behind an auth proxy (e.g., IBM SaaS) will reject unauthenticated requests.
The JWT available as a Langflow global variable (JWT) is never forwarded to Docling Serve.
Proposed Solution
Update DoclingRemoteComponent in flows/components/docling_remote.py to:
Add a dedicated JWT input (similar to opensearch_multimodal.py) that reads from the Langflow global variable JWT:
Add a StrInput for jwt_token (with global_field=True or wired to the global JWT variable) — marked advanced/optional.
When set, automatically prepend it as Authorization: Bearer <jwt_token> to the headers sent to Docling Serve.
Merge with existing api_headers — the manual headers table should continue to work; the JWT should be merged in, with explicit headers taking precedence.
Update the flow JSONs (flows/ingestion_flow.json, flows/openrag_url_mcp.json, flows/openrag_url_n.json) to wire the global JWT variable into the new Docling JWT input field.
Overview
OpenRAG already uses a universal JWT for all OpenSearch calls (SaaS/IBM auth mode). However, the Docling Serve Langflow component (
flows/components/docling_remote.py—DoclingRemoteComponent) does not automatically forward the JWT as anAuthorization: Bearer <token>header when making requests to Docling Serve.Requested by
@edwinjosechittilappillyin PR #1717 comment.Current State
✅ Direct upload path — already handled
src/services/langflow_file_service.py→submit_to_docling()already accepts ajwt_tokenparameter and forwards it asauth_headertoupload_to_docling_direct_async():❌ Langflow flow component — JWT not automatically injected
flows/components/docling_remote.py—DoclingRemoteComponent— currently relies on a manualapi_headersTableInput for custom headers. There is no automatic injection of the JWT from the Langflow global variable system (i.e.,X-Langflow-Global-Var-JWT) when the ingestion flow runs inside Langflow.By contrast,
flows/components/opensearch_multimodal.pyalready supports a dedicated JWT auth mode (withjwt_token,jwt_header, andbearer_prefixinputs) and reads the JWT from the global variable passed viaX-Langflow-Global-Var-JWT.Problem Statement
When the ingestion flow is executed via Langflow (rather than via the direct service path), the Docling Serve component does not authenticate with the Docling Serve instance using the user's JWT. This means:
JWT) is never forwarded to Docling Serve.Proposed Solution
Update
DoclingRemoteComponentinflows/components/docling_remote.pyto:Add a dedicated JWT input (similar to
opensearch_multimodal.py) that reads from the Langflow global variableJWT:StrInputforjwt_token(withglobal_field=Trueor wired to the globalJWTvariable) — marked advanced/optional.Authorization: Bearer <jwt_token>to the headers sent to Docling Serve.Merge with existing
api_headers— the manual headers table should continue to work; the JWT should be merged in, with explicit headers taking precedence.Update the flow JSONs (
flows/ingestion_flow.json,flows/openrag_url_mcp.json,flows/openrag_url_n.json) to wire the globalJWTvariable into the new Docling JWT input field.Sketch
Acceptance Criteria
DoclingRemoteComponentautomatically setsAuthorization: Bearer <jwt>whenjwt_tokenis provided (via global var or explicit input).api_headersTableInput continues to work and takes precedence over the auto-injected JWT header.flows/ingestion_flow.jsonwires the globalJWTvariable to the new JWT input on the Docling Serve component.openrag_url_mcp.json,openrag_url_n.json) are updated similarly.DoclingRemoteComponent._process_headers()correctly injects theAuthorizationheader whenjwt_tokenis set.References
flows/components/docling_remote.py— Docling Serve Langflow component (needs update)flows/components/opensearch_multimodal.py— reference implementation for JWT auth in a Langflow componentsrc/services/langflow_file_service.py—submit_to_docling()— direct path already handles JWTsrc/utils/langflow_headers.py—build_ibm_opensearch_vars()— shows how JWT global vars are built