feat: introduce OAuth2TokenAuthProvider and notion of "principal" #2185

Merged
merged 6 commits into from
May 19, 2025

Contributor

@ashwinb ashwinb commented May 16, 2025

This PR adds a notion of principal (aka some kind of persistent identity) to the authentication infrastructure of the Stack. Until now we only used access attributes ("claims" in the more standard OAuth / OIDC setup) but we need the notion of a User fundamentally as well. (Thanks @rhuss for bringing this up.)

This value is not yet used anywhere downstream but will be used to segregate access to resources.

In addition, the PR introduces a built-in JWT token validator so the Stack does not need to contact an authentication provider to validate the authorization and can merely check the signed token for the represented claims. Public keys are refreshed via the configured JWKS server. This Auth Provider should overwhelmingly be considered the default given the seamless integration it offers with OAuth setups.
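The local validation flow described above (verify the signature against a cached JWKS key, refresh the key set on an unknown `kid`, then check the claims), as an added example that is not code from this PR. It uses only the standard library so it runs offline, whereas the PR itself depends on `python-jose`. Assumptions: the `sub` claim is taken as the principal, the remaining claims as access attributes, and `Validator`, `fetch_jwks`, `issue` and the toy key are hypothetical names constructed for the demo.

```python
import base64, hashlib, json, time
# Constructed toy RSA key built from two Mersenne primes: factorable, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encoded_message(signing_input, n):  # EMSA-PKCS1-v1_5 over SHA-256, as an int
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    k = (n.bit_length() + 7) // 8
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def issue(claims, kid="k1"):  # hypothetical identity provider signing with the toy key
    head = {"alg": "RS256", "kid": kid}
    si = ".".join(b64u(json.dumps(x).encode()) for x in (head, claims))
    sig = pow(encoded_message(si.encode(), N), D, N)
    return si + "." + b64u(sig.to_bytes((N.bit_length() + 7) // 8, "big"))

def fetch_jwks():  # stand-in for an HTTP GET of the configured JWKS URL
    n = b64u(N.to_bytes((N.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "kid": "k1", "n": n, "e": b64u(E.to_bytes(3, "big"))}]}

class Validator:
    def __init__(self, issuer, audience):
        self.issuer, self.audience, self.keys = issuer, audience, {}
    def validate(self, token, now=None):
        h, p, s = token.split(".")
        head = json.loads(unb64u(h))
        if head.get("alg") != "RS256":        # the token never chooses the algorithm
            raise ValueError("unexpected alg")
        if head.get("kid") not in self.keys:  # unknown kid: refresh once (key rotation)
            self.keys = {k["kid"]: k for k in fetch_jwks()["keys"]}
        jwk = self.keys.get(head.get("kid"))
        if jwk is None:
            raise ValueError("unknown kid")
        n, e = (int.from_bytes(unb64u(jwk[f]), "big") for f in ("n", "e"))
        if pow(int.from_bytes(unb64u(s), "big"), e, n) != encoded_message(f"{h}.{p}".encode(), n):
            raise ValueError("bad signature")
        c = json.loads(unb64u(p))
        if c.get("iss") != self.issuer or c.get("aud") != self.audience:
            raise ValueError("wrong issuer or audience")
        if c.get("exp", 0) <= (now or time.time()):
            raise ValueError("expired")
        return c["sub"], {k: v for k, v in c.items() if k not in ("iss", "aud", "exp", "sub")}
```

The signature check compares the full re-encoded padding block rather than parsing the decrypted one, and the principal is returned only after signature, issuer, audience and expiry have all passed.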

@facebook-github-bot facebook-github-bot added the CLA Signed This label is managed by the Meta Open Source bot. label May 16, 2025
@ashwinb ashwinb changed the title feat: introduce JWKSAuthProvider feat: introduce JWKSAuthProvider and notion of "principal" May 16, 2025
@ashwinb ashwinb changed the title feat: introduce JWKSAuthProvider and notion of "principal" feat: introduce JWTAuthProvider and notion of "principal" May 16, 2025
@@ -31,6 +31,7 @@ dependencies = [
"openai>=1.66",
"prompt-toolkit",
"python-dotenv",
"python-jose",
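Review bot: the added `"python-jose"` entry has no version constraint, unlike `"openai>=1.66"` three lines above it in the same `dependencies` list. Since the PR description says this package backs the new token validator, a lower bound (for example `"python-jose>=<minimum tested version>"`) would keep the resolver from selecting an old release of a library that sits on the authentication path. It is also worth recording in the PR why it goes into the core `dependencies` list rather than an optional extra, given that every install will now pull it in.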
Contributor Author

not happy about this right now, I am going to split off Auth (and then Credentials) to proper APIs which have proper providers so the overall distribution dependency system takes over. we don't want starter distros to have complex dependencies if they don't need them.

but for now, this will do.

@ashwinb ashwinb changed the title feat: introduce JWTAuthProvider and notion of "principal" feat: introduce OAuth2TokenAuthProvider and notion of "principal" May 18, 2025
@ashwinb ashwinb merged commit c7015d3 into meta-llama:main May 19, 2025
24 checks passed
@ashwinb ashwinb deleted the jwt_auth branch May 19, 2025 00:54
Labels
CLA Signed This label is managed by the Meta Open Source bot.
6 participants