feat(#3309): pivot Kagenti auth to OAuth2 Client Credentials#3602
feat(#3309): pivot Kagenti auth to OAuth2 Client Credentials#3602gabemontero wants to merge 8 commits into
Conversation
Missing ChangesetsThe following package(s) are changed by this PR but do not have a changeset:
See CONTRIBUTING.md for more information about how to add changesets. Changed Packages
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #3602 +/- ##
=======================================
Coverage 54.03% 54.03%
=======================================
Files 2325 2325
Lines 89196 89196
Branches 24970 24970
=======================================
Hits 48194 48194
Misses 39547 39547
Partials 1455 1455
*This pull request uses carry forward flags. Click here to find out more. Continue to review full report in Codecov by Harness.
🚀 New features to boost your workflow:
|
|
🤖 Finished Review · ❌ Failure · Started 1:52 PM UTC · Completed 2:05 PM UTC |
|
@rohitkrai03 @mareklibra - per our discussion today, here is the change to fallback to the existing service account level OIDC flow to kagenti, i.e. what augment does today Then, we will use the finer grained backstage RBAC (vs. what augment provides) to control who makes what calls to kagenti I have also refactored #3309 to reflect this new approach @durandom FYI |
ReviewFindingsMedium
Low
Previous runReviewFindingsLow
Previous run (2)ReviewFindingsMedium
Low
Previous run (3)ReviewReason: stale-head The review agent reviewed commit Previous run (4)ReviewFindingsMedium
Low
Labels: PR modifies boost workspace auth configuration and security specifications Previous run (5)ReviewReason: stale-head The review agent reviewed commit Previous run (6)ReviewFindingsMedium
Low
Labels: PR modifies boost workspace auth configuration and security specifications. |
|
🤖 Finished Review · ✅ Success · Started 2:55 PM UTC · Completed 3:06 PM UTC |
Review findings triageAddressed the findings from the fullsend review agent (comment). Fixed (commit 8cb43ef)All 3 medium findings — stale references to the abandoned RFC 8693 /
Also bumped Deferred (low-priority schema hardening)The remaining low findings (L1–L6) are schema hardening suggestions — tighter Zod constraints, |
|
/fs-review |
|
🤖 Finished Review · ✅ Success · Started 3:10 PM UTC · Completed 3:26 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 3:40 PM UTC · Completed 3:54 PM UTC |
|
/fs-review |
|
🤖 Finished Review · ✅ Success · Started 3:57 PM UTC · Completed 4:11 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 4:20 PM UTC · Completed 4:31 PM UTC |
…xchange to OAuth2 Client Credentials
Replace per-user RFC 8693 token exchange approach with service-account
Keycloak authentication via OAuth2 Client Credentials Grant. The
service-account approach is simpler, proven in production, and
sufficient for current requirements. User identity is propagated
via X-Backstage-User header for audit purposes.
Config keys changed:
- boost.kagenti.auth.tokenExchange.{enabled,audience,userTokenHeader}
+ boost.kagenti.auth.{tokenEndpoint,clientId,clientSecret,tokenExpiryBufferSeconds}
Updated files:
- specifications/boost-context.md (principle 10)
- specifications/prd/security-safety-governance.md (section 3, throughout)
- openspec security-safety-governance: design, proposal, tasks, access-control spec
- openspec runtime-config spec
- config.d.ts, schemas.ts, schemas.test.ts, report.api.md
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…schema version bump - staged-issues.md: update issue redhat-developer#3309 entry from TokenExchangeManager/RFC 8693 to KeycloakTokenManager/Client Credentials Grant - platform-operations-deployment.md: update Kagenti auth config key references - platform-operations-deployment/tasks.md: update task 2.5 config field list - schemas.ts: bump BOOST_CONFIG_SCHEMA_VERSION from 1 to 2 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…tch new auth approach Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…larity, task wording - access-control/spec.md: add max-1-retry constraint to 401 scenario - security-safety-governance/design.md: add retry limit to Decision 4 - security-safety-governance/tasks.md: task 7.5 'single 401 retry' - staged-issues.md: mirror task 7.5 update - pluggable-ai-platform-architecture/design.md: clarify per-user token exchange is deferred, not covered elsewhere Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…piryBuffer tests - Remove .default(60) from Zod schema — raw config resolution bypasses Zod defaults, so the consumer (KeycloakTokenManager) must apply its own fallback. The description already documents the default. - Add tests: valid integers (0, 120), reject negative, reject float, undefined returns undefined (consumer applies default). - Regenerate report.api.md. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Document the actual Kagenti REST API paths (/api/v1/agents, /api/v1/tools) and Llama Stack endpoint (/v1/models) with response shapes and auth requirements. This prevents coding agents from guessing wrong paths (e.g. /a2a/ vs /api/v1/). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…l spec Add scenario documenting the exact /api/v1/ REST paths and response shapes for agent and tool discovery. Prevents coding agents from using incorrect /a2a/ paths when implementing against this spec. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
91fbac0 to
08f6fc3
Compare
|
|
🤖 Finished Review · ✅ Success · Started 2:34 PM UTC · Completed 2:51 PM UTC |



Summary
boost.kagenti.auth.tokenExchange.{enabled,audience,userTokenHeader}toboost.kagenti.auth.{tokenEndpoint,clientId,clientSecret,tokenExpiryBufferSeconds}Rationale
The service-account approach (matching the pattern proven in production) is simpler and sufficient for current requirements. Per-user RFC 8693 token exchange adds complexity (auth proxy dependency, per-user cache management) without proportional benefit. User identity is propagated via
X-Backstage-Userheader for audit trails.Files changed (11)
Specifications (2):
boost-context.md,security-safety-governance.mdPRDOpenSpec (5): security design, proposal, tasks, access-control spec, runtime-config spec
Code (4):
config.d.ts,schemas.ts,schemas.test.ts,report.api.mdTest plan
🤖 Generated with Claude Code