Skip to content

Add OAuth2 SSO support for veadk web with Agent Identity#477

Merged
yaozheng-fang merged 1 commit intovolcengine:mainfrom
loveyana:feat/veadk-web-sso
Jan 29, 2026
Merged

Add OAuth2 SSO support for veadk web with Agent Identity#477
yaozheng-fang merged 1 commit intovolcengine:mainfrom
loveyana:feat/veadk-web-sso

Conversation

@loveyana
Copy link
Contributor

@loveyana loveyana commented Jan 28, 2026

Overview

This PR adds comprehensive OAuth2/OIDC Single Sign-On (SSO) support for VeADK Web and implements Access Token validation based on JWKS with optional Introspection.

Key Changes

1. OAuth2 Middleware Enhancements

  • OIDC JWKS Validation: Support JWT Access Token validation via JWKS (JSON Web Key Set)
  • Optional Introspection: Support OAuth2 Token Introspection endpoint for opaque token validation
  • Dual Authentication Sources: Validates both Authorization Header and Session Cookie tokens
  • No Authorization Passthrough: Middleware no longer passes through the original client Authorization header; instead uses the validated Session Token

2. /oauth2/userinfo Endpoint Token Validation

  • The /oauth2/userinfo endpoint now validates the Access Token in the Session before returning user info
  • Ensures returned user information corresponds to a valid authentication state

3. VeADK Web CLI Integration

  • veadk web command supports --oauth2-user-pool and --oauth2-user-pool-client parameters
  • Automatic OAuth2 middleware configuration with VeIdentity User Pool integration

Technical Implementation

Access Token Validation Flow

┌─────────────────┐
│ Request Arrives │
└────────┬────────┘
         │
         ▼
┌─────────────────┐     Has Authorization Header?
│  Check Auth     │────────────────────────────┐
│  Header         │                            │
└────────┬────────┘                            │
         │ No                                  │ Yes
         ▼                                     ▼
┌─────────────────┐                   ┌─────────────────┐
│  Check Session  │                   │  Extract Bearer │
│  Cookie         │                   │  Token          │
└────────┬────────┘                   └────────┬────────┘
         │                                     │
         ▼                                     ▼
┌─────────────────┐                   ┌─────────────────┐
│  Validate       │                   │  JWKS/Intro-    │
│  Session Token  │                   │  spection       │
└────────┬────────┘                   └────────┬────────┘
         │                                     │
         ▼                                     ▼
┌─────────────────┐                   ┌─────────────────┐
│  Inject Auth    │                   │  Set User       │
│  Header         │                   │  Scope          │
└────────┬────────┘                   └────────┬────────┘
         │                                     │
         └──────────────┬──────────────────────┘
                        ▼
               ┌─────────────────┐
               │ Continue Request│
               └─────────────────┘

New Configuration Parameters

Parameter Type Default Description
issuer str None JWT Issuer for validating iss claim
jwks_uri str None JWKS endpoint URL
audience str | list[str] None Allowed audience list
allowed_algorithms list[str] ["RS256"] Allowed signing algorithms
jwks_cache_ttl_seconds int 300 JWKS cache TTL
jwks_kid_miss_cooldown_seconds int 30 Cooldown before refreshing on KID miss
use_introspection bool False Whether to use Introspection validation
introspection_url str None Introspection endpoint URL
introspection_client_id str None Introspection client ID
introspection_client_secret str None Introspection client secret
introspection_cache_ttl_seconds int 300 Introspection result cache TTL

Security Features

  • Algorithm Whitelist: Prevents alg=none attacks
  • Issuer Validation: Ensures token is from expected IdP
  • Audience Validation: Ensures token is issued for this application
  • Expiration Validation: Automatically rejects expired tokens
  • JWKS Caching: Reduces requests to IdP, supports auto-refresh on KID miss
  • Cookie Signing: Session cookies are signed with HMAC-SHA256

@loveyana
Add OAuth2 SSO support for veadk web with Agent Identity
7c8141e 
This update introduces OAuth2/OIDC SSO authentication via Agent Identity User Pool to the `veadk web` command. Documentation is updated to describe new CLI options (`--oauth2-user-pool`, `--oauth2-user-pool-client`, `--oauth2-redirect-uri`). The CLI and middleware are extended to support access token validation (JWKS/introspection), user info extraction, and secure session handling for both API and browser requests.

Reformat long lines for readability in oauth2_auth.py

Refactored several long lines and conditional statements to improve code readability and maintain PEP8 compliance. No functional changes were made.
@yaozheng-fang yaozheng-fang merged commit b54cdb2 into volcengine:main Jan 29, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yaozheng-fang yaozheng-fang yaozheng-fang approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@loveyana @yaozheng-fang