feat: add alibaba oauth comfig (#167)

Co-authored-by: 越鸿 <nishenghao.nsh@oceanbase.com>
Co-authored-by: magic.chen <cfqsunny@163.com>
Co-authored-by: AnotherSola <38176179+anotherso1a@users.noreply.github.com>
Co-authored-by: 坐山客 <157097695@qq.com>
Co-authored-by: Aries-ckt <916701291@qq.com>
Co-authored-by: heyzcat <31226585+heyzcat@users.noreply.github.com>
Co-authored-by: yangchuan <yangchuan@oppo.com>
Co-authored-by: neuqliu <1196932066@qq.com>
Co-authored-by: yanzhiyong <932374019@qq.com>
Co-authored-by: gallopxiong <62653374+josehap@users.noreply.github.com>
Co-authored-by: gallopxiong <gallopxiong@tencent.com>
Co-authored-by: XinyueDu <51403464+XinyueDu@users.noreply.github.com>
Co-authored-by: duxinyue.dxy <duxinyue.dxy@antgroup.com>
Co-authored-by: Ikko Eltociear Ashimine <eltociear@gmail.com>
Co-authored-by: lpq131004 <66124950+lpq131004@users.noreply.github.com>
Co-authored-by: chenketing.ckt <chenketing.ckt@antgroup.com>
Co-authored-by: Aries-ckt <ariesketing@gmail.com>
Co-authored-by: Lin-Zhipeng <2542207527@qq.com>
Co-authored-by: zhipeng.lin <zhipeng.lin@shopee.com>
Co-authored-by: Claude (GLM-4.7) <noreply@anthropic.com>
Co-authored-by: tptpp <544016459@qq.com>
Co-authored-by: RichardoMu <44485717+RichardoMrMu@users.noreply.github.com>
Co-authored-by: RichardoMrMu <tianbowen.tbw@antgroup.com>
Co-authored-by: yhjun1026 <yhjun1026@users.noreply.github.com>

Author: 24 people

assets/schema/derisk.sql

@@ -9,7 +9,7 @@ use derisk;
 -- MySQL DDL Script for Derisk
 -- Version: 0.3.0
 -- Generated from SQLAlchemy ORM Models
--- Generated: 2026-03-16 15:22:00
+-- Generated: 2026-03-18 00:22:14
 -- ============================================================
 
 SET NAMES utf8mb4;

configs/derisk-ob.toml

@@ -0,0 +1,85 @@
+[system]
+# Load language from environment variable(It is set by the hook)
+language = "${env:DERISK_LANG:-zh}"
+log_level = "INFO"
+api_keys = []
+encrypt_key = "${ENCRYPT_KEY:-your_secret_key}"
+
+# Server Configurations
+[service.web]
+host = "0.0.0.0"
+port = 7777
+model_storage = "database"
+web_url = "https://localhost:${env:WEB_SERVER_PORT:-7777}"
+
+[service.web.database]
+type = "sqlite"
+path = "pilot/meta_data/derisk.db"
+
+[service.web.trace]
+file = "${env:TRACE_FILE_DIR:-logs}/derisk_webserver_tracer.jsonl"
+
+[service.model.worker]
+host = "127.0.0.1"
+
+[agent.llm]
+# (可选) 全局配置
+temperature = 0.5
+
+[[agent.llm.provider]]
+provider = "openai"
+api_base = "https://dashscope.aliyuncs.com/compatible-mode/v1"
+api_key = "${DASHSCOPE_API_KEY:-sk-...}"
+
+[[agent.llm.provider.model]]
+name = "deepseek-r1"
+temperature = 0.7
+max_new_tokens = 4096
+[[agent.llm.provider.model]]
+name = "deepseek-v3"
+temperature = 0.7
+max_new_tokens = 4096
+[[agent.llm.provider.model]]
+name = "Kimi-k2"
+temperature = 0.7
+max_new_tokens = 4096
+[[agent.llm.provider.model]]
+name = "qwen-plus"
+temperature = 0.7
+max_new_tokens = 4096
+[[agent.llm.provider.model]]
+name = "qwen-vl-max"
+temperature = 0.7
+max_new_tokens = 4096
+
+[[agent.llm.provider.model]]
+name = "glm-5"
+temperature = 0.7
+max_new_tokens = 4096
+
+[[serves]]
+type = "file"
+# Default backend for file server
+default_backend = "oss"
+
+#[[serves.backends]]
+#type = "oss"
+#endpoint = "https://oss-cn-beijing.aliyuncs.com"
+#region = "oss-cn-beijing"
+#access_key_id = "${env:OSS_ACCESS_KEY_ID:-xxx}"
+#access_key_secret = "${env:OSS_ACCESS_KEY_SECRET:-xxx}"
+#fixed_bucket = "openderisk"
+#
+#
+#[sandbox]
+#type="local"
+#template_id=""
+#user_id="derisk"
+#agent_name="derisk"
+#repo_url=""
+#work_dir="/home/ubuntu"
+#skill_dir="/mnt/derisk/skills"
+#oss_ak="${env:OSS_ACCESS_KEY_ID:-xxx}"
+#oss_sk="${env:OSS_ACCESS_KEY_SECRET:-xxx}"
+#oss_endpoint="https://oss-cn-beijing.aliyuncs.com"
+#oss_bucket_name="openderisk"

packages/derisk-app/src/derisk_app/auth/oauth.py

@@ -12,6 +12,11 @@
 GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token"
 GITHUB_USERINFO_URL = "https://api.github.com/user"
 
+# Alibaba-inc (MOZI) OAuth2 endpoints
+MOZI_AUTH_URL = "https://mozi-login.alibaba-inc.com/oauth2/auth.htm"
+MOZI_TOKEN_URL = "https://mozi-login.alibaba-inc.com/rpc/oauth2/access_token.json"
+MOZI_USERINFO_URL = "https://mozi-login.alibaba-inc.com/rpc/oauth2/user_info.json"
+
 
 class OAuth2Service:
     """OAuth2 flow service - handles login redirect, callback, userinfo fetch."""
@@ -40,6 +45,21 @@ def get_authorization_url(
             }
             qs = "&".join(f"{k}={v}" for k, v in params.items())
             return f"{GITHUB_AUTH_URL}?{qs}"
+        elif provider_config.get("type") == "alibaba-inc":
+            client_id = provider_config.get("client_id", "")
+            scope = provider_config.get("scope", "get_user_info")
+            if not client_id:
+                return None
+            params = {
+                "client_id": client_id,
+                "redirect_uri": redirect_uri,
+                "state": state,
+                "response_type": "code",
+            }
+            if scope:
+                params["scope"] = scope
+            qs = "&".join(f"{k}={v}" for k, v in params.items())
+            return f"{MOZI_AUTH_URL}?{qs}"
         elif provider_config.get("type") == "custom":
             auth_url = provider_config.get("authorization_url", "")
             client_id = provider_config.get("client_id", "")
@@ -76,6 +96,16 @@ async def exchange_code_for_token(
                 "redirect_uri": redirect_uri,
             }
             headers = {"Accept": "application/json"}
+        elif provider_config.get("type") == "alibaba-inc":
+            token_url = MOZI_TOKEN_URL
+            data = {
+                "client_id": provider_config.get("client_id", ""),
+                "client_secret": provider_config.get("client_secret", ""),
+                "code": code,
+                "redirect_uri": redirect_uri,
+                "grant_type": "authorization_code",
+            }
+            headers = {"Accept": "application/json"}
         elif provider_config.get("type") == "custom":
             token_url = provider_config.get("token_url", "")
             if not token_url:
@@ -108,6 +138,10 @@ async def fetch_userinfo(
         if provider_config.get("type") == "github":
             userinfo_url = GITHUB_USERINFO_URL
             headers = {"Authorization": f"Bearer {access_token}"}
+        elif provider_config.get("type") == "alibaba-inc":
+            userinfo_url = MOZI_USERINFO_URL
+            # MOZI format: POST with access_token in body
+            headers = {"Content-Type": "application/x-www-form-urlencoded"}
         elif provider_config.get("type") == "custom":
             userinfo_url = provider_config.get("userinfo_url", "")
             if not userinfo_url:
@@ -118,18 +152,22 @@ async def fetch_userinfo(
 
         try:
             async with httpx.AsyncClient() as client:
-                resp = await client.get(userinfo_url, headers=headers)
+                if provider_config.get("type") == "alibaba-inc":
+                    resp = await client.post(
+                        userinfo_url, data={"access_token": access_token}, headers=headers
+                    )
+                else:
+                    resp = await client.get(userinfo_url, headers=headers)
                 resp.raise_for_status()
                 data = resp.json()
-                # Normalize to common format
                 return {
-                    "id": str(data.get("id", "")),
-                    "login": data.get("login", ""),
-                    "username": data.get("username", data.get("login", "")),
-                    "name": data.get("name", ""),
+                    "id": str(data.get("openId") or data.get("id") or ""),
+                    "login": data.get("login", data.get("account", "")),
+                    "username": data.get("username", data.get("nickNameCn", "")),
+                    "name": data.get("name", data.get("realName", data.get("lastName", ""))),
                     "email": data.get("email", ""),
-                    "avatar_url": data.get("avatar_url", ""),
-                    "avatar": data.get("avatar", data.get("avatar_url", "")),
+                    "avatar_url": data.get("avatar_url", data.get("avatar", "")),
+                    "avatar": data.get("avatar", ""),
                     "picture": data.get("picture", ""),
                 }
         except Exception as e: