
frontend: add --auth-mode gateway + AK/SK workbench notice #638

Open
yaozheng-fang wants to merge 1 commit into main from frontend-gateway-auth

@yaozheng-fang

Collaborator

What

Two additions to veadk frontend, both opt-in and leaving the existing self-hosted SSO path untouched.

1. --auth-mode gateway (env VEADK_FRONTEND_AUTH_MODE)

A new auth mode for when an upstream API gateway has already authenticated the user and forwards the identity as Authorization: Bearer <JWT> (e.g. behind the AgentKit runtime gateway). In this mode the server:

  • does not run its own OAuth2 login/redirect,
  • parses the forwarded JWT's claims and serves them from /oauth2/userinfo (so the SPA resolves identity unchanged),
  • returns an empty /web/auth-config (no in-app login buttons).

Default is --auth-mode frontend — the existing behavior (this server runs its own VeIdentity/OAuth2 login) — so nothing changes unless you opt in.

Decode is intentionally trust-on-forward (no signature re-check): the gateway already validated the token. Localized to cli_frontend.py via a small _claims_from_forwarded_jwt helper.

2. AK/SK workbench notice

New /web/runtime-config reports whether VOLCENGINE_ACCESS_KEY / VOLCENGINE_SECRET_KEY are present. When the agent-creation workbench is opened without them, the SPA shows a centered "配置 AK/SK" notice instead of a broken workbench.

veadk/webui is rebuilt to include the frontend change.

Test

# existing behavior unchanged (self-hosted SSO / local username)
veadk frontend --agents-dir examples

# gateway mode: identity comes from a forwarded bearer JWT
veadk frontend --agents-dir examples --auth-mode gateway
#   GET /oauth2/userinfo with `Authorization: Bearer <userpool-jwt>` -> {sub, email, ...}
#   GET /oauth2/userinfo with no token                              -> 401

# AK/SK notice: run without creds, open the "创建 Agent" workbench -> centered notice

Note

The AgentKit runtime gateway's custom_jwt authorizer only validates a bearer JWT (401 without one) — it does not do interactive browser login. So --auth-mode gateway is for callers that already hold a userpool JWT; interactive browser SSO is still served by the default --auth-mode frontend.

🤖 Generated with Claude Code

- `veadk frontend --auth-mode gateway` (env VEADK_FRONTEND_AUTH_MODE): trust the
  identity an upstream API gateway (AgentKit runtime) already authenticated and
  forwards as `Authorization: Bearer <JWT>`; parse the user from the token and
  run no in-app login. Default `frontend` keeps the existing self-hosted SSO.
- /web/runtime-config reports whether Volcengine AK/SK are present; the SPA shows
  a centered "configure AK/SK" notice when opening the agent workbench without them.
- Rebuild veadk/webui.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
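
The trust-on-forward decode described in this pull request, as an added example (not the PR's `_claims_from_forwarded_jwt` helper or any veadk code). `claims_from_bearer`, `userinfo_status`, the requirement of a non-empty `sub`, and the sample tokens are assumptions made for illustration; it shows that a token with an arbitrary signature segment parses exactly like a gateway-issued one.

```python
import base64
import binascii
import json


def claims_from_bearer(authorization):
    """Return the forwarded JWT's payload claims, or None if unusable.

    Trust-on-forward: the signature segment is never checked, so the result
    is only as trustworthy as the network path that delivered the header.
    """
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    parts = token.strip().split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (binascii.Error, ValueError):
        return None
    # Assumption of this example: a usable identity has a non-empty string "sub".
    if not isinstance(claims, dict):
        return None
    sub = claims.get("sub")
    return claims if isinstance(sub, str) and sub else None


def userinfo_status(authorization):
    """(status, body) for GET /oauth2/userinfo as the PR's test notes describe."""
    claims = claims_from_bearer(authorization)
    return (200, claims) if claims else (401, None)


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample tokens (not real credentials).
GATEWAY_STYLE = ".".join(
    [_b64url({"alg": "RS256"}), _b64url({"sub": "u-123", "email": "a@example.com"}), "c2ln"])
# Arbitrary signature segment: parsed identically, because nothing verifies it.
UNVERIFIED = ".".join([_b64url({"alg": "RS256"}), _b64url({"sub": "someone-else"}), "AAAA"])

if __name__ == "__main__":
    print(userinfo_status("Bearer " + GATEWAY_STYLE))
    print(userinfo_status("Bearer " + UNVERIFIED))
    print(userinfo_status(None))
```

Since every well-formed token yields a 200, a server in this mode should accept connections only from the gateway that validated the token.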