frontend: add --auth-mode gateway + AK/SK workbench notice#638
Open
yaozheng-fang wants to merge 1 commit into
Open
frontend: add --auth-mode gateway + AK/SK workbench notice#638yaozheng-fang wants to merge 1 commit into
yaozheng-fang wants to merge 1 commit into
Conversation
- `veadk frontend --auth-mode gateway` (env VEADK_FRONTEND_AUTH_MODE): trust the identity an upstream API gateway (AgentKit runtime) already authenticated and forwards as `Authorization: Bearer <JWT>`; parse the user from the token and run no in-app login. Default `frontend` keeps the existing self-hosted SSO. - /web/runtime-config reports whether Volcengine AK/SK are present; the SPA shows a centered "configure AK/SK" notice when opening the agent workbench without them. - Rebuild veadk/webui. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Two additions to
veadk frontend, both opt-in and leaving the existing self-hosted SSO path untouched.1.
--auth-mode gateway(envVEADK_FRONTEND_AUTH_MODE)A new auth mode for when an upstream API gateway has already authenticated the user and forwards the identity as
Authorization: Bearer <JWT>(e.g. behind the AgentKit runtime gateway). In this mode the server:/oauth2/userinfo(so the SPA resolves identity unchanged),/web/auth-config(no in-app login buttons).Default is
--auth-mode frontend— the existing behavior (this server runs its own VeIdentity/OAuth2 login) — so nothing changes unless you opt in.Decode is intentionally trust-on-forward (no signature re-check): the gateway already validated the token. Localized to
cli_frontend.pyvia a small_claims_from_forwarded_jwthelper.2. AK/SK workbench notice
New
/web/runtime-configreports whetherVOLCENGINE_ACCESS_KEY/VOLCENGINE_SECRET_KEYare present. When the agent-creation workbench is opened without them, the SPA shows a centered "配置 AK/SK" notice instead of a broken workbench.veadk/webuiis rebuilt to include the frontend change.Test
Note
The AgentKit runtime gateway's
custom_jwtauthorizer only validates a bearer JWT (401 without one) — it does not do interactive browser login. So--auth-mode gatewayis for callers that already hold a userpool JWT; interactive browser SSO is still served by the default--auth-mode frontend.🤖 Generated with Claude Code