Improvements to documentation with regards to remote OAuth issue #97
+122
−6
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -774,6 +774,76 @@ For platforms without file persistence (Railway, Render, Vercel): | |||||
|
|
||||||
| </details> | ||||||
|
|
||||||
| <details> | ||||||
| <summary><b>Remote Host Deployment (SSH Port Forwarding)</b></summary> | ||||||
|
|
||||||
| When the proxy is running on a remote host (VPS, cloud server, etc.), OAuth token authentication requires SSH port forwarding. This is because the OAuth callback URL is sent to `localhost`, which on the remote server points to the server itself, not your local machine. | ||||||
|
|
||||||
| **The Problem:** | ||||||
|
|
||||||
| - You run the proxy on a remote VPS | ||||||
| - You try to add OAuth credentials using the credential tool | ||||||
| - The OAuth provider redirects to `http://localhost:PORT/callback` | ||||||
| - On the VPS, `localhost` refers to the VPS, not your local machine | ||||||
| - The callback fails because your browser can't reach the VPS's localhost | ||||||
|
|
||||||
| **The Solution: SSH Port Forwarding** | ||||||
|
|
||||||
| Use SSH to tunnel the OAuth callback ports from the VPS back to your local machine. You only need to do this when adding OAuth credentials. | ||||||
|
|
||||||
| **Single Provider Examples:** | ||||||
|
|
||||||
| ```bash | ||||||
| # Gemini CLI (port 8085) | ||||||
| ssh -L 8085:localhost:8085 user@your-vps-ip | ||||||
|
|
||||||
| # Antigravity (port 51121) | ||||||
| ssh -L 51121:localhost:51121 user@your-vps-ip | ||||||
|
|
||||||
| # iFlow (port 11451) | ||||||
| ssh -L 11451:localhost:11451 user@your-vps-ip | ||||||
| ``` | ||||||
|
|
||||||
| **Multiple Providers at Once:** | ||||||
|
|
||||||
| ```bash | ||||||
| # Forward all three OAuth ports simultaneously | ||||||
| ssh -L 8085:localhost:8085 -L 51121:localhost:51121 -L 11451:localhost:11451 user@your-vps-ip | ||||||
| ``` | ||||||
|
|
||||||
| **Complete Workflow:** | ||||||
|
|
||||||
| 1. **Establish SSH tunnel** (keep this connection open): | ||||||
|
Contributor
There was a problem hiding this comment. The iFlow port (
Suggested change
|
||||||
| ```bash | ||||||
| ssh -L 8085:localhost:8085 -L 51121:localhost:51121 user@your-vps-ip | ||||||
| ``` | ||||||
|
|
||||||
| 2. **Run the credential tool on the VPS** (in a separate terminal or SSH session): | ||||||
| ```bash | ||||||
| ssh user@your-vps-ip | ||||||
| cd /path/to/LLM-API-Key-Proxy | ||||||
| python -m rotator_library.credential_tool | ||||||
| ``` | ||||||
|
|
||||||
| 3. **Complete OAuth authentication**: | ||||||
|
Contributor
There was a problem hiding this comment. On many remote servers (especially headless VPS instances), the credential tool cannot automatically open a browser window. It usually prints a URL for the user to copy. Clarifying this (e.g., "The tool will provide a URL to open in your local browser") would be more accurate for VPS users. |
||||||
| - The credential tool will open a browser window | ||||||
| - Because of the SSH tunnel, the callback will be forwarded to your local machine | ||||||
| - Complete the authentication flow as normal | ||||||
|
|
||||||
| 4. **Close SSH tunnel** after authentication is complete | ||||||
|
|
||||||
| **Alternative: Local Authentication + Deploy Credentials** | ||||||
|
|
||||||
| If you prefer not to use SSH port forwarding: | ||||||
|
|
||||||
| 1. Complete OAuth flows locally on your machine | ||||||
| 2. Export credentials to environment variables using the credential tool | ||||||
| 3. Deploy the `.env` file to your remote server | ||||||
|
|
||||||
| See the "Stateless Deployment" section above for details on exporting credentials. | ||||||
|
|
||||||
| </details> | ||||||
|
|
||||||
| <details> | ||||||
| <summary><b>OAuth Callback Port Configuration</b></summary> | ||||||
|
|
||||||
|
|
@@ -930,11 +1000,13 @@ For OAuth providers (Antigravity, Gemini CLI, etc.), you must authenticate local | |||||
|
|
||||||
| ```bash | ||||||
| # Forward callback ports through SSH | ||||||
| ssh -L 8085:localhost:8085 -L 51121:localhost:51121 -L 11451:localhost:11451 user@your-vps-ip | ||||||
|
|
||||||
| # Then run credential tool on the VPS in a separate terminal | ||||||
| ``` | ||||||
|
|
||||||
| This creates a tunnel that forwards OAuth callback ports from the VPS to your local machine, allowing the browser-based authentication to complete successfully. | ||||||
|
|
||||||
| **Systemd Service:** | ||||||
|
|
||||||
| ```ini | ||||||
|
|
@@ -953,6 +1025,7 @@ WantedBy=multi-user.target | |||||
| ``` | ||||||
|
|
||||||
| See [VPS Deployment](Deployment%20guide.md#appendix-deploying-to-a-custom-vps) for complete guide. | ||||||
| See the [Remote Host Deployment (SSH Port Forwarding)](#remote-host-deployment-ssh-port-forwarding) section above for detailed OAuth setup instructions. | ||||||
|
|
||||||
| </details> | ||||||
|
|
||||||
|
|
@@ -967,6 +1040,7 @@ See [VPS Deployment](Deployment%20guide.md#appendix-deploying-to-a-custom-vps) f | |||||
| | All keys on cooldown | All keys failed recently; check `logs/detailed_logs/` for upstream errors | | ||||||
| | Model not found | Verify format is `provider/model_name` (e.g., `gemini/gemini-2.5-flash`) | | ||||||
| | OAuth callback failed | Ensure callback port (8085, 51121, 11451) isn't blocked by firewall | | ||||||
| | OAuth callback failed on remote VPS | Use SSH port forwarding: `ssh -L 8085:localhost:8085 -L 51121:localhost:51121 user@your-vps-ip` | | ||||||
|
Contributor
There was a problem hiding this comment. The iFlow port (
Suggested change
|
||||||
| | Streaming hangs | Increase `TIMEOUT_READ_STREAMING`; check provider status | | ||||||
|
|
||||||
| **Detailed Logs:** | ||||||
|
|
||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might be helpful to include the actual command for exporting credentials here, e.g.,
python -m rotator_library.credential_tool --export, so users don’t have to hunt for it.