Adds user_token auth mode to llama stack module (opendatahub-io#4596)

* Updates authentication to follow pattern used by model registry. Now supports user_token mode.

* fix: properly disable authentication if auth_method=disabled

* refactor: optimize TokenClientFactory performance and make API path prefix configurable

- Move TokenClientFactory creation from per-request to app-level initialization
- Add configurable APIPathPrefix to EnvConfig with default /api/v1
- Add --api-path-prefix command-line flag and API_PATH_PREFIX env var
- Replace hardcoded ApiPathPrefix constants with dynamic path generation methods
- Update middleware to use app.tokenFactory instead of recreating per request
- Update isAPIRoute function to be App method using configurable prefix
- Update all tests to work with new configurable approach
- Maintain backward compatibility with default /api/v1 prefix

This improves performance by eliminating per-request object creation and
provides flexibility for different deployment scenarios.

---------

Co-authored-by: Akram Ben Aissi <akram.benaissi@gmail.com>

Author: alexcreasy

frontend/packages/llama-stack-modular-ui/bff/.gitignore

@@ -1 +1,2 @@
 vendor/
+pkg/

frontend/packages/llama-stack-modular-ui/bff/Makefile

@@ -7,6 +7,7 @@ LOG_LEVEL ?= debug
 ALLOWED_ORIGINS ?= ""
 LLAMA_STACK_URL ?= ""
 MOCK_LS_CLIENT ?= false
+AUTH_METHOD ?= "disabled"
 
 .PHONY: all
 all: build
@@ -47,7 +48,7 @@ build: fmt vet test ## Builds the project to produce a binary executable.
 .PHONY: run
 run: fmt vet envtest ## Runs the project.
 	ENVTEST_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" \
-	go run ./cmd --port=$(PORT) --static-assets-dir=$(STATIC_ASSETS_DIR) --log-level=$(LOG_LEVEL) --allowed-origins=$(ALLOWED_ORIGINS) --llama-stack-url=$(LLAMA_STACK_URL) --mock-ls-client=$(MOCK_LS_CLIENT)
+	go run ./cmd --port=$(PORT) --static-assets-dir=$(STATIC_ASSETS_DIR) --log-level=$(LOG_LEVEL) --allowed-origins=$(ALLOWED_ORIGINS) --llama-stack-url=$(LLAMA_STACK_URL) --mock-ls-client=$(MOCK_LS_CLIENT) --auth-method=$(AUTH_METHOD)
 
 ##@ Dependencies
 

frontend/packages/llama-stack-modular-ui/bff/cmd/helpers.go

@@ -24,6 +24,9 @@ func getEnvAsString(name string, defaultVal string) string {
 	return defaultVal
 }
 
+// TODO: remove nolint comment below when we use this method
+//
+//nolint:unused
 func getEnvAsBool(name string, defaultVal bool) bool {
 	if value, exists := os.LookupEnv(name); exists {
 		boolValue, err := strconv.ParseBool(value)

frontend/packages/llama-stack-modular-ui/bff/cmd/main.go

@@ -23,19 +23,14 @@ func main() {
 	flag.TextVar(&cfg.LogLevel, "log-level", parseLevel(getEnvAsString("LOG_LEVEL", "DEBUG")), "Sets server log level, possible values: error, warn, info, debug")
 	flag.Func("allowed-origins", "Sets allowed origins for CORS purposes, accepts a comma separated list of origins or * to allow all, default none", newOriginParser(&cfg.AllowedOrigins, getEnvAsString("ALLOWED_ORIGINS", "")))
 	flag.BoolVar(&cfg.MockLSClient, "mock-ls-client", false, "Use mock Llama Stack client")
+	flag.StringVar(&cfg.AuthMethod, "auth-method", "disabled", "Authentication method (disabled or user_token)")
+	flag.StringVar(&cfg.AuthTokenHeader, "auth-token-header", getEnvAsString("AUTH_TOKEN_HEADER", config.DefaultAuthTokenHeader), "Header used to extract the token (e.g., Authorization)")
+	flag.StringVar(&cfg.AuthTokenPrefix, "auth-token-prefix", getEnvAsString("AUTH_TOKEN_PREFIX", config.DefaultAuthTokenPrefix), "Prefix used in the token header (e.g., 'Bearer ')")
+	flag.StringVar(&cfg.APIPathPrefix, "api-path-prefix", getEnvAsString("API_PATH_PREFIX", "/api/v1"), "API path prefix for BFF endpoints (e.g., /api/v1)")
 
 	// Llama Stack configuration
 	flag.StringVar(&cfg.LlamaStackURL, "llama-stack-url", getEnvAsString("LLAMA_STACK_URL", ""), "Llama Stack server URL for proxying requests")
 
-	// OAuth configuration
-	flag.BoolVar(&cfg.OAuthEnabled, "oauth-enabled", getEnvAsBool("OAUTH_ENABLED", false), "Enable OAuth authentication")
-	flag.StringVar(&cfg.OAuthClientID, "oauth-client-id", getEnvAsString("OAUTH_CLIENT_ID", ""), "OAuth client ID")
-	flag.StringVar(&cfg.OAuthClientSecret, "oauth-client-secret", getEnvAsString("OAUTH_CLIENT_SECRET", ""), "OAuth client secret")
-	flag.StringVar(&cfg.OAuthRedirectURI, "oauth-redirect-uri", getEnvAsString("OAUTH_REDIRECT_URI", ""), "OAuth redirect URI")
-	flag.StringVar(&cfg.OAuthServerURL, "oauth-server-url", getEnvAsString("OAUTH_SERVER_URL", ""), "OAuth server URL")
-	flag.StringVar(&cfg.OpenShiftApiServerUrl, "openshift-api-server-url", getEnvAsString("OPENSHIFT_API_SERVER_URL", "https://kubernetes.default.svc.cluster.local"), "OpenShift API server URL for token validation")
-	flag.StringVar(&cfg.OAuthUserInfoEndpoint, "oauth-user-info-endpoint", getEnvAsString("OAUTH_USER_INFO_ENDPOINT", ""), "OAuth user info endpoint URL for token validation (optional, defaults to OpenShift API server + /apis/user.openshift.io/v1/users/~)")
-
 	flag.Parse()
 
 	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{

frontend/packages/llama-stack-modular-ui/bff/internal/api/app.go

@@ -13,47 +13,53 @@ import (
 	"github.com/julienschmidt/httprouter"
 	"github.com/opendatahub-io/llama-stack-modular-ui/internal/config"
 	helper "github.com/opendatahub-io/llama-stack-modular-ui/internal/helpers"
+	"github.com/opendatahub-io/llama-stack-modular-ui/internal/integrations"
 )
 
 const (
 	Version = "1.0.0"
 
-	ApiPathPrefix   = "/api/v1"
 	HealthCheckPath = "/healthcheck"
-
-	OauthCallbackPath = ApiPathPrefix + "/auth/callback"
-	OauthStatePath    = ApiPathPrefix + "/auth/state"
-
-	ConfigPath = ApiPathPrefix + "/config"
-
-	ModelListPath    = ApiPathPrefix + "/models"
-	VectorDBListPath = ApiPathPrefix + "/vector-dbs"
-
-	// making it simpler than /tool-runtime/rag-tool/insert
-	UploadPath = ApiPathPrefix + "/upload"
-	QueryPath  = ApiPathPrefix + "/query"
 )
 
 // isAPIRoute checks if the given path is an API route
-func isAPIRoute(path string) bool {
+func (app *App) isAPIRoute(path string) bool {
 	return path == HealthCheckPath ||
 		path == OpenAPIPath ||
 		path == OpenAPIJSONPath ||
 		path == OpenAPIYAMLPath ||
 		path == SwaggerUIPath ||
-		// Match exactly “/api/v1” or any sub-path under it
-		path == ApiPathPrefix ||
-		strings.HasPrefix(path, ApiPathPrefix+"/") ||
+		// Match exactly the configured API path prefix or any sub-path under it
+		path == app.config.APIPathPrefix ||
+		strings.HasPrefix(path, app.config.APIPathPrefix+"/") ||
 		// Similarly for the llama-stack prefix
 		path == "/llama-stack" ||
 		strings.HasPrefix(path, "/llama-stack/")
 }
 
+// Path generation methods for configurable API paths
+func (app *App) getModelListPath() string {
+	return app.config.APIPathPrefix + "/models"
+}
+
+func (app *App) getVectorDBListPath() string {
+	return app.config.APIPathPrefix + "/vector-dbs"
+}
+
+func (app *App) getUploadPath() string {
+	return app.config.APIPathPrefix + "/upload"
+}
+
+func (app *App) getQueryPath() string {
+	return app.config.APIPathPrefix + "/query"
+}
+
 type App struct {
 	config       config.EnvConfig
 	logger       *slog.Logger
 	repositories *repositories.Repositories
 	openAPI      *OpenAPIHandler
+	tokenFactory *integrations.TokenClientFactory
 }
 
 func NewApp(cfg config.EnvConfig, logger *slog.Logger) (*App, error) {
@@ -62,25 +68,6 @@ func NewApp(cfg config.EnvConfig, logger *slog.Logger) (*App, error) {
 
 	logger.Info("Initializing app with config", slog.Any("config", cfg))
 
-	// Validate OAuth configuration
-	if cfg.OAuthEnabled {
-		if cfg.OAuthServerURL == "" {
-			return nil, fmt.Errorf("OAUTH_SERVER_URL is required when OAuth is enabled")
-		}
-		if cfg.OAuthClientID == "" {
-			return nil, fmt.Errorf("OAUTH_CLIENT_ID is required when OAuth is enabled")
-		}
-		if cfg.OAuthClientSecret == "" {
-			return nil, fmt.Errorf("OAUTH_CLIENT_SECRET is required when OAuth is enabled")
-		}
-		if cfg.OAuthRedirectURI == "" {
-			return nil, fmt.Errorf("OAUTH_REDIRECT_URI is required when OAuth is enabled")
-		}
-		logger.Info("OAuth configuration validated",
-			slog.String("oauth_server_url", cfg.OAuthServerURL),
-			slog.String("openshift_api_server_url", cfg.OpenShiftApiServerUrl))
-	}
-
 	if cfg.MockLSClient {
 		lsClient, err = mocks.NewLlamastackClientMock()
 	} else {
@@ -102,6 +89,7 @@ func NewApp(cfg config.EnvConfig, logger *slog.Logger) (*App, error) {
 		logger:       logger,
 		repositories: repositories.NewRepositories(lsClient),
 		openAPI:      openAPIHandler,
+		tokenFactory: integrations.NewTokenClientFactory(logger, cfg),
 	}
 	return app, nil
 }
@@ -113,43 +101,19 @@ func (app *App) Routes() http.Handler {
 	apiRouter.NotFound = http.HandlerFunc(app.notFoundResponse)
 	apiRouter.MethodNotAllowed = http.HandlerFunc(app.methodNotAllowedResponse)
 
-	// OAuth routes
-	if app.config.OAuthEnabled {
-		apiRouter.POST(OauthCallbackPath, app.HandleOAuthCallback)
-		apiRouter.GET(OauthStatePath, app.HandleOAuthState)
-	}
-
-	// Config endpoint (not authenticated)
-	apiRouter.GET(ConfigPath, app.HandleConfig)
-
-	apiRouter.GET(ModelListPath, app.RequireAuthRoute(app.AttachRESTClient(app.GetAllModelsHandler)))
-	apiRouter.GET(VectorDBListPath, app.RequireAuthRoute(app.AttachRESTClient(app.GetAllVectorDBsHandler)))
+	apiRouter.GET(app.getModelListPath(), app.RequireAccessToService(app.AttachRESTClient(app.GetAllModelsHandler)))
+	apiRouter.GET(app.getVectorDBListPath(), app.RequireAccessToService(app.AttachRESTClient(app.GetAllVectorDBsHandler)))
 
 	// POST to register the vectorDB (/v1/vector-dbs)
-	apiRouter.POST(VectorDBListPath, app.RequireAuthRoute(app.AttachRESTClient(app.RegisterVectorDBHandler)))
-	apiRouter.POST(UploadPath, app.RequireAuthRoute(app.AttachRESTClient(app.UploadHandler)))
-	apiRouter.POST(QueryPath, app.RequireAuthRoute(app.AttachRESTClient(app.QueryHandler)))
+	apiRouter.POST(app.getVectorDBListPath(), app.RequireAccessToService(app.AttachRESTClient(app.RegisterVectorDBHandler)))
+	apiRouter.POST(app.getUploadPath(), app.RequireAccessToService(app.AttachRESTClient(app.UploadHandler)))
+	apiRouter.POST(app.getQueryPath(), app.RequireAccessToService(app.AttachRESTClient(app.QueryHandler)))
 
 	// App Router
 	appMux := http.NewServeMux()
 
-	//// Register /api/v1/config as a public endpoint
-	//appMux.HandleFunc(ApiPathPrefix+"/config", func(w http.ResponseWriter, r *http.Request) {
-	//	app.HandleConfig(w, r, nil)
-	//})
-	//
-	//// Register /api/v1/auth/callback as a public endpoint
-	//appMux.HandleFunc(ApiPathPrefix+"/auth/callback", func(w http.ResponseWriter, r *http.Request) {
-	//	app.HandleOAuthCallback(w, r, nil)
-	//})
-	//
-	//// Register /api/v1/auth/state as a public endpoint
-	//appMux.HandleFunc(ApiPathPrefix+"/auth/state", func(w http.ResponseWriter, r *http.Request) {
-	//	app.HandleOAuthState(w, r, nil)
-	//})
-
-	//All other /api/v1/* routes require auth
-	appMux.Handle(ApiPathPrefix+"/", apiRouter)
+	//All other API routes require auth
+	appMux.Handle(app.config.APIPathPrefix+"/", apiRouter)
 
 	// Llama Stack proxy handler (unprotected)
 	appMux.HandleFunc("/llama-stack/", app.HandleLlamaStackProxy)
@@ -164,7 +128,7 @@ func (app *App) Routes() http.Handler {
 
 		// Skip API routes
 		if (r.URL.Path == "/" || r.URL.Path == "/index.html") ||
-			(len(r.URL.Path) > 0 && r.URL.Path[0] == '/' && !isAPIRoute(r.URL.Path)) {
+			(len(r.URL.Path) > 0 && r.URL.Path[0] == '/' && !app.isAPIRoute(r.URL.Path)) {
 
 			// Check if the requested file exists
 			cleanPath := path.Clean(r.URL.Path)
@@ -200,7 +164,7 @@ func (app *App) Routes() http.Handler {
 	combinedMux.HandleFunc(OpenAPIYAMLPath, app.openAPI.HandleOpenAPIYAMLWrapper)
 	combinedMux.HandleFunc(SwaggerUIPath, app.openAPI.HandleSwaggerUIWrapper)
 
-	combinedMux.Handle("/", app.RecoverPanic(app.EnableTelemetry(app.EnableCORS(appMux))))
+	combinedMux.Handle("/", app.RecoverPanic(app.EnableTelemetry(app.EnableCORS(app.InjectRequestIdentity(appMux)))))
 
 	return combinedMux
 }

frontend/packages/llama-stack-modular-ui/bff/internal/api/app_test.go

@@ -1,12 +1,23 @@
 package api
 
 import (
+	"log/slog"
 	"testing"
 
+	"github.com/opendatahub-io/llama-stack-modular-ui/internal/config"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestIsAPIRoute(t *testing.T) {
+	// Create a test app with default API path prefix
+	cfg := config.EnvConfig{
+		APIPathPrefix: "/api/v1",
+	}
+	app := &App{
+		config: cfg,
+		logger: slog.Default(),
+	}
+
 	tests := []struct {
 		name     string
 		path     string
@@ -49,42 +60,42 @@ func TestIsAPIRoute(t *testing.T) {
 		// API v1 routes - exact matches
 		{
 			name:     "api v1 prefix exact match",
-			path:     ApiPathPrefix,
+			path:     "/api/v1",
 			expected: true,
 		},
 		{
 			name:     "api v1 config",
-			path:     ApiPathPrefix + "/config",
+			path:     "/api/v1/config",
 			expected: true,
 		},
 		{
 			name:     "api v1 models",
-			path:     ApiPathPrefix + "/models",
+			path:     "/api/v1/models",
 			expected: true,
 		},
 		{
 			name:     "api v1 vector-dbs",
-			path:     ApiPathPrefix + "/vector-dbs",
+			path:     "/api/v1/vector-dbs",
 			expected: true,
 		},
 		{
 			name:     "api v1 upload",
-			path:     ApiPathPrefix + "/upload",
+			path:     "/api/v1/upload",
 			expected: true,
 		},
 		{
 			name:     "api v1 query",
-			path:     ApiPathPrefix + "/query",
+			path:     "/api/v1/query",
 			expected: true,
 		},
 		{
 			name:     "api v1 auth callback",
-			path:     ApiPathPrefix + "/auth/callback",
+			path:     "/api/v1/auth/callback",
 			expected: true,
 		},
 		{
 			name:     "api v1 auth state",
-			path:     ApiPathPrefix + "/auth/state",
+			path:     "/api/v1/auth/state",
 			expected: true,
 		},
 
@@ -226,7 +237,7 @@ func TestIsAPIRoute(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := isAPIRoute(tt.path)
+			result := app.isAPIRoute(tt.path)
 			assert.Equal(t, tt.expected, result,
 				"Path: %s, Expected: %v, Got: %v", tt.path, tt.expected, result)
 		})
@@ -235,6 +246,14 @@ func TestIsAPIRoute(t *testing.T) {
 
 // TestIsAPIRouteEdgeCases tests additional edge cases and boundary conditions
 func TestIsAPIRouteEdgeCases(t *testing.T) {
+	// Create a test app with default API path prefix
+	cfg := config.EnvConfig{
+		APIPathPrefix: "/api/v1",
+	}
+	app := &App{
+		config: cfg,
+		logger: slog.Default(),
+	}
 	tests := []struct {
 		name     string
 		path     string
@@ -304,7 +323,7 @@ func TestIsAPIRouteEdgeCases(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := isAPIRoute(tt.path)
+			result := app.isAPIRoute(tt.path)
 			assert.Equal(t, tt.expected, result,
 				"Path: %s, Expected: %v, Got: %v", tt.path, tt.expected, result)
 		})
@@ -313,13 +332,22 @@ func TestIsAPIRouteEdgeCases(t *testing.T) {
 
 // TestIsAPIRoutePerformance tests that the function handles various path lengths efficiently
 func TestIsAPIRoutePerformance(t *testing.T) {
+	// Create a test app with default API path prefix
+	cfg := config.EnvConfig{
+		APIPathPrefix: "/api/v1",
+	}
+	app := &App{
+		config: cfg,
+		logger: slog.Default(),
+	}
+
 	// Test with very long paths to ensure no performance issues
 	longPath := "/api/v1/" + string(make([]byte, 1000))
-	result := isAPIRoute(longPath)
+	result := app.isAPIRoute(longPath)
 	assert.True(t, result, "Long API path should still be recognized as API route")
 
 	// Test with very long non-API paths
 	longNonAPIPath := "/dashboard/" + string(make([]byte, 1000))
-	result = isAPIRoute(longNonAPIPath)
+	result = app.isAPIRoute(longNonAPIPath)
 	assert.False(t, result, "Long non-API path should not be recognized as API route")
 }