@tedhabeck tedhabeck commented Nov 11, 2025

  • Adds support for agentstack-cli automatic token refresh.

Please slack me directly if you need a working PKCE configuration to test this setup.

Automatic token refresh example:

#( 11/11/25@12:02PM )( habeck@TEDs-MacBook-Pro ):~/beeai-networking/agentstack/apps/agentstack-server@issue-1483✗✗✗
   mise agentstack-cli:run -- agent list
[agentstack-cli:run] $ uv run agentstack agent list
warning: `VIRTUAL_ENV=/Users/habeck/beeai-networking/agentstack/apps/agentstack-server/.venv` does not match the project environment path `.venv` and will be ignored; use `--active` to target the active environment instead
SHORT ID  NAME                    STATE     DESCRIPTION        INTERACTION  LOCATION               MISSING ENV  LAST ERROR
3b906a27  Chat                    ready     Agent with memor…  multi-turn   agents/chat:0.4.1-rc2  <none>       <none>    
6b27a943  RAG                     missing   RAG agent that r…  multi-turn   agents/rag:0.4.1-rc2   <none>       <none>    
1af40f1e  Single-turn Form Agent  missing   Example demonstr…  multi-turn   agents/form:0.4.1-rc2  <none>       <none>    
Finished in 9.36s
#( 11/11/25@12:17PM )( habeck@TEDs-MacBook-Pro ):~/beeai-networking/agentstack/apps/agentstack-server@issue-1483✗✗✗
   

cli login example:

  mise agentstack-cli:run -- server login 
[agentstack-sdk-py:setup] sources up-to-date, skipping
[helm:build:dependencies] sources up-to-date, skipping
[agentstack-cli:setup] sources up-to-date, skipping
[helm:build] sources up-to-date, skipping
[agentstack-cli:build:copy-helm-chart] sources up-to-date, skipping
[agentstack-cli:run] $ uv run agentstack server login
warning: `VIRTUAL_ENV=/Users/habeck/beeai-networking/agentstack/apps/agentstack-server/.venv` does not match the project environment path `.venv` and will be ignored; use `--active` to target the active environment instead
? Select a server, or log in to a new one: Log in to a new server
? Enter server URL: http://agentstack-cli.localhost:8333
📝 INFO: No authentication tokens found for this server. Proceeding to log in.
? Select an identity provider: IBMiD-PKCE
📝 INFO: Opening browser for login: 
https://isg-verify1.verify.ibm.com/oauth2/authorize?client_id=14d88fab-d185-4100-bea0-581461ef4fc7&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A9001%2Fcallback&scope=openid+email+profile&code_challenge=n941S9cSZlaJWj7Iw2t5KIALMJQsG1pNl2bfH1Z22aA&code_challenge_method=S256
✅ SUCCESS: Logged in to http://agentstack-cli.localhost:8333.
Finished in 44.47s
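
An added illustration, not part of this PR or the agentstack code: how the code_challenge and code_challenge_method=S256 parameters seen in the login URL above are derived and checked under RFC 7636, plus a small audit of a public-client authorization request. The function names, endpoint and client ID are hypothetical.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")


def s256(verifier: str) -> str:
    """BASE64URL(SHA256(verifier)) without padding, as RFC 7636 defines S256."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: a fresh verifier per login, kept locally; only the challenge is sent."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 limit
    return verifier, s256(verifier)


def build_authorize_url(endpoint: str, client_id: str, redirect_uri: str, challenge: str) -> str:
    """Same parameter set as the logged URL; the values passed in are assumptions."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{endpoint}?{urlencode(params)}"


def verify_challenge(verifier: str, challenge: str) -> bool:
    """Server side: at the token endpoint the verifier must hash to the stored challenge."""
    return secrets.compare_digest(s256(verifier), challenge)


def audit_authorize_url(url: str) -> list[str]:
    """Return the problems found in a public-client (CLI) authorization request."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    problems = []
    if q.get("response_type") != "code":
        problems.append("response_type is not 'code'")
    if q.get("code_challenge_method") != "S256":
        problems.append("code_challenge_method is not S256")
    if len(q.get("code_challenge", "")) != 43:
        problems.append("code_challenge is not a 43-character SHA-256 digest")
    if "client_secret" in q:
        problems.append("client_secret present in a public-client request")
    if urlparse(q.get("redirect_uri", "")).hostname not in LOOPBACK_HOSTS:
        problems.append("redirect_uri is not a loopback address")
    return problems
```
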

…or (i.e. either "uui" or "cli"). CLI can only authenticate using PKCE providers (public client), and UI uses std OIDC providers with client id and client secret.

Signed-off-by: habeck <[email protected]>
@tedhabeck tedhabeck marked this pull request as ready for review November 11, 2025 20:03
@dosubot dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Nov 11, 2025
@tedhabeck tedhabeck requested a review from jezekra1 November 11, 2025 20:03
@tedhabeck tedhabeck added the enhancement New feature or request label Nov 11, 2025
@tomkis tomkis moved this to In dev in Agent Stack Nov 12, 2025
@tomkis tomkis linked an issue Nov 12, 2025 that may be closed by this pull request
@tomkis tomkis requested review from pilartomas and removed request for jezekra1 November 12, 2025 13:06

@pilartomas pilartomas left a comment

Please, only focus on the changes in auth_manager. That's all that is needed.

The remaining changes should be reverted, they introduce bugs and regressions.

@araujof araujof left a comment

Overall, this PR makes good changes to address issues with CLI auth:

  • Token refresh implementation for handling expired tokens
  • PKCE implementation for the CLI
  • Separation of authentication concerns

However, a few changes may require discussion (and could be split into separate PRs):

  • Issues related to commented-out DCR code (# registration_endpoint = oidc["registration_endpoint"])
  • Issues related to manual client input (# if not client_id: # client_id = await inquirer.text())
  • The app field

@tedhabeck tedhabeck requested a review from pilartomas November 20, 2025 20:49

@pilartomas pilartomas left a comment

LGTM

Comment on lines +22 to +26
"client_data": [
{"server": str(p.issuer), "client_id": p.client_id, "name": p.name}
for p in self._config.auth.oidc.providers
if p.issuer is not None
],
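
Review bot: the filter on the last line of this comprehension checks only p.issuer, so a provider that has an issuer but no client_id set would still be emitted with a null client_id. If client_id is optional on the provider model, filter on it as well (for example "if p.issuer is not None and p.client_id"), or note why it is always present. Since the PR description says the CLI can only authenticate with PKCE (public client) providers, it is also worth confirming that only those providers end up in client_data.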

@pilartomas pilartomas Nov 26, 2025

I believe this can be also cleaned up.

By the way, I noticed Client ID Metadata RFC Draft which tries to approach this problem from a different angle but also replaces DCR in a sense. It allows client_id to be an arbitrary URL, previously unknown to the authorization server. The authorization server is then responsible for grabbing the client information dynamically during the flow itself (but making no persistent client, I believe).

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Nov 26, 2025
@tedhabeck tedhabeck merged commit 2735ca0 into main Nov 26, 2025
11 checks passed
@tedhabeck tedhabeck deleted the issue-1483 branch November 26, 2025 15:40
@github-project-automation github-project-automation bot moved this from In dev to Done in Agent Stack Nov 26, 2025
Development

Successfully merging this pull request may close these issues.

CLI does not handle expired tokens gracefully