Merge pull request #20 from loveyana/main

feat(cloud): add OAuth2/JWT authentication support for CloudStrategy

Author: innsd

agentkit/toolkit/config/__init__.py

@@ -44,6 +44,8 @@
 from .utils import is_valid_config, is_invalid_config, merge_runtime_envs
 from .constants import (
     AUTO_CREATE_VE,
+    AUTH_TYPE_KEY_AUTH,
+    AUTH_TYPE_CUSTOM_JWT,
     GLOBAL_CONFIG_FILE_PERMISSIONS,
     GLOBAL_CONFIG_FILE,
     GLOBAL_CONFIG_DIR,
@@ -70,6 +72,8 @@
     "CRGlobalConfig",
     "TOSGlobalConfig",
     "AUTO_CREATE_VE",
+    "AUTH_TYPE_KEY_AUTH",
+    "AUTH_TYPE_CUSTOM_JWT",
     "DEFAULT_WORKSPACE_NAME",
     "DEFAULT_CR_NAMESPACE",
     "DEFAULT_CR_INSTANCE_TEMPLATE_NAME",

agentkit/toolkit/config/constants.py

@@ -36,3 +36,6 @@
 GLOBAL_CONFIG_DIR = Path.home() / ".agentkit"
 GLOBAL_CONFIG_FILE = GLOBAL_CONFIG_DIR / "config.yaml"
 GLOBAL_CONFIG_FILE_PERMISSIONS = 0o600  # Owner read/write only
+
+AUTH_TYPE_KEY_AUTH = "key_auth"
+AUTH_TYPE_CUSTOM_JWT = "custom_jwt"

agentkit/toolkit/config/strategy_configs.py

@@ -2,6 +2,8 @@
 from typing import Dict, List
 from .dataclass_utils import AutoSerializableMixin
 from .constants import (
+    AUTH_TYPE_CUSTOM_JWT,
+    AUTH_TYPE_KEY_AUTH,
     AUTO_CREATE_VE,
     DEFAULT_CR_NAMESPACE,
     DEFAULT_IMAGE_TAG,
@@ -207,6 +209,20 @@ class HybridStrategyConfig(AutoSerializableMixin):
             "aliases": ["ve_runtime_role_name"],
         },
     )
+    runtime_auth_type: str = field(
+        default=AUTH_TYPE_KEY_AUTH,
+        metadata={
+            "description": "Runtime authentication type",
+            "icon": "🔑",
+            "choices": [
+                {"value": AUTH_TYPE_KEY_AUTH, "description": "API Key authentication"},
+                {
+                    "value": AUTH_TYPE_CUSTOM_JWT,
+                    "description": "OAuth2/JWT authentication",
+                },
+            ],
+        },
+    )
     runtime_apikey_name: str = field(
         default=AUTO_CREATE_VE,
         metadata={
@@ -223,6 +239,20 @@ class HybridStrategyConfig(AutoSerializableMixin):
             "aliases": ["ve_runtime_apikey"],
         },
     )
+    runtime_jwt_discovery_url: str = field(
+        default="",
+        metadata={
+            "description": "OIDC Discovery URL for JWT validation (required when auth_type is custom_jwt)",
+            "examples": "https://userpool-xxx.userpool.auth.id.cn-beijing.volces.com/.well-known/openid-configuration",
+        },
+    )
+    runtime_jwt_allowed_clients: List[str] = field(
+        default_factory=list,
+        metadata={
+            "description": "Allowed OAuth2 client IDs (required when auth_type is custom_jwt)",
+            "examples": "['fa99ec54-8a1c-49b2-9a9e-3f3ba31d9a33']",
+        },
+    )
     runtime_endpoint: str = field(
         default="",
         metadata={
@@ -403,6 +433,20 @@ class CloudStrategyConfig(AutoSerializableMixin):
             "aliases": ["ve_runtime_role_name"],
         },
     )
+    runtime_auth_type: str = field(
+        default=AUTH_TYPE_KEY_AUTH,
+        metadata={
+            "description": "Runtime authentication type",
+            "icon": "🔑",
+            "choices": [
+                {"value": AUTH_TYPE_KEY_AUTH, "description": "API Key authentication"},
+                {
+                    "value": AUTH_TYPE_CUSTOM_JWT,
+                    "description": "OAuth2/JWT authentication",
+                },
+            ],
+        },
+    )
     runtime_apikey_name: str = field(
         default=AUTO_CREATE_VE,
         metadata={
@@ -419,6 +463,20 @@ class CloudStrategyConfig(AutoSerializableMixin):
             "aliases": ["ve_runtime_apikey"],
         },
     )
+    runtime_jwt_discovery_url: str = field(
+        default="",
+        metadata={
+            "description": "OIDC Discovery URL for JWT validation (required when auth_type is custom_jwt)",
+            "examples": "https://userpool-xxx.userpool.auth.id.cn-beijing.volces.com/.well-known/openid-configuration",
+        },
+    )
+    runtime_jwt_allowed_clients: List[str] = field(
+        default_factory=list,
+        metadata={
+            "description": "Allowed OAuth2 client IDs (required when auth_type is custom_jwt)",
+            "examples": "['fa99ec54-8a1c-49b2-9a9e-3f3ba31d9a33']",
+        },
+    )
     runtime_endpoint: str = field(
         default="",
         metadata={