feat(identity): Integrate VeIdentity config and region support

Added VeIdentityConfig to global settings and improved region handling for Agent Identity authentication. Updated configuration files and environment variable documentation.

Author: loveyana

docs/content/2.configurations/1.system.md

@@ -44,8 +44,8 @@ model:
     # api_key: 
 
 volcengine:
-  access_key: 
-  secret_key: 
+  access_key:
+  secret_key:
 
 observability:
   opentelemetry:
@@ -70,6 +70,11 @@ database:
     region: cn-beijing
     bucket: 
 
+veidentity:
+  # Agent Identity 服务区域
+  region: cn-beijing
+  # 可选：自定义 Agent Identity 服务端点，不提供时自动生成
+
 logging:
   # ERROR
   # WARNING

docs/content/2.configurations/2.envs.md

@@ -105,3 +105,20 @@ volcengine:
 | 环境变量名称 | 释义 |
 | :- | :- |
 | `PROMPT_PILOT_API_KEY` | Prompt Pilot 产品密钥 |
+
+## Agent Identity 身份认证
+
+统一前缀： `VEIDENTITY_`
+
+| 环境变量名称 | 释义 |
+| :- | :- |
+| `VEIDENTITY_REGION` | Agent Identity 服务区域，默认 cn-beijing |
+| `VEIDENTITY_ENDPOINT` | Agent Identity 服务端点（可选，不提供时自动生成） |
+
+对应 `yaml` 文件格式：
+
+```yaml [config.yaml]
+veidentity:
+  region: cn-beijing
+  endpoint:  # 可选，不提供时自动生成
+```

veadk/agent.py

@@ -33,6 +33,7 @@
     DEFAULT_MODEL_EXTRA_CONFIG,
 )
 from veadk.evaluation import EvalSetRecorder
+from veadk.integrations.ve_identity import AuthRequestProcessor
 from veadk.knowledgebase import KnowledgeBase
 from veadk.memory.long_term_memory import LongTermMemory
 from veadk.memory.short_term_memory import ShortTermMemory
@@ -167,9 +168,11 @@ async def _run(
         session_id: str,
         message: types.Content,
         stream: bool,
+        auth_request_processor: AuthRequestProcessor,
     ):
         stream_mode = StreamingMode.SSE if stream else StreamingMode.NONE
 
+        @auth_request_processor.with_auth_loop(runner=runner, message=message)
         async def event_generator():
             async for event in runner.run_async(
                 user_id=user_id,
@@ -245,6 +248,7 @@ async def run(
         collect_runtime_data: bool = False,
         eval_set_id: str = "",
         save_session_to_memory: bool = False,
+        auth_request_processor: AuthRequestProcessor = AuthRequestProcessor(),
     ):
         """Running the agent. The runner and session service will be created automatically.
 
@@ -294,13 +298,15 @@ async def run(
         final_output = ""
         for _prompt in prompt:
             message = types.Content(role="user", parts=[types.Part(text=_prompt)])
-            final_output = await self._run(runner, user_id, session_id, message, stream)
+            final_output = await self._run(
+                runner, user_id, session_id, message, stream, auth_request_processor
+            )
 
         # VeADK features
         if save_session_to_memory:
-            assert self.long_term_memory is not None, (
-                "Long-term memory is not initialized in agent"
-            )
+            assert (
+                self.long_term_memory is not None
+            ), "Long-term memory is not initialized in agent"
             session = await session_service.get_session(
                 app_name=app_name,
                 user_id=user_id,

veadk/config.py

@@ -18,6 +18,7 @@
 from dotenv import find_dotenv, load_dotenv
 from pydantic import BaseModel, Field
 
+from veadk.configs.auth_configs import VeIdentityConfig
 from veadk.configs.database_configs import (
     MysqlConfig,
     OpensearchConfig,
@@ -64,6 +65,8 @@ class VeADKConfig(BaseModel):
         default_factory=VikingKnowledgebaseConfig
     )
 
+    veidentity: VeIdentityConfig = Field(default_factory=VeIdentityConfig)
+
 
 def getenv(
     env_name: str, default_value: Any = "", allow_false_values: bool = False
@@ -103,4 +106,4 @@ def getenv(
 else:
     logger.warning("No `config.yaml` file found.")
 
-settings = VeADKConfig()
+settings = VeADKConfig()

veadk/configs/auth_configs.py

@@ -0,0 +1,58 @@
+# Copyright (c) 2025 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+
+class VeIdentityConfig(BaseSettings):
+    """Configuration for VolcEngine Identity Service.
+    
+    This configuration class manages settings for Agent Identity service,
+    including region and endpoint information.
+    
+    Attributes:
+        region: The VolcEngine region for Identity service.
+        endpoint: The endpoint URL for Identity service API.
+                  If not provided, will be auto-generated based on region.
+    """
+    
+    model_config = SettingsConfigDict(env_prefix="VEIDENTITY_")
+    
+    region: str = "cn-beijing"
+    """The VolcEngine region for Identity service.
+    """
+    
+    endpoint: str = ""
+    """The endpoint URL for Identity service API.
+    
+    If not provided, the endpoint will be auto-generated based on the region.
+    """
+    
+    def get_endpoint(self) -> str:
+        """Get the endpoint URL for Identity service.
+        
+        Returns the configured endpoint if provided, otherwise generates
+        the endpoint based on the region.
+        
+        Returns:
+            The endpoint URL for Identity service API.
+            
+        Raises:
+            ValueError: If region is not supported.
+        """
+        if self.endpoint:
+            return self.endpoint
+        
+        return f"id.{self.region}.volces.com"
+

veadk/integrations/ve_identity/auth_config.py

@@ -27,14 +27,34 @@
 from veadk.integrations.ve_identity.identity_client import IdentityClient
 
 
+def _get_default_region() -> str:
+    """Get the default region from VeADK configuration.
+
+    Returns:
+        The configured region from VeIdentityConfig, or "cn-beijing" as fallback.
+    """
+    try:
+        from veadk.config import settings
+        return settings.veidentity.region
+    except Exception:
+        # Fallback to default if config loading fails
+        return "cn-beijing"
+
+
 class AuthConfig(BaseModel, ABC):
     """Base authentication configuration."""
 
     model_config = {"arbitrary_types_allowed": True}
 
     provider_name: str
     identity_client: Optional[IdentityClient] = None
-    region: str = "cn-beijing"
+    region: str = None  # Will be set to default from config if not provided
+
+    def __init__(self, **data):
+        """Initialize AuthConfig with default region from VeADK config if not provided."""
+        if 'region' not in data or data['region'] is None:
+            data['region'] = _get_default_region()
+        super().__init__(**data)
 
     @field_validator("provider_name")
     @classmethod
@@ -138,9 +158,20 @@ def auth_type(self) -> str:
 def api_key_auth(
     provider_name: str,
     identity_client: Optional[IdentityClient] = None,
-    region: str = "cn-beijing",
+    region: Optional[str] = None,
 ) -> ApiKeyAuthConfig:
-    """Create an API key authentication configuration."""
+    """Create an API key authentication configuration.
+
+    Args:
+        provider_name: Name of the credential provider.
+        identity_client: Optional IdentityClient instance.
+        region: VolcEngine region. If not provided, uses the region from VeADK config.
+
+    Returns:
+        ApiKeyAuthConfig instance.
+    """
+    if region is None:
+        region = _get_default_region()
     return ApiKeyAuthConfig(
         provider_name=provider_name, identity_client=identity_client, region=region
     )
@@ -149,9 +180,20 @@ def api_key_auth(
 def workload_auth(
     provider_name: str,
     identity_client: Optional[IdentityClient] = None,
-    region: str = "cn-beijing",
+    region: Optional[str] = None,
 ) -> WorkloadAuthConfig:
-    """Create a workload authentication configuration."""
+    """Create a workload authentication configuration.
+
+    Args:
+        provider_name: Name of the credential provider.
+        identity_client: Optional IdentityClient instance.
+        region: VolcEngine region. If not provided, uses the region from VeADK config.
+
+    Returns:
+        WorkloadAuthConfig instance.
+    """
+    if region is None:
+        region = _get_default_region()
     return WorkloadAuthConfig(
         provider_name=provider_name, identity_client=identity_client, region=region
     )
@@ -167,9 +209,27 @@ def oauth2_auth(
     on_auth_url: Optional[Callable[[str], Any]] = None,
     oauth2_auth_poller: Optional[Callable[[Any], OAuth2AuthPoller]] = None,
     identity_client: Optional[IdentityClient] = None,
-    region: str = "cn-beijing",
+    region: Optional[str] = None,
 ) -> OAuth2AuthConfig:
-    """Create an OAuth2 authentication configuration."""
+    """Create an OAuth2 authentication configuration.
+
+    Args:
+        provider_name: Name of the credential provider.
+        scopes: List of OAuth2 scopes.
+        auth_flow: Authentication flow type ("M2M" or "USER_FEDERATION").
+        callback_url: Optional callback URL for OAuth2.
+        force_authentication: Whether to force authentication.
+        response_for_auth_required: Response to return when auth is required.
+        on_auth_url: Callback function for auth URL.
+        oauth2_auth_poller: Callback function for auth polling.
+        identity_client: Optional IdentityClient instance.
+        region: VolcEngine region. If not provided, uses the region from VeADK config.
+
+    Returns:
+        OAuth2AuthConfig instance.
+    """
+    if region is None:
+        region = _get_default_region()
     return OAuth2AuthConfig(
         provider_name=provider_name,
         scopes=scopes,

veadk/integrations/ve_identity/auth_mixins.py

@@ -44,6 +44,7 @@
     ApiKeyAuthConfig,
     OAuth2AuthConfig,
     WorkloadAuthConfig,
+    _get_default_region,
 )
 from veadk.integrations.ve_identity.token_manager import get_workload_token
 
@@ -86,15 +87,16 @@ def __init__(
         *,
         provider_name: str,
         identity_client: Optional[IdentityClient] = None,
-        region: str = "cn-beijing",
+        region: Optional[str] = None,
         **kwargs,
     ):
         """Initialize the Identity authentication mixin.
 
         Args:
             provider_name: Name of the credential provider configured in identity service.
             identity_client: Optional IdentityClient instance. If not provided, creates a new one.
-            region: VolcEngine region for the identity client. Defaults to "cn-beijing".
+            region: VolcEngine region for the identity client. If not provided, uses the region
+                   from VeADK config. Defaults to "cn-beijing" if config is not available.
             **kwargs: Additional arguments passed to parent classes.
         """
         # Only pass kwargs to super() if we're in a multiple inheritance scenario
@@ -106,6 +108,10 @@ def __init__(
             # call it without arguments
             super().__init__()
 
+        # Use provided region or get from config
+        if region is None:
+            region = _get_default_region()
+
         self._identity_client = identity_client or IdentityClient(region=region)
         self._provider_name = provider_name
 
@@ -207,7 +213,7 @@ async def _get_credential(
             )
 
             # Fetch API key from identity service
-            api_key = await self._identity_client.get_api_key(
+            api_key = self._identity_client.get_api_key(
                 provider_name=self._provider_name,
                 agent_identity_token=workload_token,
             )
@@ -386,7 +392,7 @@ async def _get_oauth2_token_or_auth_url(
         )
 
         # Request OAuth2 token or auth URL
-        return await self._identity_client.get_oauth2_token_or_auth_url(
+        return self._identity_client.get_oauth2_token_or_auth_url(
             provider_name=self._provider_name,
             agent_identity_token=workload_token,
             auth_flow=self._auth_flow,
@@ -512,7 +518,7 @@ def _create_default_oauth2_poller(self, auth_uri: str, request_dict: dict):
         from veadk.integrations.ve_identity.auth_processor import _DefaultOauth2AuthPoller
 
         async def async_token_fetcher():
-            response = await self._identity_client.get_oauth2_token_or_auth_url(
+            response = self._identity_client.get_oauth2_token_or_auth_url(
                 **request_dict
             )
             return (