-
Notifications
You must be signed in to change notification settings - Fork 56
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: move AuthSources to new docsite (#236)
Migrations the AuthSources parts of the documentation to the new docsite.
- Loading branch information
Showing
7 changed files
with
154 additions
and
113 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,6 @@ | ||
| github.com/FortAwesome/Font-Awesome v0.0.0-20240716171331-37eff7fa00de/go.mod h1:IUgezN/MFpCDIlFezw3L8j83oeiIuYoj28Miwr/KUYo= | ||
| github.com/google/docsy v0.11.0 h1:QnV40cc28QwS++kP9qINtrIv4hlASruhC/K3FqkHAmM= | ||
| github.com/google/docsy v0.11.0/go.mod h1:hGGW0OjNuG5ZbH5JRtALY3yvN8ybbEP/v2iaK4bwOUI= | ||
| github.com/martignoni/hugo-notice v0.0.0-20240707105359-40327ac00cc4 h1:lxS0B1ta9/uW+orrnvsGHMCC0TgN4DymEgdlb0PL/uU= | ||
| github.com/martignoni/hugo-notice v0.0.0-20240707105359-40327ac00cc4/go.mod h1:MIQPOMgEcbyRC0gNLzQFSgrS+wIy3RuQ/HbaZYtTOKU= | ||
| github.com/twbs/bootstrap v5.3.3+incompatible/go.mod h1:fZTSrkpSf0/HkL0IIJzvVspTt1r9zuf7XlZau8kpcY0= |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| --- | ||
| title: "AuthSources" | ||
| type: docs | ||
| weight: 1 | ||
| description: > | ||
| AuthSources represent services that handle authentication and authorization. | ||
| --- | ||
|
|
||
| AuthSources represent services that handle authentication and authorization. It | ||
| can primarily be used by [Tools](../tools) in two different ways: | ||
|
|
||
| - [**Authorized Invocation**][auth-invoke] is when a tool | ||
| to be validate by the auth service before the call can be invoked. Toolbox | ||
| will rejected an calls that fail to validate or have an invalid token. | ||
| - [**Authenticated Parameters**][auth-paramsgit ] replace the | ||
| value of a parameter with a field from an [OIDC][openid-claims] claim. Toolbox | ||
| will automatically resolve the ID token provided by the client and replace the | ||
| parameter in the tool call. | ||
|
|
||
| [openid-claims]: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims | ||
| [auth-invoke]: ../tools/#authorized-invocations | ||
| [auth-params]: ../tools/#authenticated-parameters | ||
|
|
||
| ## Example | ||
|
|
||
| The following configurations are placed at the top level of a `tools.yaml` file. | ||
|
|
||
| {{< notice tip >}} | ||
| If you are accessing Toolbox with multiple applications, each | ||
| application should register their own Client ID even if they use the same | ||
| "kind" of auth provider. | ||
| {{< /notice >}} | ||
|
|
||
| ```yaml | ||
| authSources: | ||
| my_auth_app_1: | ||
| kind: google | ||
| clientId: YOUR_CLIENT_ID_1 | ||
| my_auth_app_2: | ||
| kind: google | ||
| clientId: YOUR_CLIENT_ID_2 | ||
| ``` | ||
| After you've configured an `authSource` you'll, need to reference it in the | ||
| configuration for each tool that should use it: | ||
| - **Authorized Invocations** for authorizing a tool call, [use the | ||
| `requiredAuth` field in a tool config][auth-invoke] | ||
| - **Authenticated Parameters** for using the value from a ODIC claim, [use the | ||
| `authSources` field in a parameter config][auth-params] | ||
|
|
||
|
|
||
| ## Specifying ID Tokens from Clients | ||
|
|
||
| After [configuring](#example) your `authSources` section, use a Toolbox SDK to | ||
| add your ID tokens to the header of a Tool invocation request. When specifying a | ||
| token you will provide a function (that returns an id). This function is called | ||
| when the tool is invoked. This allows you to cache and refresh the ID token as | ||
| needed. | ||
|
|
||
| ### Specifying tokens during load | ||
| {{< tabpane >}} | ||
| {{< tab header="LangChain" lang="Python" >}} | ||
| async def get_auth_token(): | ||
| # ... Logic to retrieve ID token (e.g., from local storage, OAuth flow) | ||
| # This example just returns a placeholder. Replace with your actual token retrieval. | ||
| return "YOUR_ID_TOKEN" # Placeholder | ||
|
|
||
| # for a single tool use: | ||
| authorized_tool = await toolbox.load_tool("my-tool-name", auth_tokens={"my_auth": get_auth_token}) | ||
|
|
||
| # for a toolset use: | ||
| authorized_tools = await toolbox.load_toolset("my-toolset-name", auth_tokens={"my_auth": get_auth_token}) | ||
| {{< /tab >}} | ||
| {{< /tabpane >}} | ||
|
|
||
|
|
||
| ### Specifying tokens for existing tools | ||
|
|
||
| {{< tabpane >}} | ||
| {{< tab header="LangChain" lang="Python" >}} | ||
| tools = await toolbox.load_toolset() | ||
| # for a single token | ||
| auth_tools = [tool.add_auth_token("my_auth", get_auth_token) for tool in tools] | ||
| # OR, if multiple tokens are needed | ||
| authorized_tool = tools[0].add_auth_tokens({ | ||
| "my_auth1": get_auth1_token, | ||
| "my_auth2": get_auth2_token, | ||
| }) | ||
| {{< /tab >}} | ||
| {{< /tabpane >}} | ||
|
|
||
| ## Kinds of Auth Sources |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| --- | ||
| title: "Google Sign-In" | ||
| type: docs | ||
| weight: 1 | ||
| description: > | ||
| Use Google Sign-In for Oauth 2.0 flow and token lifecycle. | ||
| --- | ||
|
|
||
| ## Getting Started | ||
|
|
||
| Google Sign-In manages the OAuth 2.0 flow and token lifecycle. To integrate the | ||
| Google Sign-In workflow to your web app [follow this guide][gsi-setup]. | ||
|
|
||
| After setting up the Google Sign-In workflow, you should have registered your | ||
| application and retrieved a [Client ID][client-id]. Configure your auth source | ||
| in with the `Client ID`. | ||
|
|
||
| [gsi-setup]: https://developers.google.com/identity/sign-in/web/sign-in | ||
| [client-id]: https://developers.google.com/identity/sign-in/web/sign-in#create_authorization_credentials | ||
|
|
||
| ## Behavior | ||
|
|
||
| ### Authorized Invocations | ||
|
|
||
| When using [Authorized Invocations][auth-invoke], a tool will be | ||
| considered authorized if it has a valid Oauth 2.0 token that matches the Client | ||
| ID. | ||
|
|
||
| [auth-invoke]: ../tools/#authorized-invocations | ||
|
|
||
| ### Authenticated Parameters | ||
|
|
||
| When using [Authenticated Parameters][auth-params], any [claim provided by the | ||
| id-token][provided-claims] can be used as a source for the parameter. | ||
|
|
||
| [auth-params]: ../tools/#authenticated-phugarameters | ||
| [provided-claims]: | ||
| https://developers.google.com/identity/openid-connect/openid-connect#obtaininguserprofileinformation | ||
|
|
||
| ## Example | ||
|
|
||
| ```yaml | ||
| authSources: | ||
| my-google-auth: | ||
| kind: google | ||
| clientId: YOUR_GOOGLE_CLIENT_ID | ||
| ``` | ||
| ## Reference | ||
| | **field** | **type** | **required** | **description** | | ||
| |-----------|:--------:|:------------:|------------------------------------------------------------------| | ||
| | kind | string | true | Must be "google". | | ||
| | clientId | string | true | Client ID of your application from registering your application. | |