Add OAuth 2.0 Device Flow backend for CLI authentication (#11984)

Co-authored-by: openhands <openhands@all-hands.dev> Co-authored-by: Xingyao Wang <xingyao@all-hands.dev>
2026-01-09 14:57:59 -05:00 · 2025-12-16 11:54:01 -05:00
parent 2a98c95557
commit 7853b41add
15 changed files with 1901 additions and 5 deletions
--- a/enterprise/server/middleware.py
+++ b/enterprise/server/middleware.py
@@ -152,17 +152,22 @@ class SetAuthCookieMiddleware:
            return False
        path = request.url.path

-        is_api_that_should_attach = path.startswith('/api') and path not in (
+        ignore_paths = (
            '/api/options/config',
            '/api/keycloak/callback',
            '/api/billing/success',
            '/api/billing/cancel',
            '/api/billing/customer-setup-success',
            '/api/billing/stripe-webhook',
+            '/oauth/device/authorize',
+            '/oauth/device/token',
        )
+        if path in ignore_paths:
+            return False

        is_mcp = path.startswith('/mcp')
-        return is_api_that_should_attach or is_mcp
+        is_api_route = path.startswith('/api')
+        return is_api_route or is_mcp

    async def _logout(self, request: Request):
        # Log out of keycloak - this prevents issues where you did not log in with the idp you believe you used