github/genai-toolbox
1
0
Fork 0
mirror of https://github.com/googleapis/genai-toolbox.git synced 2026-02-11 23:55:07 -05:00
Code Issues Packages Projects Releases 14 Wiki Activity

feat!: deprecate authsource in favor of authservice (#297)

Browse Source 
Rename existing `authSource` to `authService` through deprecation.
`AuthService` more clearly distinguishes it from `Sources` objects.

`authSources` will be converted into `authServices` after the
unmarshalling process. A warning log is shown if `authSources` are used
(for both within tools parameters and defining auth services):
```
2025-02-20T13:57:51.156025-08:00 WARN "`authSources` is deprecated, use `authServices` for parameters instead"
2025-02-20T13:57:51.156569-08:00 WARN "`authSources` is deprecated, use `authServices` instead"
2025-02-20T13:57:52.047584-08:00 INFO "Initialized 1 sources."
...
```

The manifest generated will continue to use `authSources` to keep
compatibility with the sdks:
```
{
"serverVersion":"0.1.0",
"tools":{
  "test_tool2":{
    "description":"Use this tool to test\n",
    "parameters":[{
      "name":"user_id",
      "type":"string",
      "description":"Auto-populated from Google login",
      "authSources":["my-google-auth"]
      }]
    }
  }
}
```



Test cases with `authSources` are kept for compatibility. Will be
removed when `authSources` are no longer supported.
This commit is contained in:
Yuan
2025-02-21 18:36:04 -08:00
committed by GitHub
parent df28036b84
commit 04cb5fbc3e
28 changed files with 561 additions and 248 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
docs/en/resources/authSources/_index.md → docs/en/resources/authServices/_index.md
View File

@@ -1,12 +1,12 @@
---
title: "AuthSources"
title: "AuthServices"
type: docs
weight: 1
description: >
AuthSources represent services that handle authentication and authorization.
AuthServices represent services that handle authentication and authorization.
---
AuthSources represent services that handle authentication and authorization. It
AuthServices represent services that handle authentication and authorization. It
can primarily be used by [Tools](../tools) in two different ways:
- [**Authorized Invocation**][auth-invoke] is when a tool
@@ -32,7 +32,7 @@ If you are accessing Toolbox with multiple applications, each
{{< /notice >}}
```yaml
authSources:
authServices:
my_auth_app_1:
kind: google
clientId: YOUR_CLIENT_ID_1
@@ -41,17 +41,17 @@ authSources:
clientId: YOUR_CLIENT_ID_2
```
After you've configured an `authSource` you'll, need to reference it in the
After you've configured an `authService` you'll, need to reference it in the
configuration for each tool that should use it:
- **Authorized Invocations** for authorizing a tool call, [use the
`requiredAuth` field in a tool config][auth-invoke]
- **Authenticated Parameters** for using the value from a ODIC claim, [use the
`authSources` field in a parameter config][auth-params]
`authServices` field in a parameter config][auth-params]
## Specifying ID Tokens from Clients
After [configuring](#example) your `authSources` section, use a Toolbox SDK to
After [configuring](#example) your `authServices` section, use a Toolbox SDK to
add your ID tokens to the header of a Tool invocation request. When specifying a
token you will provide a function (that returns an id). This function is called
when the tool is invoked. This allows you to cache and refresh the ID token as
@@ -89,4 +89,4 @@ authorized_tool = tools[0].add_auth_tokens({
{{< /tab >}}
{{< /tabpane >}}
## Kinds of Auth Sources
## Kinds of Auth Services

6
docs/en/resources/authSources/google.md → docs/en/resources/authServices/google.md
View File

@@ -12,7 +12,7 @@ Google Sign-In manages the OAuth 2.0 flow and token lifecycle. To integrate the
Google Sign-In workflow to your web app [follow this guide][gsi-setup].
After setting up the Google Sign-In workflow, you should have registered your
application and retrieved a [Client ID][client-id]. Configure your auth source
application and retrieved a [Client ID][client-id]. Configure your auth service
in with the `Client ID`.
[gsi-setup]: https://developers.google.com/identity/sign-in/web/sign-in
@@ -31,7 +31,7 @@ ID.
### Authenticated Parameters
When using [Authenticated Parameters][auth-params], any [claim provided by the
id-token][provided-claims] can be used as a source for the parameter.
id-token][provided-claims] can be used for the parameter.
[auth-params]: ../tools/#authenticated-phugarameters
[provided-claims]:
@@ -40,7 +40,7 @@ id-token][provided-claims] can be used as a source for the parameter.
## Example
```yaml
authSources:
authServices:
my-google-auth:
kind: google
clientId: YOUR_GOOGLE_CLIENT_ID

12
docs/en/resources/tools/_index.md
View File

@@ -115,7 +115,7 @@ Authenticated parameters are automatically populated with user
information decoded from [ID tokens](../authsources/#specifying-id-tokens-from-clients) that
are passed in request headers. They do not take input values in request bodies
like other parameters. To use authenticated parameters, you must configure
the tool to map the required [authSources](../authsources) to
the tool to map the required [authServices](../authservices) to
specific claims within the user's ID token.
```yaml
@@ -129,8 +129,8 @@ specific claims within the user's ID token.
- name: user_id
type: string
description: Auto-populated from Google login
authSources:
# Refer to one of the `authSources` defined
authServices:
# Refer to one of the `authServices` defined
- name: my-google-auth
# `sub` is the OIDC claim field for user ID
field: sub
@@ -138,14 +138,14 @@ specific claims within the user's ID token.
| **field** | **type** | **required** | **description** |
|-----------|:--------:|:------------:|-----------------------------------------------------------------------------------------|
| name | string | true | Name of the [authSources](../authsources) used to verify the OIDC auth token. |
| name | string | true | Name of the [authServices](../authservices) used to verify the OIDC auth token. |
| field | string | true | Claim field decoded from the OIDC token used to auto-populate this parameter. |
## Authorized Invocations
You can require an authorization check for any Tool invocation request by
specifying an `authRequired` field. Specify a list of
[authSources](../authsources) defined in the previous section.
[authServices](../authservices) defined in the previous section.
```yaml
tools:
@@ -154,7 +154,7 @@ tools:
source: my-pg-instance
statement: |
SELECT * FROM flights
# A list of `authSources` defined previously
# A list of `authServices` defined previously
authRequired:
- my-google-auth
- other-auth-service