8b68764ef6
The wording for `Authorized Invocations` reads a bit funny and has a typo. Updating it to make a bit more sense and fixing a couple other typos around auth.
4.2 KiB
title, type, weight, description
| title | type | weight | description |
|---|---|---|---|
| AuthServices | docs | 1 | AuthServices represent services that handle authentication and authorization. |
AuthServices represent services that handle authentication and authorization. It can primarily be used by Tools in two different ways:
- Authorized Invocation is when a tool is validated by the auth service before the call can be invoked. Toolbox will reject any calls that fail to validate or have an invalid token.
- Authenticated Parameters replace the value of a parameter with a field from an OIDC claim. Toolbox will automatically resolve the ID token provided by the client and replace the parameter in the tool call.
Example
The following configurations are placed at the top level of a tools.yaml file.
{{< notice tip >}} If you are accessing Toolbox with multiple applications, each application should register their own Client ID even if they use the same "kind" of auth provider. {{< /notice >}}
authServices:
my_auth_app_1:
kind: google
clientId: ${YOUR_CLIENT_ID_1}
my_auth_app_2:
kind: google
clientId: ${YOUR_CLIENT_ID_2}
{{< notice tip >}} Use environment variable replacement with the format ${ENV_NAME} instead of hardcoding your secrets into the configuration file. {{< /notice >}}
After you've configured an authService you'll, need to reference it in the
configuration for each tool that should use it:
- Authorized Invocations for authorizing a tool call, use the
authRequiredfield in a tool config - Authenticated Parameters for using the value from a OIDC claim, use the
authServicesfield in a parameter config
Specifying ID Tokens from Clients
After configuring your authServices section, use a Toolbox SDK to
add your ID tokens to the header of a Tool invocation request. When specifying a
token you will provide a function (that returns an id). This function is called
when the tool is invoked. This allows you to cache and refresh the ID token as
needed.
Specifying tokens during load
{{< tabpane persist=header >}} {{< tab header="LangChain" lang="Python" >}} async def get_auth_token(): # ... Logic to retrieve ID token (e.g., from local storage, OAuth flow) # This example just returns a placeholder. Replace with your actual token retrieval. return "YOUR_ID_TOKEN" # Placeholder
for a single tool use
authorized_tool = toolbox.load_tool("my-tool-name", auth_tokens={"my_auth": get_auth_token})
for a toolset use
authorized_tools = toolbox.load_toolset("my-toolset-name", auth_tokens={"my_auth": get_auth_token}) {{< /tab >}} {{< tab header="Llamaindex" lang="Python" >}} async def get_auth_token(): # ... Logic to retrieve ID token (e.g., from local storage, OAuth flow) # This example just returns a placeholder. Replace with your actual token retrieval. return "YOUR_ID_TOKEN" # Placeholder
for a single tool use
authorized_tool = toolbox.load_tool("my-tool-name", auth_tokens={"my_auth": get_auth_token})
for a toolset use
authorized_tools = toolbox.load_toolset("my-toolset-name", auth_tokens={"my_auth": get_auth_token}) {{< /tab >}} {{< /tabpane >}}
Specifying tokens for existing tools
{{< tabpane persist=header >}} {{< tab header="LangChain" lang="Python" >}} tools = toolbox.load_toolset()
for a single token
auth_tools = [tool.add_auth_token("my_auth", get_auth_token) for tool in tools]
OR, if multiple tokens are needed
authorized_tool = tools[0].add_auth_tokens({ "my_auth1": get_auth1_token, "my_auth2": get_auth2_token, }) {{< /tab >}} {{< tab header="Llamaindex" lang="Python" >}} tools = toolbox.load_toolset()
for a single token
auth_tools = [tool.add_auth_token("my_auth", get_auth_token) for tool in tools]
OR, if multiple tokens are needed
authorized_tool = tools[0].add_auth_tokens({ "my_auth1": get_auth1_token, "my_auth2": get_auth2_token, }) {{< /tab >}} {{< /tabpane >}}