[SC-15741] Pluggable OIDC credentials backend for library auth #532
jamadriz wants to merge 1 commit into
…oyments Optional enterprise security enhancement: deployments can store OIDC device-flow tokens in a custom secret store (keychain, Vault, etc.) or use memory-only sessions, while the default ~/.validmind/credentials.json file cache remains unchanged for standard notebook use.

- OidcCredentialsBackend protocol with File and Memory backends
- credentials_backend on vm.init(), env-based registration, clear_oidc_credentials()
- Tests and docs (oidc-device-flow-release-notes, docs/local design note)

Co-authored-by: Cursor <cursoragent@cursor.com>
3f368d4 to bbff5cc
PR Summary

This pull request introduces a pluggable backend adapter for persisting OIDC credentials in the ValidMind library. The core change allows users to swap out the default filesystem storage (using

Key functional changes include:

• The introduction of the OIDC credentials backend protocol, which defines a simple storage interface with
• Multiple built-in backend implementations:
• Enhanced configuration and resolution logic that supports explicit backend specification as a parameter, a process-wide default, or via environment variables (e.g.,
• Updates to the token obtaining and caching workflow in the API client. The new backend adapter is now threaded through token retrieval, caching, and clearing functions, ensuring consistency in how tokens are stored and removed.
• Comprehensive updates to tests to verify the functionality and integration of the new backend implementations. These tests cover token storage round-trips, environment-variable-based backend resolution, and the proper handling of token cleanup.

Overall, these changes provide enhanced flexibility and security for deployments with different credential storage requirements, without altering the underlying OIDC device flow and refresh logic.
What and why?
This PR adds an enterprise security enhancement: pluggable OIDC credential storage for deployments that need tokens in an approved secret store (OS keychain, Vault, etc.) or memory-only sessions on shared Jupyter hosts — rather than the default local file cache.
The default remains ~/.validmind/credentials.json with user-only permissions, which continues to work well for individual development and notebook use. Organizations with stricter policies can opt in without forking the library.

This PR introduces a storage-only adapter. OIDC discovery, device flow, refresh, and Bearer headers remain owned by the SDK.
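To make the storage-only contract concrete, here is an added illustration (not ValidMind's code) of the shape this PR describes: a backend exposing get/put/delete keyed by credential_key, a memory-only implementation, and resolution of VM_OIDC_CREDENTIALS_BACKEND / VM_OIDC_NO_PERSIST. The exact method signatures, the precedence between the explicit argument and the env vars, and JSON as the format of VM_OIDC_CREDENTIALS_BACKEND_KWARGS are assumptions.

```python
import importlib
import json
from typing import Any, Dict, Optional, Protocol


class OidcCredentialsBackend(Protocol):
    """Storage-only contract: discovery, device flow and refresh stay in the SDK."""
    def get(self, credential_key: str) -> Optional[Dict[str, Any]]: ...
    def put(self, credential_key: str, tokens: Dict[str, Any]) -> None: ...
    def delete(self, credential_key: str) -> None: ...


class MemoryCredentialsBackend:
    """Process-local store: nothing reaches disk, so every new process re-authenticates."""
    def __init__(self) -> None:
        self._store: Dict[str, Dict[str, Any]] = {}

    def get(self, credential_key: str) -> Optional[Dict[str, Any]]:
        return self._store.get(credential_key)

    def put(self, credential_key: str, tokens: Dict[str, Any]) -> None:
        self._store[credential_key] = dict(tokens)  # copy so callers cannot mutate the cache

    def delete(self, credential_key: str) -> None:
        self._store.pop(credential_key, None)  # idempotent, like a cache wipe should be


def load_backend_spec(spec: str, kwargs_json: str = "") -> Any:
    """Instantiate 'module.path:ClassName'; JSON-encoded kwargs is an assumed format."""
    module_path, sep, class_name = spec.partition(":")
    if not sep or not module_path or not class_name:
        raise ValueError(f"expected 'module.path:ClassName', got {spec!r}")
    cls = getattr(importlib.import_module(module_path), class_name)
    return cls(**(json.loads(kwargs_json) if kwargs_json else {}))


def resolve_backend(env: Dict[str, str], explicit: Optional[Any] = None) -> Optional[Any]:
    """Assumed precedence: explicit vm.init() argument, then env vars; None = default file cache."""
    if explicit is not None:
        return explicit
    if env.get("VM_OIDC_NO_PERSIST") == "1":
        return MemoryCredentialsBackend()
    spec = env.get("VM_OIDC_CREDENTIALS_BACKEND")
    if spec:
        return load_backend_spec(spec, env.get("VM_OIDC_CREDENTIALS_BACKEND_KWARGS", ""))
    return None
```

A Vault or keychain integration would implement the same three methods and be registered by module path; the SDK-side token logic never needs to know which store is behind them.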
Before: OIDC tokens always persisted to ~/.validmind/credentials.json.

After: Default behavior unchanged. Deployments that need it can also:
- pass credentials_backend= to vm.init()
- set VM_OIDC_CREDENTIALS_BACKEND=module.path:ClassName (+ optional VM_OIDC_CREDENTIALS_BACKEND_KWARGS)
- set VM_OIDC_NO_PERSIST=1 for memory-only storage (re-auth each process)
- call clear_oidc_credentials() to wipe the active session cache

How to test
cd validmind-library
uv run python -m unittest tests.test_credentials_backend tests.test_credentials_store tests.test_api_client.TestAPIClientOIDC -v

Manual: implement a trivial backend, pass it to vm.init(..., credentials_backend=...), and confirm tokens round-trip without creating ~/.validmind/credentials.json.

What needs special review?
- get/put/delete keyed by credential_key) — sufficient for Vault/keychain integrations?
- VM_OIDC_CREDENTIALS_BACKEND) for JupyterHub injection
- docs/local/oidc_credentials_backend_adapter.md should stay in-repo or move to product docs

Dependencies, breaking changes, and deployment notes
- vm.init() (no backend changes required).
- ~/.validmind/credentials.json.
- VM_OIDC_CREDENTIALS_BACKEND, VM_OIDC_CREDENTIALS_BACKEND_KWARGS, VM_OIDC_NO_PERSIST.

Release notes
Enhancement: OIDC library authentication supports an optional pluggable credentials backend for enterprise deployments. Store device-flow tokens in a custom secret store via credentials_backend or VM_OIDC_CREDENTIALS_BACKEND, or use memory-only storage with VM_OIDC_NO_PERSIST=1. Default local file caching is unchanged.