legate 0.1.0

data/public/docs/authentication/guides/oidc.md

@@ -0,0 +1,241 @@
+# OpenID Connect Authentication
+
+OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that allows clients to verify the identity of end-users. The Legate Ruby library provides comprehensive support for OpenID Connect authentication.
+
+## Overview
+
+OpenID Connect extends OAuth 2.0 with identity verification functionality, allowing applications to:
+
+- Authenticate users with an identity provider
+- Obtain basic profile information about the user
+- Receive verified identity information via a JWT (JSON Web Token) called an ID token
+- Access additional user information via standardized endpoints
+
+## Configuration
+
+### Creating an OpenID Connect Scheme
+
+There are two main ways to configure an OpenID Connect scheme:
+
+#### Using Discovery
+
+The simplest approach is to use OpenID Connect Discovery, which automatically fetches configuration:
+
+```ruby
+# Configure using the provider's discovery URL
+scheme = Legate::Auth::Schemes::OpenIDConnect.new(
+  discovery_url: 'https://accounts.google.com/.well-known/openid-configuration'
+)
+
+# Alternatively, specify the provider URI
+scheme = Legate::Auth::Schemes::OpenIDConnect.new(
+  provider_uri: 'https://accounts.google.com'
+)
+```
+
+#### Manual Configuration
+
+You can also manually specify all the necessary endpoints:
+
+```ruby
+# Configure by explicitly providing all endpoints
+scheme = Legate::Auth::Schemes::OpenIDConnect.new(
+  authorization_url: 'https://accounts.google.com/o/oauth2/auth',
+  token_url: 'https://oauth2.googleapis.com/token',
+  userinfo_url: 'https://openidconnect.googleapis.com/v1/userinfo',
+  jwks_url: 'https://www.googleapis.com/oauth2/v3/certs',
+  scopes: ['openid', 'profile', 'email']
+)
+```
+
+### Creating an OpenID Connect Credential
+
+```ruby
+# Basic OpenID Connect credential (use :oidc — :openid_connect is not a
+# valid credential auth_type and would raise CredentialError)
+credential = Legate::Auth::Credential.new(
+  auth_type: :oidc,
+  client_id: ENV['CLIENT_ID'],
+  client_secret: ENV['CLIENT_SECRET']
+)
+
+# With additional options
+credential = Legate::Auth::Credential.new(
+  auth_type: :oidc,
+  client_id: ENV['CLIENT_ID'],
+  client_secret: ENV['CLIENT_SECRET'],
+  additional_params: {
+    'prompt' => 'login'  # Force user to re-authenticate
+  }
+)
+```
+
+## Authentication Flow
+
+The OpenID Connect authentication flow is similar to the OAuth 2.0 authorization code flow, with added identity verification:
+
+```ruby
+# 1. Configure the OpenID Connect scheme using discovery
+scheme = Legate::Auth::Schemes::OpenIDConnect.new(
+  discovery_url: 'https://accounts.google.com/.well-known/openid-configuration',
+  scopes: ['openid', 'profile', 'email']
+)
+
+# 2. Configure the credential (use :oidc — :openid_connect is not a valid
+#    credential auth_type and would raise CredentialError)
+credential = Legate::Auth::Credential.new(
+  auth_type: :oidc,
+  client_id: ENV['CLIENT_ID'],
+  client_secret: ENV['CLIENT_SECRET']
+)
+
+# 3. Build the authorization URI via a Config and redirect the user
+config = Legate::Auth::Config.new(scheme: scheme, credential: credential)
+state = SecureRandom.hex(16)
+auth_url = config.build_authorization_uri('https://your-app.com/callback', state)
+# redirect_to auth_url
+
+# 4. On the callback, set the response URI on the config
+config.response_uri = 'https://your-app.com/callback?code=12345&state=abcde'
+
+# 5. Exchange the authorization code for tokens (includes an ID token)
+token = scheme.exchange_token(config, credential)
+puts token[:access_token]
+puts token[:id_token]
+```
+
+> This shows the direct `Config`/scheme flow. Tools can also drive OIDC
+> interactively via `context.with_authentication` (see
+> [`ToolContextExtension`](../api_reference/tool_context_extension)).
+
+## Key OpenID Connect Features
+
+### ID Token
+
+The ID token is a JWT containing verified information about the user:
+
+```ruby
+# The token exchange process returns an ID token automatically
+# In an ExchangedCredential, you can access it as:
+id_token = exchanged_credential[:id_token]
+
+# To decode and verify the token
+require 'jwt'
+decoded_token = JWT.decode(id_token, nil, false)[0]
+
+# To access claims
+user_email = decoded_token['email']
+name = decoded_token['name']
+```
+
+### UserInfo Endpoint
+
+For more detailed user information, you can call the UserInfo endpoint:
+
+```ruby
+# Get an access token
+access_token = exchanged_credential[:access_token]
+
+# Create the scheme (or use existing one)
+scheme = Legate::Auth::Schemes::OpenIDConnect.new(
+  discovery_url: 'https://accounts.google.com/.well-known/openid-configuration'
+)
+
+# Fetch user information
+user_info = scheme.get_userinfo(access_token)
+
+# Access user data
+email = user_info['email']
+name = user_info['name']
+picture = user_info['picture']
+```
+
+## Provider-Specific Configurations
+
+### Google OpenID Connect
+
+```ruby
+scheme = Legate::Auth::Schemes::OpenIDConnect.new(
+  discovery_url: 'https://accounts.google.com/.well-known/openid-configuration',
+  scopes: ['openid', 'profile', 'email'],
+  additional_params: {
+    'prompt' => 'consent',
+    'access_type' => 'offline'
+  }
+)
+```
+
+### Microsoft Azure OpenID Connect
+
+```ruby
+tenant_id = 'common'  # Use 'common' for multi-tenant, or a specific tenant ID
+
+scheme = Legate::Auth::Schemes::OpenIDConnect.new(
+  discovery_url: "https://login.microsoftonline.com/#{tenant_id}/v2.0/.well-known/openid-configuration",
+  scopes: ['openid', 'profile', 'email', 'offline_access']
+)
+```
+
+### Auth0
+
+```ruby
+domain = 'your-domain.auth0.com'
+
+scheme = Legate::Auth::Schemes::OpenIDConnect.new(
+  discovery_url: "https://#{domain}/.well-known/openid-configuration",
+  scopes: ['openid', 'profile', 'email']
+)
+```
+
+## Security Considerations
+
+- **Nonce Verification**: The library automatically adds a nonce parameter to prevent replay attacks
+- **ID Token Validation**: Always verify the ID token signature, issuer, audience, and expiration
+- **Scopes**: Request only the scopes your application needs
+- **Secure Storage**: Tokens are cached in scoped session state as plaintext; for at-rest encryption, apply the opt-in `Legate::Auth::Encryption` module yourself
+
+## Advanced Features
+
+### PKCE (Proof Key for Code Exchange)
+
+```ruby
+# PKCE is enabled by default
+scheme = Legate::Auth::Schemes::OpenIDConnect.new(
+  discovery_url: 'https://accounts.google.com/.well-known/openid-configuration',
+  use_pkce: true  # This is the default
+)
+```
+
+### Prompt Parameter
+
+Control the authentication experience using the prompt parameter:
+
+```ruby
+scheme = Legate::Auth::Schemes::OpenIDConnect.new(
+  discovery_url: 'https://accounts.google.com/.well-known/openid-configuration',
+  additional_params: {
+    'prompt' => 'login'  # Options: none, login, consent, select_account
+  }
+)
+```
+
+## Troubleshooting
+
+If you encounter issues with OpenID Connect authentication:
+
+- Ensure 'openid' is included in the requested scopes
+- Verify that your client is properly registered with the identity provider
+- Check that redirect URIs exactly match those registered with the provider
+- See the [OpenID Connect Troubleshooting Guide](../troubleshooting/oidc_issues) for detailed solutions
+
+## Related Topics
+
+- [OAuth2 Authentication](./oauth2) - Learn more about the underlying OAuth2 protocol
+- [Service Account Authentication](./service_account) - Use service accounts for server-to-server authentication
+- [Token Lifecycle Management](./token_lifecycle) - Advanced token management techniques
+
+## Next Steps
+
+- [OAuth2 Authentication](./oauth2): Learn more about the underlying OAuth2 protocol
+- [Service Account Authentication](./service_account): Use service accounts for server-to-server authentication
+- [Token Lifecycle Management](./token_lifecycle): Advanced token management techniques 

data/public/docs/authentication/guides/overview.md

@@ -0,0 +1,155 @@
+# Authentication Overview
+
+## Introduction
+
+The Legate Ruby authentication system provides a comprehensive framework for handling authentication with external APIs. It supports various authentication methods including:
+
+- API Key authentication
+- HTTP Bearer token authentication
+- OAuth2 authentication
+- OpenID Connect (OIDC) authentication
+- Service Account authentication
+
+The system is designed to handle both interactive authentication flows (like OAuth2, which requires user consent) and non-interactive flows (like API Keys), with a unified interface.
+
+## Core Concepts
+
+### Authentication Schemes
+
+An authentication scheme (`Legate::Auth::Scheme`) defines how an API expects credentials to be provided. Each scheme implements:
+
+- How to apply authentication to requests
+- How to exchange initial credentials for tokens (if applicable)
+- How to refresh tokens (if applicable)
+- How to build authorization URIs for interactive flows
+
+The Legate Ruby library includes the following authentication schemes:
+
+- `Legate::Auth::Schemes::ApiKey`: For API key authentication (in header, query, or cookie)
+- `Legate::Auth::Schemes::HTTPBearer`: For Bearer token authentication
+- `Legate::Auth::Schemes::OAuth2`: For OAuth2 authentication flows
+- `Legate::Auth::Schemes::OpenIDConnect`: For OpenID Connect authentication
+- `Legate::Auth::Schemes::ServiceAccount`: For service account authentication
+- `Legate::Auth::Schemes::GoogleServiceAccount`: For Google Cloud service accounts
+
+### Credentials
+
+A credential (`Legate::Auth::Credential`) contains the initial information needed to start authentication:
+
+- API Keys
+- OAuth2 client ID and client secret
+- Bearer tokens
+- Service account keys
+
+Credentials can be provided directly or through environment variables, which is recommended for sensitive information.
+
+### Token Exchange
+
+For authentication methods like OAuth2, the initial credential must be exchanged for a token:
+
+1. The initial credential (e.g., client ID and secret) is used to start the authentication flow
+2. The flow results in an exchanged credential (`Legate::Auth::ExchangedCredential`)
+3. The exchanged credential contains access tokens, refresh tokens, and expiry information
+
+### Authentication Flows
+
+#### Non-Interactive Flow (API Key, Bearer Token)
+
+```ruby
+# Create an API Key scheme (no constructor arguments)
+scheme = Legate::Auth::Schemes::ApiKey.new
+
+# Create a credential with the API key. The key's location ('header',
+# 'query', or 'cookie') and name live on the credential, not the scheme.
+credential = Legate::Auth::Credential.new(
+  auth_type: :api_key,
+  api_key: ENV['API_KEY'],
+  location: 'header',   # default
+  name: 'X-API-Key'     # default
+)
+
+# Attach the scheme/credential to your outbound HTTP client. The simplest
+# path is the Excon connection helper, which applies the API key for you:
+connection = Legate::Auth.create_connection('https://api.example.com',
+  scheme: scheme,
+  credential: credential
+)
+response = connection.get(path: '/protected-resource')
+```
+
+#### Interactive Flow (OAuth2, OIDC)
+
+```ruby
+# Create an OAuth2 scheme
+scheme = Legate::Auth::Schemes::OAuth2.new(
+  authorization_url: 'https://auth.example.com/authorize',
+  token_url: 'https://auth.example.com/token',
+  scopes: ['profile', 'email']
+)
+
+# Create a credential with client ID and secret
+credential = Legate::Auth::Credential.new(
+  auth_type: :oauth2,
+  client_id: ENV['CLIENT_ID'],
+  client_secret: ENV['CLIENT_SECRET']
+)
+
+# Drive the interactive flow via Config:
+# 1. Build the authorization URI and redirect the user to it
+config = Legate::Auth::Config.new(scheme: scheme, credential: credential)
+state = SecureRandom.hex(16)
+auth_uri = config.build_authorization_uri('https://your-app.com/callback', state)
+# redirect_to auth_uri
+
+# 2. When the user is redirected back, set the response URI on the config
+config.response_uri = 'https://your-app.com/callback?code=12345&state=abcde'
+
+# 3. Exchange the authorization code for tokens
+token = scheme.exchange_token(config, credential)
+
+# `token` is an ExchangedCredential you can store and apply to requests.
+```
+
+> The fiber-based, tool-driven flow (where a tool's `with_authentication`
+> block yields an auth request to the caller) is also supported; see
+> [`Legate::Auth::ToolContextExtension`](../api_reference/tool_context_extension).
+
+#### Service Account Flow
+
+```ruby
+# Create a Service Account scheme
+scheme = Legate::Auth::Schemes::GoogleServiceAccount.new(
+  scopes: ['https://www.googleapis.com/auth/cloud-platform']
+)
+
+# Create a credential with the service account key (raw JSON string)
+credential = Legate::Auth::Credential.new(
+  auth_type: :google_service_account,
+  service_account_key: File.read('service-account.json')
+)
+
+# Exchange for an access token and apply it to outbound requests
+token = scheme.exchange_token(credential)
+connection = Legate::Auth.create_connection('https://api.example.com',
+  scheme: scheme,
+  credential: token
+)
+result = connection.get(path: '/resource')
+```
+
+## Security Considerations
+
+The Legate Ruby library implements several security measures:
+
+- Tokens are cached in scoped session state; for at-rest encryption, the opt-in `Legate::Auth::Encryption` module is available (it is not applied automatically)
+- Access tokens have limited lifetimes, with automatic expiry checks
+- Refresh tokens are handled by the `TokenManager`
+- Environment variable resolution (the `ENV:` prefix) keeps sensitive values out of source code
+- Outbound auth/token URLs are validated by `Legate::Auth::UrlGuard` to block SSRF to private/loopback addresses
+
+## Next Steps
+
+- [Authentication Configuration](./configuration) - How to configure authentication for different scenarios
+- [API Key Authentication](./api_key) - Detailed guide for API key authentication
+- [OAuth2 Authentication](./oauth2) - Complete guide for implementing OAuth2 flows
+- [Token Lifecycle Management](./token_lifecycle) - Managing token expiration and refresh 

data/public/docs/authentication/guides/secure_storage.md

@@ -0,0 +1,301 @@
+# Secure Credential Storage
+
+## Overview
+
+Secure storage of authentication credentials and tokens is critical for maintaining the security of your Legate Ruby applications. This guide explains best practices for storing and handling sensitive authentication data.
+
+## Security Considerations
+
+When working with authentication, you need to protect several types of sensitive information:
+
+- **API Keys**: Direct access tokens that grant API access
+- **Client Secrets**: OAuth2/OIDC secrets used to authenticate your application
+- **Bearer Tokens**: Tokens that provide access to protected resources
+- **Access Tokens**: Short-lived tokens obtained through authentication flows
+- **Refresh Tokens**: Long-lived tokens used to obtain new access tokens
+- **Service Account Keys**: JSON credentials that authenticate as a service account
+
+## Legate Security Architecture
+
+The Legate Ruby library provides several measures to help protect sensitive authentication data:
+
+1. **Optional Encryption**: An opt-in `Legate::Auth::Encryption` module is available for encrypting data at rest
+2. **Scoped Storage**: Tokens are cached in scoped session state via the token store
+3. **Environment Variables**: Credential values can be sourced from environment variables (the `ENV:` prefix)
+4. **Minimal Exposure**: Access tokens are short-lived and refreshed automatically by the `TokenManager`
+
+## Encryption in Legate
+
+> **Important:** Encryption is **opt-in** and is **not** wired into `TokenStore`. `TokenStore#store` persists plaintext token data (`token.to_h`) in scoped state. To encrypt at rest, call the `Legate::Auth::Encryption` module yourself.
+
+The `Legate::Auth::Encryption` module uses the `rbnacl` gem (libsodium SecretBox) for authenticated encryption. `rbnacl` is an optional dependency: the module lazily requires it and raises `LoadError` if it (or libsodium) is missing.
+
+### Using the Encryption Module
+
+`Encryption` is a module (not instantiable). Call its module methods directly. Keys are Base64-encoded; with no key argument it reads `LEGATE_AUTH_ENCRYPTION_KEY`.
+
+```ruby
+require 'legate/auth/encryption'
+
+# Generate a Base64 key once and store it securely
+key = Legate::Auth::Encryption.generate_key
+
+# Encrypt / decrypt (output is "LGTAUTH" + Base64)
+ciphertext = Legate::Auth::Encryption.encrypt(JSON.dump(token.to_h), key)
+plaintext  = Legate::Auth::Encryption.decrypt(ciphertext, key)
+```
+
+### Applying Encryption to Stored Tokens
+
+Because `TokenStore` does not encrypt, apply encryption in your own storage layer:
+
+```ruby
+key = ENV['LEGATE_AUTH_ENCRYPTION_KEY']
+
+# Encrypt before persisting through storage you control
+ciphertext = Legate::Auth::Encryption.encrypt(JSON.dump(token.to_h), key)
+
+# Decrypt on read, then rebuild the token
+data = JSON.parse(Legate::Auth::Encryption.decrypt(ciphertext, key), symbolize_names: true)
+token = Legate::Auth::ExchangedCredential.from_h(data)
+```
+
+## Environment Variable Handling
+
+The Legate Ruby library supports sourcing credential values from environment variables, which is a security best practice.
+
+### Direct Environment Variable Usage
+
+```ruby
+# Read environment variables at construction time
+api_key_credential = Legate::Auth::Credential.new(
+  auth_type: :api_key,
+  api_key: ENV['API_KEY']
+)
+
+oauth2_credential = Legate::Auth::Credential.new(
+  auth_type: :oauth2,
+  client_id: ENV['OAUTH2_CLIENT_ID'],
+  client_secret: ENV['OAUTH2_CLIENT_SECRET']
+)
+```
+
+### Environment Variable References
+
+The only reference mechanism is the `ENV:` prefix inside a string value
+(resolved lazily when the attribute is read). There are no `*_env` attributes.
+
+```ruby
+api_key_credential = Legate::Auth::Credential.new(
+  auth_type: :api_key,
+  api_key: 'ENV:API_KEY'
+)
+
+oauth2_credential = Legate::Auth::Credential.new(
+  auth_type: :oauth2,
+  client_id: 'ENV:OAUTH2_CLIENT_ID',
+  client_secret: 'ENV:OAUTH2_CLIENT_SECRET'
+)
+```
+
+## Secure Token Storage
+
+The Legate Ruby library provides the `TokenStore` class for secure storage of authentication tokens.
+
+### Creating a Token Store
+
+```ruby
+# Create a token store with the session service (positional argument)
+token_store = Legate::Auth::TokenStore.new(session_service)
+```
+
+### Storing Tokens
+
+`store(key, token)` accepts a string key and an `ExchangedCredential` (it
+serializes `token.to_h` into scoped state; it does not encrypt):
+
+```ruby
+token = Legate::Auth::ExchangedCredential.new(
+  auth_type: :oauth2,
+  access_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...',
+  refresh_token: 'rtok_abc123...',
+  expires_in: 3600
+)
+
+token_store.store('client123', token)
+```
+
+### Retrieving Tokens
+
+```ruby
+# Returns an ExchangedCredential, or nil if missing/expired
+token = token_store.get('client123')
+```
+
+## Service Account Key Security
+
+Service account keys (especially Google Service Account JSON keys) require special security consideration.
+
+### Store Service Account Keys Securely
+
+```ruby
+# Option 1: Store the JSON in an environment variable (recommended).
+# service_account_key takes the raw JSON string.
+ENV['GOOGLE_SERVICE_ACCOUNT_JSON'] = '{"type":"service_account","project_id":"..."}'
+
+credential = Legate::Auth::Credential.new(
+  auth_type: :google_service_account,
+  service_account_key: ENV['GOOGLE_SERVICE_ACCOUNT_JSON']
+)
+
+# Option 2: Reference the env var lazily with the ENV: prefix
+credential = Legate::Auth::Credential.new(
+  auth_type: :google_service_account,
+  service_account_key: 'ENV:GOOGLE_SERVICE_ACCOUNT_JSON'
+)
+
+# Option 3: Reference a file path with service_account_key_file
+credential = Legate::Auth::Credential.new(
+  auth_type: :google_service_account,
+  service_account_key_file: '/secure/path/to/service-account.json'
+)
+```
+
+## Deployment Security Best Practices
+
+### Environment Variables in Production
+
+For production environments, consider these best practices for handling environment variables:
+
+1. **Use a secrets manager**: Store secrets in a dedicated secrets manager like HashiCorp Vault, AWS Secrets Manager, or Google Secret Manager
+2. **Inject at runtime**: Inject secrets into your application at runtime rather than storing them in configuration files
+3. **Use minimal permissions**: For service accounts, use the principle of least privilege
+4. **Rotate credentials**: Regularly rotate credentials and tokens
+
+### Example with Docker Compose
+
+```yaml
+# docker-compose.yml
+version: '3'
+services:
+  app:
+    build: .
+    environment:
+      - OAUTH2_CLIENT_ID=${OAUTH2_CLIENT_ID}
+      - OAUTH2_CLIENT_SECRET=${OAUTH2_CLIENT_SECRET}
+      - API_KEY=${API_KEY}
+    env_file:
+      - .env.production
+```
+
+### Example with Kubernetes
+
+```yaml
+# deployment.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: auth-credentials
+type: Opaque
+data:
+  oauth2-client-id: <base64-encoded-client-id>
+  oauth2-client-secret: <base64-encoded-client-secret>
+  api-key: <base64-encoded-api-key>
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: legate-app
+spec:
+  template:
+    spec:
+      containers:
+      - name: legate-app
+        image: legate-app:latest
+        env:
+        - name: OAUTH2_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: auth-credentials
+              key: oauth2-client-id
+        - name: OAUTH2_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: auth-credentials
+              key: oauth2-client-secret
+        - name: API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: auth-credentials
+              key: api-key
+```
+
+## Development Security Best Practices
+
+### Local Environment Variables
+
+For development environments, consider these approaches:
+
+1. **Use a .env file**: Store environment variables in a .env file that is not committed to source control
+2. **Use a development-only secrets manager**: Set up a development instance of your secrets manager
+3. **Use dummy credentials for development**: Use separate credentials for development environments
+
+### Example .env File
+
+```
+# .env (add to .gitignore)
+OAUTH2_CLIENT_ID=dev-client-id
+OAUTH2_CLIENT_SECRET=dev-client-secret
+API_KEY=dev-api-key
+GOOGLE_SERVICE_ACCOUNT_JSON={"type":"service_account","project_id":"..."}
+```
+
+### Loading Environment Variables
+
+```ruby
+# Load environment variables
+require 'dotenv'
+Dotenv.load
+
+# Use in credential creation
+oauth2_credential = Legate::Auth::Credential.new(
+  auth_type: :oauth2,
+  client_id: ENV['OAUTH2_CLIENT_ID'],
+  client_secret: ENV['OAUTH2_CLIENT_SECRET']
+)
+```
+
+## Session Service Security
+
+The Legate session service stores authentication tokens in memory as plaintext (unless you apply opt-in encryption yourself). Ensure proper security:
+
+1. **Use HTTPS**: Ensure all communication is over HTTPS
+2. **Session isolation**: Use proper session management practices
+3. **Process lifecycle**: Be aware that in-memory sessions are lost on process restart
+
+```ruby
+# Create the in-memory session service
+session_service = Legate::SessionService::InMemory.new
+```
+
+## Security Checklist
+
+Use this checklist to ensure you're following security best practices:
+
+- [ ] Store credentials in environment variables, not in code
+- [ ] Use HTTPS for all API and authentication endpoints
+- [ ] Configure proper token expiration and refresh thresholds
+- [ ] Implement proper error handling for authentication failures
+- [ ] Ensure session service is properly configured
+- [ ] Rotate credentials regularly
+- [ ] Use the principle of least privilege for service accounts
+- [ ] Implement proper logging for authentication events (but don't log sensitive data)
+- [ ] Keep the Legate Ruby library updated to get security fixes
+
+## Related Topics
+- [Authentication Configuration](./configuration)
+- [Token Lifecycle Management](./token_lifecycle)
+- [OAuth2 Authentication](./oauth2)
+- [Service Account Authentication](./service_account)
+- [`Legate::Auth::TokenStore` API Reference](../api_reference/token_store)
+- [`Legate::Auth::Encryption` API Reference](../api_reference/encryption)