@m1a0rz/agent-identity 0.2.2 → 0.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (19) hide show
  1. package/dist/index.js +4 -4
  2. package/dist/src/actions/identity-actions.js +1 -1
  3. package/dist/src/hooks/before-agent-start.d.ts.map +1 -1
  4. package/dist/src/hooks/before-agent-start.js +12 -11
  5. package/dist/src/hooks/before-tool-call.d.ts.map +1 -1
  6. package/dist/src/hooks/before-tool-call.js +3 -1
  7. package/dist/src/services/identity-client.js +1 -1
  8. package/dist/src/services/oidc-client.d.ts +2 -0
  9. package/dist/src/services/oidc-client.d.ts.map +1 -1
  10. package/dist/src/services/oidc-client.js +11 -1
  11. package/dist/src/services/tip-with-refresh.d.ts.map +1 -1
  12. package/dist/src/services/tip-with-refresh.js +5 -5
  13. package/dist/src/tools/identity-config-suggest.d.ts +2 -2
  14. package/dist/src/tools/identity-config-suggest.js +2 -2
  15. package/dist/src/utils/derive-session-key.d.ts.map +1 -1
  16. package/dist/src/utils/derive-session-key.js +4 -0
  17. package/dist/src/utils/token-errors.d.ts.map +1 -1
  18. package/dist/src/utils/token-errors.js +1 -1
  19. package/package.json +1 -1
package/dist/index.js CHANGED
@@ -148,7 +148,7 @@ export default function register(api) {
148
148
  userPoolName: userpool.userPoolName,
149
149
  clientName: userpool.clientName,
150
150
  redirectUri: userpool.callbackUrl,
151
- scope: userpool.scope,
151
+ scope: userpool.scope ?? "openid profile email offline_access",
152
152
  autoCreate: userpool.autoCreate ?? true,
153
153
  });
154
154
  return cached;
@@ -159,7 +159,7 @@ export default function register(api) {
159
159
  discoveryUrl: userpool.discoveryUrl,
160
160
  clientId: userpool.clientId,
161
161
  clientSecret: userpool.clientSecret,
162
- scope: userpool.scope,
162
+ scope: userpool.scope ?? "openid profile email offline_access",
163
163
  callbackUrl: userpool.callbackUrl,
164
164
  });
165
165
  }
@@ -236,7 +236,7 @@ export default function register(api) {
236
236
  discoveryUrl: userpool.discoveryUrl,
237
237
  clientId: userpool.clientId,
238
238
  clientSecret: userpool.clientSecret,
239
- scope: userpool.scope,
239
+ scope: userpool.scope ?? "openid profile email offline_access",
240
240
  callbackUrl: userpool.callbackUrl,
241
241
  };
242
242
  api.registerHttpRoute({
@@ -257,7 +257,7 @@ export default function register(api) {
257
257
  discoveryUrl: userpool.discoveryUrl,
258
258
  clientId: userpool.clientId,
259
259
  clientSecret: userpool.clientSecret,
260
- scope: userpool.scope,
260
+ scope: userpool.scope ?? "openid profile email offline_access",
261
261
  callbackUrl: userpool.callbackUrl,
262
262
  })
263
263
  : async () => {
package/dist/src/actions/identity-actions.js CHANGED
@@ -138,7 +138,7 @@ export async function runLogin(deps, sessionKey, options) {
138
138
  authorizationEndpoint: discovery.authorization_endpoint,
139
139
  clientId: oidcConfig.clientId,
140
140
  redirectUri: oidcConfig.callbackUrl,
141
- scope: oidcConfig.scope ?? "openid profile email",
141
+ scope: oidcConfig.scope ?? "openid profile email offline_access",
142
142
  state,
143
143
  });
144
144
  logInfo(logger, `login returning IdP URL for sessionKey=${sessionKey.slice(0, 24)}...`);
package/dist/src/hooks/before-agent-start.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"before-agent-start.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-agent-start.ts"],"names":[],"mappings":"AAgBA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAO3E,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACxE,CAAC;AAEF,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,oBAAoB,IAcpE,QAAQ;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAA;CAAE,EAChD,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,KAC7C,OAAO,CAAC;IAAE,cAAc,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA2B/C"}
1
+ {"version":3,"file":"before-agent-start.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-agent-start.ts"],"names":[],"mappings":"AAgBA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAO3E,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,MAAM,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACxE,CAAC;AAEF,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,oBAAoB,IAapE,QAAQ;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAA;CAAE,EAChD,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,KAC7C,OAAO,CAAC;IAAE,cAAc,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA4B/C"}
package/dist/src/hooks/before-agent-start.js CHANGED
@@ -20,14 +20,14 @@ import { getCredential, resolveCredentialValue } from "../store/credential-store
20
20
  import { isSubagentSessionKey } from "../utils/derive-session-key.js";
21
21
  export function createBeforeAgentStartHandler(deps) {
22
22
  const { storeDir, identityService, configWorkloadName, getOidcConfigForRefresh, logger } = deps;
23
- const tipRefreshOptions = getOidcConfigForRefresh
24
- ? {
25
- identityService,
26
- getOidcConfigForRefresh,
27
- configWorkloadName,
28
- logger,
29
- }
30
- : undefined;
23
+ // Always pass identityService so we can try fetch with session.userToken when TIP is missing/expired.
24
+ // getOidcConfigForRefresh is only needed for refresh when userToken itself has expired.
25
+ const tipRefreshOptions = {
26
+ identityService,
27
+ getOidcConfigForRefresh,
28
+ configWorkloadName,
29
+ logger,
30
+ };
31
31
  return async (_event, ctx) => {
32
32
  const sessionKey = ctx.sessionKey;
33
33
  if (!sessionKey)
@@ -49,9 +49,10 @@ export function createBeforeAgentStartHandler(deps) {
49
49
  /* best-effort */
50
50
  }
51
51
  try {
52
- const tip = await getOrRefreshTIPToken(storeDir, sessionKey, tipRefreshOptions
53
- ? { ...tipRefreshOptions, ctxAgentId: ctx.agentId }
54
- : undefined);
52
+ const tip = await getOrRefreshTIPToken(storeDir, sessionKey, {
53
+ ...tipRefreshOptions,
54
+ ctxAgentId: ctx.agentId,
55
+ });
55
56
  if (!tip)
56
57
  return;
57
58
  }
package/dist/src/hooks/before-tool-call.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"before-tool-call.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-tool-call.ts"],"names":[],"mappings":"AAgBA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAUhD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,uGAAuG;IACvG,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,kFAAkF;IAClF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;IACxE,sEAAsE;IACtE,aAAa,CAAC,EAAE,CAAC,kBAAkB,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5E,oBAAoB;IACpB,KAAK,CAAC,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,+EAA+E;IAC/E,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAwCF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,kBAAkB,IA6BhE,OAAO;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,EAC5D,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,KAC/D,OAAO,CAAC;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAyK7D"}
1
+ {"version":3,"file":"before-tool-call.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-tool-call.ts"],"names":[],"mappings":"AAgBA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAUhD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,uGAAuG;IACvG,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,kFAAkF;IAClF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;IACxE,sEAAsE;IACtE,aAAa,CAAC,EAAE,CAAC,kBAAkB,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5E,oBAAoB;IACpB,KAAK,CAAC,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,+EAA+E;IAC/E,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAwCF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,kBAAkB,IA8BhE,OAAO;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,EAC5D,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,KAC/D,OAAO,CAAC;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAyK7D"}
package/dist/src/hooks/before-tool-call.js CHANGED
@@ -47,7 +47,9 @@ function isSkillReadPath(pathStr) {
47
47
  export function createBeforeToolCallHandler(deps) {
48
48
  const { storeDir, identityClient, namespaceName = "default", logger, sendToSession, authz, approvalTtlMs, identityService, getOidcConfigForRefresh, configWorkloadName, } = deps;
49
49
  const flags = resolveAuthzFlags(authz);
50
- const tipRefreshOptions = identityService && getOidcConfigForRefresh
50
+ // Pass identityService when available so we can try fetch with session.userToken when TIP is missing/expired.
51
+ // getOidcConfigForRefresh is only needed for refresh when userToken itself has expired.
52
+ const tipRefreshOptions = identityService
51
53
  ? {
52
54
  identityService,
53
55
  getOidcConfigForRefresh,
package/dist/src/services/identity-client.js CHANGED
@@ -497,7 +497,7 @@ export class IdentityClient {
497
497
  * Returns discoveryUrl, clientId, clientSecret, callbackUrl for OIDC flow.
498
498
  */
499
499
  export async function resolveOIDCConfig(client, params) {
500
- const { userPoolName, userPoolUid, clientName, clientUid, redirectUri, scope = "openid profile email", autoCreate = true, clientType = "WEB_APPLICATION", } = params;
500
+ const { userPoolName, userPoolUid, clientName, clientUid, redirectUri, scope = "openid profile email offline_access", autoCreate = true, clientType = "WEB_APPLICATION", } = params;
501
501
  if (!userPoolName && !userPoolUid) {
502
502
  throw new Error("Either userPoolName or userPoolUid must be provided");
503
503
  }
package/dist/src/services/oidc-client.d.ts CHANGED
@@ -6,6 +6,8 @@
6
6
  *
7
7
  * Reference: veadk auth/middleware/oauth2_auth.py
8
8
  */
9
+ /** Default OIDC scope for login. Includes offline_access for refresh_token support. */
10
+ export declare const DEFAULT_OIDC_SCOPE = "openid profile email offline_access";
9
11
  export type OIDCDiscovery = {
10
12
  issuer: string;
11
13
  authorization_endpoint: string;
package/dist/src/services/oidc-client.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oidc-client.d.ts","sourceRoot":"","sources":["../../../src/services/oidc-client.ts"],"names":[],"mappings":"AAgBA;;;;;;;GAOG;AAEH,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;CACrC,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,EACpB,SAAS,SAAS,GACjB,OAAO,CAAC,aAAa,CAAC,CAoBxB;AAED,wBAAgB,qBAAqB,CAAC,MAAM,EAAE;IAC5C,qBAAqB,EAAE,MAAM,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B,GAAG,MAAM,CA0BT;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,GAAG,OAAO,CAAC;IACV,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC,CA6CD;AAED,yDAAyD;AACzD,wBAAsB,kBAAkB,CAAC,MAAM,EAAE;IAC/C,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,OAAO,CAAC;IACV,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC,CAwCD;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAGrD"}
1
+ {"version":3,"file":"oidc-client.d.ts","sourceRoot":"","sources":["../../../src/services/oidc-client.ts"],"names":[],"mappings":"AAgBA;;;;;;;GAOG;AAEH,uFAAuF;AACvF,eAAO,MAAM,kBAAkB,wCAAwC,CAAC;AAExE,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;CACrC,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,EACpB,SAAS,SAAS,GACjB,OAAO,CAAC,aAAa,CAAC,CAoBxB;AAED,wBAAgB,qBAAqB,CAAC,MAAM,EAAE;IAC5C,qBAAqB,EAAE,MAAM,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B,GAAG,MAAM,CA0BT;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,GAAG,OAAO,CAAC;IACV,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC,CA6CD;AAED,yDAAyD;AACzD,wBAAsB,kBAAkB,CAAC,MAAM,EAAE;IAC/C,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,OAAO,CAAC;IACV,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC,CAwCD;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAGrD"}
package/dist/src/services/oidc-client.js CHANGED
@@ -13,6 +13,16 @@
13
13
  * See the License for the specific language governing permissions and
14
14
  * limitations under the License.
15
15
  */
16
+ /**
17
+ * OIDC client for UserPool login flow.
18
+ * Fetches .well-known/openid-configuration from data plane, then:
19
+ * - Build authorization URL for login
20
+ * - Exchange code for tokens
21
+ *
22
+ * Reference: veadk auth/middleware/oauth2_auth.py
23
+ */
24
+ /** Default OIDC scope for login. Includes offline_access for refresh_token support. */
25
+ export const DEFAULT_OIDC_SCOPE = "openid profile email offline_access";
16
26
  export async function fetchOIDCDiscovery(discoveryUrl, timeoutMs = 10_000) {
17
27
  const controller = new AbortController();
18
28
  const timer = setTimeout(() => controller.abort(), timeoutMs);
@@ -36,7 +46,7 @@ export async function fetchOIDCDiscovery(discoveryUrl, timeoutMs = 10_000) {
36
46
  }
37
47
  }
38
48
  export function buildAuthorizationUrl(params) {
39
- const { authorizationEndpoint, clientId, redirectUri, scope = "openid profile email", state, responseType = "code", codeChallenge, codeChallengeMethod, } = params;
49
+ const { authorizationEndpoint, clientId, redirectUri, scope = DEFAULT_OIDC_SCOPE, state, responseType = "code", codeChallenge, codeChallengeMethod, } = params;
40
50
  const search = new URLSearchParams({
41
51
  response_type: responseType,
42
52
  client_id: clientId,
package/dist/src/services/tip-with-refresh.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"tip-with-refresh.d.ts","sourceRoot":"","sources":["../../../src/services/tip-with-refresh.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAMpD,MAAM,MAAM,sBAAsB,GAAG;IACnC,eAAe,EAAE,eAAe,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1E,CAAC;AAEF;;;GAGG;AACH,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC,CAAC,CA6DlD"}
1
+ {"version":3,"file":"tip-with-refresh.d.ts","sourceRoot":"","sources":["../../../src/services/tip-with-refresh.ts"],"names":[],"mappings":"AAgBA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAMpD,MAAM,MAAM,sBAAsB,GAAG;IACnC,eAAe,EAAE,eAAe,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CAC1E,CAAC;AAEF;;;GAGG;AACH,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC,CAAC,CAgElD"}
package/dist/src/services/tip-with-refresh.js CHANGED
@@ -27,10 +27,11 @@ export async function getOrRefreshTIPToken(storeDir, sessionKey, options) {
27
27
  const cached = await getTIPToken(storeDir, sessionKey);
28
28
  if (cached)
29
29
  return cached;
30
- if (!options)
30
+ if (!options) {
31
31
  return null;
32
+ }
32
33
  const { identityService, getOidcConfigForRefresh, configWorkloadName, ctxAgentId, logger, } = options;
33
- let session = await getSession(storeDir, sessionKey);
34
+ const session = await getSession(storeDir, sessionKey);
34
35
  if (!session)
35
36
  return null;
36
37
  try {
@@ -47,9 +48,8 @@ export async function getOrRefreshTIPToken(storeDir, sessionKey, options) {
47
48
  return getTIPToken(storeDir, sessionKey);
48
49
  }
49
50
  catch (err) {
50
- if (!isTokenExpiredError(err) ||
51
- !getOidcConfigForRefresh ||
52
- !session.refreshToken) {
51
+ const canRefresh = isTokenExpiredError(err) && !!getOidcConfigForRefresh && !!session.refreshToken;
52
+ if (!canRefresh) {
53
53
  return null;
54
54
  }
55
55
  const refreshed = await refreshSessionUserToken(storeDir, sessionKey, getOidcConfigForRefresh);
package/dist/src/tools/identity-config-suggest.d.ts CHANGED
@@ -23,7 +23,7 @@ declare const INTENTS: {
23
23
  readonly clientId: "<your-client-id>";
24
24
  readonly clientSecret: "<optional-for-public-clients>";
25
25
  readonly callbackUrl: "https://your-gateway/identity/oauth/callback";
26
- readonly scope: "openid profile email";
26
+ readonly scope: "openid profile email offline_access";
27
27
  };
28
28
  };
29
29
  readonly instructions: {
@@ -80,7 +80,7 @@ declare const INTENTS: {
80
80
  readonly discoveryUrl: "https://your-idp.com/.well-known/openid-configuration";
81
81
  readonly clientId: "<your-client-id>";
82
82
  readonly callbackUrl: "https://your-gateway/identity/oauth/callback";
83
- readonly scope: "openid profile email";
83
+ readonly scope: "openid profile email offline_access";
84
84
  };
85
85
  readonly authz: {
86
86
  readonly toolCheck: false;
package/dist/src/tools/identity-config-suggest.js CHANGED
@@ -73,7 +73,7 @@ const INTENTS = {
73
73
  clientId: "<your-client-id>",
74
74
  clientSecret: "<optional-for-public-clients>",
75
75
  callbackUrl: "https://your-gateway/identity/oauth/callback",
76
- scope: "openid profile email",
76
+ scope: "openid profile email offline_access",
77
77
  },
78
78
  },
79
79
  instructions: {
@@ -130,7 +130,7 @@ const INTENTS = {
130
130
  discoveryUrl: "https://your-idp.com/.well-known/openid-configuration",
131
131
  clientId: "<your-client-id>",
132
132
  callbackUrl: "https://your-gateway/identity/oauth/callback",
133
- scope: "openid profile email",
133
+ scope: "openid profile email offline_access",
134
134
  },
135
135
  authz: {
136
136
  toolCheck: false,
package/dist/src/utils/derive-session-key.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"derive-session-key.d.ts","sourceRoot":"","sources":["../../../src/utils/derive-session-key.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,yFAAyF;AACzF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/B,MAAM,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE;YAAE,EAAE,CAAC,EAAE,MAAM,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,CAAC;CAC3D,CAAC;AAEF,KAAK,sBAAsB,GAAG;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,iBAAiB,CAAC;CAC3B,CAAC;AAUF;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,CAE/D;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAM/F;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,qFAAqF;IACrF,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC5B,CAAC;AAEF;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,CASnE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAKnF;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,6BAA6B,CAAC,MAAM,EAAE,yBAAyB,GAAG,MAAM,CAiBvF;AAyBD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,sBAAsB,GAAG,MAAM,GAAG,IAAI,CA4B9E;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,iFAAiF;IACjF,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAaF,8DAA8D;AAC9D,MAAM,MAAM,yBAAyB,GAAG;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,+BAA+B,CAC7C,GAAG,EAAE,yBAAyB,GAC7B,wBAAwB,GAAG,IAAI,CAmBjC;AAED;;;;GAIG;AACH,wBAAgB,+BAA+B,CAC7C,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GACpC,wBAAwB,GAAG,IAAI,CAyDjC"}
1
+ {"version":3,"file":"derive-session-key.d.ts","sourceRoot":"","sources":["../../../src/utils/derive-session-key.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,yFAAyF;AACzF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/B,MAAM,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE;YAAE,EAAE,CAAC,EAAE,MAAM,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,CAAC;CAC3D,CAAC;AAEF,KAAK,sBAAsB,GAAG;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,iBAAiB,CAAC;CAC3B,CAAC;AAUF;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,CAE/D;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAM/F;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,qFAAqF;IACrF,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC5B,CAAC;AAEF;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,CASnE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAKnF;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,6BAA6B,CAAC,MAAM,EAAE,yBAAyB,GAAG,MAAM,CAiBvF;AAyBD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,sBAAsB,GAAG,MAAM,GAAG,IAAI,CAiC9E;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,iFAAiF;IACjF,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAaF,8DAA8D;AAC9D,MAAM,MAAM,yBAAyB,GAAG;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,+BAA+B,CAC7C,GAAG,EAAE,yBAAyB,GAC7B,wBAAwB,GAAG,IAAI,CAmBjC;AAED;;;;GAIG;AACH,wBAAgB,+BAA+B,CAC7C,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GACpC,wBAAwB,GAAG,IAAI,CAyDjC"}
package/dist/src/utils/derive-session-key.js CHANGED
@@ -120,6 +120,10 @@ export function deriveSessionKey(params) {
120
120
  const agentId = deriveAgentId(config);
121
121
  const dmScope = config.session?.dmScope;
122
122
  const ch = (channel ?? "").trim().toLowerCase() || "unknown";
123
+ // If channel is webchat or tui, they are not sendable, so use main session.
124
+ if (ch == "webchat" || ch == "tui") {
125
+ return `agent:${agentId}:main`;
126
+ }
123
127
  const groupPeerId = extractGroupPeerId(ch, from, to);
124
128
  const isGroup = Boolean(groupPeerId);
125
129
  if (isGroup && groupPeerId) {
package/dist/src/utils/token-errors.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"token-errors.d.ts","sourceRoot":"","sources":["../../../src/utils/token-errors.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAGzD"}
1
+ {"version":3,"file":"token-errors.d.ts","sourceRoot":"","sources":["../../../src/utils/token-errors.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAOzD"}
package/dist/src/utils/token-errors.js CHANGED
@@ -18,5 +18,5 @@
18
18
  */
19
19
  export function isTokenExpiredError(err) {
20
20
  const msg = err instanceof Error ? err.message : String(err);
21
- return /token has expired|Invalid token/i.test(msg);
21
+ return (/token has expired|Invalid token|JWT expired|access token expired|id_token expired|token expired/i.test(msg));
22
22
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@m1a0rz/agent-identity",
3
- "version": "0.2.2",
3
+ "version": "0.2.4",
4
4
  "description": "Agent Identity: UserPool (用户池) login, TIP token (工作负载令牌), credential hosting (凭据托管 OAuth2/API key), optional tool/skill permission control (CheckPermission) and risk approval. Integrates with Volcengine 智能体身份和权限管理平台.",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",