arize-phoenix 4.36.0__py3-none-any.whl → 5.0.0__py3-none-any.whl

phoenix/server/jwt_store.py

@@ -0,0 +1,504 @@
+import logging
+from abc import ABC, abstractmethod
+from asyncio import create_task, gather, sleep
+from copy import deepcopy
+from dataclasses import replace
+from datetime import datetime, timezone
+from functools import cached_property, singledispatchmethod
+from typing import Any, Callable, Coroutine, Dict, Generic, List, Optional, Tuple, Type, TypeVar
+
+from authlib.jose import jwt
+from authlib.jose.errors import JoseError
+from sqlalchemy import Select, delete, select
+
+from phoenix.auth import (
+    JWT_ALGORITHM,
+    ClaimSet,
+    Token,
+)
+from phoenix.config import get_env_enable_prometheus
+from phoenix.db import models
+from phoenix.db.enums import UserRole
+from phoenix.server.types import (
+    AccessToken,
+    AccessTokenAttributes,
+    AccessTokenClaims,
+    AccessTokenId,
+    ApiKey,
+    ApiKeyAttributes,
+    ApiKeyClaims,
+    ApiKeyId,
+    DaemonTask,
+    DbSessionFactory,
+    PasswordResetToken,
+    PasswordResetTokenAttributes,
+    PasswordResetTokenClaims,
+    PasswordResetTokenId,
+    RefreshToken,
+    RefreshTokenAttributes,
+    RefreshTokenClaims,
+    RefreshTokenId,
+    TokenId,
+    UserId,
+)
+
+logger = logging.getLogger(__name__)
+
+
+class JwtStore:
+    def __init__(
+        self,
+        db: DbSessionFactory,
+        secret: str,
+        algorithm: str = JWT_ALGORITHM,
+        sleep_seconds: int = 10,
+        **kwargs: Any,
+    ) -> None:
+        assert secret
+        super().__init__(**kwargs)
+        self._db = db
+        self._secret = secret
+        args = (db, secret, algorithm, sleep_seconds)
+        self._password_reset_token_store = _PasswordResetTokenStore(*args, **kwargs)
+        self._access_token_store = _AccessTokenStore(*args, **kwargs)
+        self._refresh_token_store = _RefreshTokenStore(*args, **kwargs)
+        self._api_key_store = _ApiKeyStore(*args, **kwargs)
+
+    @cached_property
+    def _stores(self) -> Tuple[DaemonTask, ...]:
+        return tuple(dt for dt in self.__dict__.values() if isinstance(dt, _Store))
+
+    async def __aenter__(self) -> None:
+        await gather(*(s.__aenter__() for s in self._stores))
+
+    async def __aexit__(self, *args: Any, **kwargs: Any) -> None:
+        await gather(*(s.__aexit__(*args, **kwargs) for s in self._stores))
+
+    async def read(self, token: Token) -> Optional[ClaimSet]:
+        try:
+            payload = jwt.decode(
+                s=token,
+                key=self._secret,
+            )
+        except JoseError:
+            return None
+        if (jti := payload.get("jti")) is None:
+            return None
+        if (token_id := TokenId.parse(jti)) is None:
+            return None
+        return await self._get(token_id)
+
+    @singledispatchmethod
+    async def _get(self, _: TokenId) -> Optional[ClaimSet]:
+        return None
+
+    @_get.register
+    async def _(self, token_id: PasswordResetTokenId) -> Optional[ClaimSet]:
+        return await self._password_reset_token_store.get(token_id)
+
+    @_get.register
+    async def _(self, token_id: AccessTokenId) -> Optional[ClaimSet]:
+        return await self._access_token_store.get(token_id)
+
+    @_get.register
+    async def _(self, token_id: RefreshTokenId) -> Optional[ClaimSet]:
+        return await self._refresh_token_store.get(token_id)
+
+    @_get.register
+    async def _(self, token_id: ApiKeyId) -> Optional[ClaimSet]:
+        return await self._api_key_store.get(token_id)
+
+    @singledispatchmethod
+    async def _evict(self, _: TokenId) -> Optional[ClaimSet]:
+        return None
+
+    @_evict.register
+    async def _(self, token_id: PasswordResetTokenId) -> Optional[ClaimSet]:
+        return await self._password_reset_token_store.evict(token_id)
+
+    @_evict.register
+    async def _(self, token_id: AccessTokenId) -> Optional[ClaimSet]:
+        return await self._access_token_store.evict(token_id)
+
+    @_evict.register
+    async def _(self, token_id: RefreshTokenId) -> Optional[ClaimSet]:
+        return await self._refresh_token_store.evict(token_id)
+
+    @_evict.register
+    async def _(self, token_id: ApiKeyId) -> Optional[ClaimSet]:
+        return await self._api_key_store.evict(token_id)
+
+    async def create_password_reset_token(
+        self,
+        claim: PasswordResetTokenClaims,
+    ) -> Tuple[PasswordResetToken, PasswordResetTokenId]:
+        return await self._password_reset_token_store.create(claim)
+
+    async def create_access_token(
+        self,
+        claim: AccessTokenClaims,
+    ) -> Tuple[AccessToken, AccessTokenId]:
+        return await self._access_token_store.create(claim)
+
+    async def create_refresh_token(
+        self,
+        claim: RefreshTokenClaims,
+    ) -> Tuple[RefreshToken, RefreshTokenId]:
+        return await self._refresh_token_store.create(claim)
+
+    async def create_api_key(
+        self,
+        claim: ApiKeyClaims,
+    ) -> Tuple[ApiKey, ApiKeyId]:
+        return await self._api_key_store.create(claim)
+
+    async def revoke(self, *token_ids: TokenId) -> None:
+        if not token_ids:
+            return
+        password_reset_token_ids: List[PasswordResetTokenId] = []
+        access_token_ids: List[AccessTokenId] = []
+        refresh_token_ids: List[RefreshTokenId] = []
+        api_key_ids: List[ApiKeyId] = []
+        for token_id in token_ids:
+            if isinstance(token_id, PasswordResetTokenId):
+                password_reset_token_ids.append(token_id)
+            if isinstance(token_id, AccessTokenId):
+                access_token_ids.append(token_id)
+            elif isinstance(token_id, RefreshTokenId):
+                refresh_token_ids.append(token_id)
+            elif isinstance(token_id, ApiKeyId):
+                api_key_ids.append(token_id)
+        coroutines: List[Coroutine[None, None, None]] = []
+        if password_reset_token_ids:
+            coroutines.append(self._password_reset_token_store.revoke(*password_reset_token_ids))
+        if access_token_ids:
+            coroutines.append(self._access_token_store.revoke(*access_token_ids))
+        if refresh_token_ids:
+            coroutines.append(self._refresh_token_store.revoke(*refresh_token_ids))
+        if api_key_ids:
+            coroutines.append(self._api_key_store.revoke(*api_key_ids))
+        await gather(*coroutines)
+
+    async def log_out(self, user_id: UserId) -> None:
+        for cls in (AccessTokenId, RefreshTokenId):
+            table = cls.table
+            stmt = delete(table).where(table.user_id == int(user_id)).returning(table.id)
+            async with self._db() as session:
+                async for id_ in await session.stream_scalars(stmt):
+                    await self._evict(cls(id_))
+
+
+_TokenT = TypeVar("_TokenT", bound=Token)
+_TokenIdT = TypeVar("_TokenIdT", bound=TokenId)
+_ClaimSetT = TypeVar("_ClaimSetT", bound=ClaimSet)
+_RecordT = TypeVar(
+    "_RecordT",
+    models.PasswordResetToken,
+    models.AccessToken,
+    models.RefreshToken,
+    models.ApiKey,
+)
+
+
+class _Claims(Generic[_TokenIdT, _ClaimSetT]):
+    def __init__(self) -> None:
+        self._cache: Dict[_TokenIdT, _ClaimSetT] = {}
+
+    def __getitem__(self, token_id: _TokenIdT) -> Optional[_ClaimSetT]:
+        claim = self._cache.get(token_id)
+        return deepcopy(claim) if claim else None
+
+    def __setitem__(self, token_id: _TokenIdT, claim: _ClaimSetT) -> None:
+        self._cache[token_id] = deepcopy(claim)
+
+    def get(self, token_id: _TokenIdT) -> Optional[_ClaimSetT]:
+        claim = self._cache.get(token_id)
+        return deepcopy(claim) if claim else None
+
+    def pop(
+        self, token_id: _TokenIdT, default: Optional[_ClaimSetT] = None
+    ) -> Optional[_ClaimSetT]:
+        claim = self._cache.pop(token_id, default)
+        return deepcopy(claim) if claim else None
+
+
+class _Store(DaemonTask, Generic[_ClaimSetT, _TokenT, _TokenIdT, _RecordT], ABC):
+    _table: Type[_RecordT]
+    _token_id: Callable[[int], _TokenIdT]
+    _token: Callable[[str], _TokenT]
+
+    def __init__(
+        self,
+        db: DbSessionFactory,
+        secret: str,
+        algorithm: str = JWT_ALGORITHM,
+        sleep_seconds: int = 10,
+        **kwargs: Any,
+    ) -> None:
+        assert secret
+        super().__init__(**kwargs)
+        self._db = db
+        self._seconds = sleep_seconds
+        self._claims: _Claims[_TokenIdT, _ClaimSetT] = _Claims()
+        self._secret = secret
+        self._algorithm = algorithm
+
+    def _encode(self, claim: ClaimSet) -> str:
+        payload: Dict[str, Any] = dict(jti=claim.token_id)
+        header = {"alg": self._algorithm}
+        jwt_bytes: bytes = jwt.encode(header=header, payload=payload, key=self._secret)
+        return jwt_bytes.decode()
+
+    async def get(self, token_id: _TokenIdT) -> Optional[_ClaimSetT]:
+        if claims := self._claims.get(token_id):
+            return claims
+        stmt = self._update_stmt.where(self._table.id == int(token_id))
+        async with self._db() as session:
+            record = (await session.execute(stmt)).first()
+        if not record:
+            return None
+        token, role = record
+        _, claims = self._from_db(token, UserRole(role))
+        self._claims[token_id] = claims
+        return claims
+
+    async def evict(self, token_id: _TokenIdT) -> Optional[_ClaimSetT]:
+        return self._claims.pop(token_id, None)
+
+    async def revoke(self, *token_ids: _TokenIdT) -> None:
+        if not token_ids:
+            return
+        for token_id in token_ids:
+            await self.evict(token_id)
+        stmt = delete(self._table).where(self._table.id.in_(map(int, token_ids)))
+        async with self._db() as session:
+            await session.execute(stmt)
+
+    @abstractmethod
+    def _from_db(self, record: _RecordT, role: UserRole) -> Tuple[_TokenIdT, _ClaimSetT]: ...
+
+    @abstractmethod
+    def _to_db(self, claims: _ClaimSetT) -> _RecordT: ...
+
+    async def create(self, claim: _ClaimSetT) -> Tuple[_TokenT, _TokenIdT]:
+        record = self._to_db(claim)
+        async with self._db() as session:
+            session.add(record)
+            await session.flush()
+        token_id = self._token_id(record.id)
+        claim = replace(claim, token_id=token_id)
+        self._claims[token_id] = claim
+        token = self._token(self._encode(claim))
+        return token, token_id
+
+    async def _update(self) -> None:
+        claims: _Claims[_TokenIdT, _ClaimSetT] = _Claims()
+        async with self._db() as session:
+            async with session.begin_nested():
+                await self._delete_expired_tokens(session)
+            async with session.begin_nested():
+                async for record, role in await session.stream(self._update_stmt):
+                    token_id, claim_set = self._from_db(record, UserRole(role))
+                    claims[token_id] = claim_set
+        self._claims = claims
+
+    @cached_property
+    def _update_stmt(self) -> Select[Tuple[_RecordT, str]]:
+        return (
+            select(self._table, models.UserRole.name)
+            .join_from(self._table, models.User)
+            .join_from(models.User, models.UserRole)
+        )
+
+    async def _delete_expired_tokens(self, session: Any) -> None:
+        now = datetime.now(timezone.utc)
+        await session.execute(delete(self._table).where(self._table.expires_at < now))
+
+    async def _run(self) -> None:
+        while self._running:
+            self._tasks.append(create_task(self._update()))
+            await self._tasks[-1]
+            self._tasks.pop()
+            self._tasks.append(create_task(sleep(self._seconds)))
+            await self._tasks[-1]
+            self._tasks.pop()
+
+
+class _PasswordResetTokenStore(
+    _Store[
+        PasswordResetTokenClaims,
+        PasswordResetToken,
+        PasswordResetTokenId,
+        models.PasswordResetToken,
+    ]
+):
+    _table = models.PasswordResetToken
+    _token_id = PasswordResetTokenId
+    _token = PasswordResetToken
+
+    def _from_db(
+        self,
+        record: models.PasswordResetToken,
+        user_role: UserRole,
+    ) -> Tuple[PasswordResetTokenId, PasswordResetTokenClaims]:
+        token_id = PasswordResetTokenId(record.id)
+        return token_id, PasswordResetTokenClaims(
+            token_id=token_id,
+            subject=UserId(record.user_id),
+            issued_at=record.created_at,
+            expiration_time=record.expires_at,
+            attributes=PasswordResetTokenAttributes(
+                user_role=user_role,
+            ),
+        )
+
+    def _to_db(self, claim: PasswordResetTokenClaims) -> models.PasswordResetToken:
+        assert claim.expiration_time
+        assert claim.subject
+        user_id = int(claim.subject)
+        return models.PasswordResetToken(
+            user_id=user_id,
+            created_at=claim.issued_at,
+            expires_at=claim.expiration_time,
+        )
+
+
+class _AccessTokenStore(
+    _Store[
+        AccessTokenClaims,
+        AccessToken,
+        AccessTokenId,
+        models.AccessToken,
+    ]
+):
+    _table = models.AccessToken
+    _token_id = AccessTokenId
+    _token = AccessToken
+
+    def _from_db(
+        self,
+        record: models.AccessToken,
+        user_role: UserRole,
+    ) -> Tuple[AccessTokenId, AccessTokenClaims]:
+        token_id = AccessTokenId(record.id)
+        refresh_token_id = RefreshTokenId(record.refresh_token_id)
+        return token_id, AccessTokenClaims(
+            token_id=token_id,
+            subject=UserId(record.user_id),
+            issued_at=record.created_at,
+            expiration_time=record.expires_at,
+            attributes=AccessTokenAttributes(
+                user_role=user_role,
+                refresh_token_id=refresh_token_id,
+            ),
+        )
+
+    def _to_db(self, claim: AccessTokenClaims) -> models.AccessToken:
+        assert claim.expiration_time
+        assert claim.subject
+        user_id = int(claim.subject)
+        assert claim.attributes
+        refresh_token_id = int(claim.attributes.refresh_token_id)
+        return models.AccessToken(
+            user_id=user_id,
+            created_at=claim.issued_at,
+            expires_at=claim.expiration_time,
+            refresh_token_id=refresh_token_id,
+        )
+
+
+class _RefreshTokenStore(
+    _Store[
+        RefreshTokenClaims,
+        RefreshToken,
+        RefreshTokenId,
+        models.RefreshToken,
+    ]
+):
+    _table = models.RefreshToken
+    _token_id = RefreshTokenId
+    _token = RefreshToken
+
+    def _from_db(
+        self,
+        record: models.RefreshToken,
+        user_role: UserRole,
+    ) -> Tuple[RefreshTokenId, RefreshTokenClaims]:
+        token_id = RefreshTokenId(record.id)
+        return token_id, RefreshTokenClaims(
+            token_id=token_id,
+            subject=UserId(record.user_id),
+            issued_at=record.created_at,
+            expiration_time=record.expires_at,
+            attributes=RefreshTokenAttributes(
+                user_role=user_role,
+            ),
+        )
+
+    def _to_db(self, claims: RefreshTokenClaims) -> models.RefreshToken:
+        assert claims.expiration_time
+        assert claims.subject
+        user_id = int(claims.subject)
+        return models.RefreshToken(
+            user_id=user_id,
+            created_at=claims.issued_at,
+            expires_at=claims.expiration_time,
+        )
+
+    async def _update(self) -> None:
+        await super()._update()
+        if get_env_enable_prometheus():
+            from phoenix.server.prometheus import JWT_STORE_TOKENS_ACTIVE
+
+            JWT_STORE_TOKENS_ACTIVE.set(len(self._claims._cache))
+
+
+class _ApiKeyStore(
+    _Store[
+        ApiKeyClaims,
+        ApiKey,
+        ApiKeyId,
+        models.ApiKey,
+    ]
+):
+    _table = models.ApiKey
+    _token_id = ApiKeyId
+    _token = ApiKey
+
+    def _from_db(
+        self,
+        record: models.ApiKey,
+        user_role: UserRole,
+    ) -> Tuple[ApiKeyId, ApiKeyClaims]:
+        token_id = ApiKeyId(record.id)
+        return token_id, ApiKeyClaims(
+            token_id=token_id,
+            subject=UserId(record.user_id),
+            issued_at=record.created_at,
+            expiration_time=record.expires_at,
+            attributes=ApiKeyAttributes(
+                user_role=user_role,
+                name=record.name,
+                description=record.description,
+            ),
+        )
+
+    def _to_db(self, claims: ApiKeyClaims) -> models.ApiKey:
+        assert claims.attributes
+        assert claims.attributes.name
+        assert claims.subject
+        user_id = int(claims.subject)
+        return models.ApiKey(
+            user_id=user_id,
+            name=claims.attributes.name,
+            description=claims.attributes.description or None,
+            created_at=claims.issued_at,
+            expires_at=claims.expiration_time or None,
+        )
+
+    async def _update(self) -> None:
+        await super()._update()
+        if get_env_enable_prometheus():
+            from phoenix.server.prometheus import JWT_STORE_API_KEYS_ACTIVE
+
+            JWT_STORE_API_KEYS_ACTIVE.set(len(self._claims._cache))

phoenix/server/main.py

@@ -10,13 +10,15 @@ from time import sleep, time
 from typing import List, Optional
 from urllib.parse import urljoin
 
+from fastapi_mail import ConnectionConfig
 from jinja2 import BaseLoader, Environment
 from uvicorn import Config, Server
 
 import phoenix.trace.v1 as pb
 from phoenix.config import (
     EXPORT_DIR,
-    get_auth_settings,
+    get_env_access_token_expiry,
+    get_env_auth_settings,
     get_env_database_connection_str,
     get_env_database_schema,
     get_env_db_logging_level,
@@ -27,7 +29,16 @@ from phoenix.config import (
     get_env_log_migrations,
     get_env_logging_level,
     get_env_logging_mode,
+    get_env_oauth2_settings,
+    get_env_password_reset_token_expiry,
     get_env_port,
+    get_env_refresh_token_expiry,
+    get_env_smtp_hostname,
+    get_env_smtp_mail_from,
+    get_env_smtp_password,
+    get_env_smtp_port,
+    get_env_smtp_username,
+    get_env_smtp_validate_certs,
     get_pids_path,
 )
 from phoenix.core.model_schema_adapter import create_model_from_inferences
@@ -48,6 +59,7 @@ from phoenix.server.app import (
     create_engine_and_run_migrations,
     instrument_engine_if_enabled,
 )
+from phoenix.server.email.sender import EMAIL_TEMPLATE_FOLDER, FastMailSender
 from phoenix.server.types import DbSessionFactory
 from phoenix.settings import Settings
 from phoenix.trace.fixtures import (
@@ -83,6 +95,7 @@ _WELCOME_MESSAGE = Environment(loader=BaseLoader()).from_string("""
 |
 |  🚀 Phoenix Server 🚀
 |  Phoenix UI: {{ ui_path }}
+|  Authentication: {{ auth_enabled }}
 |  Log traces:
 |    - gRPC: {{ grpc_path }}
 |    - HTTP: {{ http_path }}
@@ -92,11 +105,6 @@ _WELCOME_MESSAGE = Environment(loader=BaseLoader()).from_string("""
 {% endif -%}
 """)
 
-_EXPERIMENTAL_WARNING = """
-🚨 WARNING: Phoenix is running in experimental mode. 🚨
-|  Authentication enabled: {auth_enabled}
-"""
-
 
 def _write_pid_file_when_ready(
     server: Server,
@@ -298,7 +306,7 @@ def main() -> None:
         reference_inferences,
     )
 
-    authentication_enabled, secret = get_auth_settings()
+    authentication_enabled, secret = get_env_auth_settings()
 
     fixture_spans: List[Span] = []
     fixture_evals: List[pb.Evaluation] = []
@@ -345,9 +353,8 @@ def main() -> None:
         http_path=urljoin(root_path, "v1/traces"),
         storage=get_printable_db_url(db_connection_str),
         schema=get_env_database_schema(),
+        auth_enabled=authentication_enabled,
     )
-    if authentication_enabled:
-        msg += _EXPERIMENTAL_WARNING.format(auth_enabled=True)
     if sys.platform.startswith("win"):
         msg = codecs.encode(msg, "ascii", errors="ignore").decode("ascii").strip()
     scaffolder_config = ScaffolderConfig(
@@ -357,6 +364,25 @@ def main() -> None:
         scaffold_datasets=scaffold_datasets,
         phoenix_url=root_path,
     )
+    email_sender = None
+    if mail_sever := get_env_smtp_hostname():
+        assert (mail_username := get_env_smtp_username()), "SMTP username is required"
+        assert (mail_password := get_env_smtp_password()), "SMTP password is required"
+        assert (mail_from := get_env_smtp_mail_from()), "SMTP mail_from is required"
+        email_sender = FastMailSender(
+            ConnectionConfig(
+                MAIL_USERNAME=mail_username,
+                MAIL_PASSWORD=mail_password,
+                MAIL_FROM=mail_from,
+                MAIL_SERVER=mail_sever,
+                MAIL_PORT=get_env_smtp_port(),
+                VALIDATE_CERTS=get_env_smtp_validate_certs(),
+                USE_CREDENTIALS=True,
+                MAIL_STARTTLS=True,
+                MAIL_SSL_TLS=False,
+                TEMPLATE_FOLDER=EMAIL_TEMPLATE_FOLDER,
+            )
+        )
     app = create_app(
         db=factory,
         export_path=export_path,
@@ -374,7 +400,12 @@ def main() -> None:
         startup_callbacks=[lambda: print(msg)],
         shutdown_callbacks=instrumentation_cleanups,
         secret=secret,
+        password_reset_token_expiry=get_env_password_reset_token_expiry(),
+        access_token_expiry=get_env_access_token_expiry(),
+        refresh_token_expiry=get_env_refresh_token_expiry(),
         scaffolder_config=scaffolder_config,
+        email_sender=email_sender,
+        oauth2_client_configs=get_env_oauth2_settings(),
     )
     server = Server(config=Config(app, host=host, port=port, root_path=host_root_path))  # type: ignore
     Thread(target=_write_pid_file_when_ready, args=(server,), daemon=True).start()

phoenix/server/oauth2.py

@@ -0,0 +1,51 @@
+from typing import Any, Dict, Iterable
+
+from authlib.integrations.base_client import BaseApp
+from authlib.integrations.base_client.async_app import AsyncOAuth2Mixin
+from authlib.integrations.base_client.async_openid import AsyncOpenIDMixin
+from authlib.integrations.httpx_client import AsyncOAuth2Client as AsyncHttpxOAuth2Client
+
+from phoenix.config import OAuth2ClientConfig
+
+
+class OAuth2Client(AsyncOAuth2Mixin, AsyncOpenIDMixin, BaseApp):  # type:ignore[misc]
+    """
+    An OAuth2 client class that supports OpenID Connect. Adapted from authlib's
+    `StarletteOAuth2App` to be useable without integration with Starlette.
+
+    https://github.com/lepture/authlib/blob/904d66bebd79bf39fb8814353a22bab7d3e092c4/authlib/integrations/starlette_client/apps.py#L58
+    """
+
+    client_cls = AsyncHttpxOAuth2Client
+
+    def __init__(self, *args: Any, **kwargs: Any) -> None:
+        super().__init__(framework=None, *args, **kwargs)
+
+
+class OAuth2Clients:
+    def __init__(self) -> None:
+        self._clients: Dict[str, OAuth2Client] = {}
+
+    def add_client(self, config: OAuth2ClientConfig) -> None:
+        if (idp_name := config.idp_name) in self._clients:
+            raise ValueError(f"oauth client already registered: {idp_name}")
+        client = OAuth2Client(
+            client_id=config.client_id,
+            client_secret=config.client_secret,
+            server_metadata_url=config.oidc_config_url,
+            client_kwargs={"scope": "openid email profile"},
+        )
+        assert isinstance(client, OAuth2Client)
+        self._clients[config.idp_name] = client
+
+    def get_client(self, idp_name: str) -> OAuth2Client:
+        if (client := self._clients.get(idp_name)) is None:
+            raise ValueError(f"unknown or unregistered OAuth2 client: {idp_name}")
+        return client
+
+    @classmethod
+    def from_configs(cls, configs: Iterable[OAuth2ClientConfig]) -> "OAuth2Clients":
+        oauth2_clients = cls()
+        for config in configs:
+            oauth2_clients.add_client(config)
+        return oauth2_clients

phoenix/server/prometheus.py

@@ -50,6 +50,26 @@ BULK_LOADER_EXCEPTIONS = Counter(
     documentation="Total count of bulk loader exceptions",
 )
 
+RATE_LIMITER_CACHE_SIZE = Gauge(
+    name="rate_limiter_cache_size",
+    documentation="Current size of the rate limiter cache",
+)
+
+RATE_LIMITER_THROTTLES = Counter(
+    name="rate_limiter_throttles_total",
+    documentation="Total count of rate limiter throttles",
+)
+
+JWT_STORE_TOKENS_ACTIVE = Gauge(
+    name="jwt_store_tokens_active",
+    documentation="Current number of refresh tokens in the JWT store",
+)
+
+JWT_STORE_API_KEYS_ACTIVE = Gauge(
+    name="jwt_store_api_keys_active",
+    documentation="Current number of API keys in the JWT store",
+)
+
 
 class PrometheusMiddleware(BaseHTTPMiddleware):
     async def dispatch(self, request: Request, call_next: RequestResponseEndpoint) -> Response: