Comment on page
Gateway authentication
You can require authentication when someone attempts a connection to produce, consume, and chat gateways.
To fully implement this, there is quite a bit left up to the developer. The focus of gateway authentication is to provide transportation and validation. An identity provider facilitates authentication through a series of handshakes based on a provided token. Someone wanting to produce or consume a message provides an id that was created by the identity provider. The gateway handshakes with the identity provider using the provided token. Use parameters, headers, and clientId to configure the gateway to successfully handshake.
This gateway manifest is selectively adding authentication to the user-input and bot-output gateways.
The gateways are filtering messages by two key-value pairs in the message headers: the sessionID parameter value, and the "subject" value from the langstream-client-user-id key.
sessionId is a UUID generated by the CLI at runtime. Here, let's assume sessionId=123.value-from-parameters defines what value is being used for filtering. Since it's sessionId, the sessionId value is 123.Once a parameter is defined for a gateway, that parameter is required for every subsequent connection.
The producer will produce to the
questions-topic with two header values:- 1.
langstream-client-session-id,with the arbitrary value "123" from the gateway parameters - 2.
langstream-client-user-idwith the "subject" value from Google authentication
The consumer will watch for messages with these values in the headers on the
questions-topic.gateways:
- id: "user-input"
type: produce
topic: "questions-topic"
parameters:
- sessionId
authentication:
provider: google
configuration:
clientId: "{{ secrets.google.client-id }}"
produce-options:
headers:
- key: langstream-client-user-id
value-from-authentication: subject
- key: langstream-client-session-id
value-from-parameters: sessionId
- id: "bot-output"
type: consume
topic: "questions-topic"
parameters:
- sessionId
authentication:
provider: google
configuration:
clientId: "{{ secrets.google.client-id }}"
produce-options:
headers:
- key: langstream-client-user-id
value-from-authentication: subject
- key: langstream-client-session-id
value-from-parameters: sessionId
Set
provider: google to use a Google client ID to authenticate LangStream gateway connections.The Google field that is exposed for authentication is "subject".
The Google client ID looks like this:
99840107278-4363876v0hker43roujaubqom5g07or8.apps.googleusercontent.com
To set it as a secret env variable:
export GOOGLE_CLIENT_ID=99840107278-4363876v0hker43roujaubqom5g07or8.apps.googleusercontent.com
Set
provider: github to use a GitHub login to authenticate LangStream gateway connections.The Github field that is exposed for authentication is "login".
Label | Type | Description |
|---|---|---|
provider | string | The name of the identity provider. Supported values are:
|
configuration |
Map | For the github provider, follow the “Building a "Login with GitHub" button with a GitHub App” guide. |
clientId
| string | The token to use for interacting with the given identity provider. Typically this is a pointer to a secret. Example: clientId: "${secrets.google.client-id}" |
Last modified 28d ago