Gateway authentication
You can require authentication when someone attempts a connection to produce, consume, and chat gateways.
To fully implement this, there is quite a bit left up to the developer. The focus of gateway authentication is to provide transportation and validation. An identity provider facilitates authentication through a series of handshakes based on a provided token. Someone wanting to produce or consume a message provides an id that was created by the identity provider. The gateway handshakes with the identity provider using the provided token. Use parameters, headers, and clientId to configure the gateway to successfully handshake.
This authentication example application provides more explanation and a working example.
Example gateways.yaml
This gateway manifest is selectively adding authentication to the user-input and bot-output gateways.
The gateways are filtering messages by two key-value pairs in the message headers: the sessionID parameter value, and the "subject" value from the langstream-client-user-id key.sessionId
is a UUID generated by the CLI at runtime. Here, let's assume sessionId=123.
value-from-parameters
defines what value is being used for filtering. Since it's sessionId, the sessionId value is 123.
Once a parameter is defined for a gateway, that parameter is required for every subsequent connection.
The producer will produce to the questions-topic
with two header values:
langstream-client-session-id,
with the arbitrary value "123" from the gateway parameterslangstream-client-user-id
with the "subject" value from Google authentication
The consumer will watch for messages with these values in the headers on the questions-topic
.
Google authentication
Set provider: google
to use a Google client ID to authenticate LangStream gateway connections.
The Google field that is exposed for authentication is "subject".
Follow the “Get your Google API client ID” guide to create your client ID.
The Google client ID looks like this:
To set it as a secret env variable:
Github authentication
Set provider: github
to use a GitHub login to authenticate LangStream gateway connections.
The Github field that is exposed for authentication is "login".
Follow the “Building a "Login with GitHub" button with a GitHub App” guide to create your login.
Configuration
provider
string
The name of the identity provider. Supported values are:
“google”
“github”
configuration
Map
clientId
string
The token to use for interacting with the given identity provider. Typically this is a pointer to a secret.
Example: clientId: "${secrets.google.client-id}"
Last updated