Gateway authentication
Last updated
Last updated
You can require authentication when someone attempts a connection to produce, consume, and chat gateways.
To fully implement this, there is quite a bit left up to the developer. The focus of gateway authentication is to provide transportation and validation. An identity provider facilitates authentication through a series of handshakes based on a provided token. Someone wanting to produce or consume a message provides an id that was created by the identity provider. The gateway handshakes with the identity provider using the provided token. Use parameters, headers, and clientId to configure the gateway to successfully handshake.
application provides more explanation and a working example.
This gateway manifest is selectively adding authentication to the user-input and bot-output gateways.
The gateways are filtering messages by two key-value pairs in the message headers: the sessionID parameter value, and the "subject" value from the langstream-client-user-id key.sessionId
is a UUID generated by the CLI at runtime. Here, let's assume sessionId=123.
value-from-parameters
defines what value is being used for filtering. Since it's sessionId, the sessionId value is 123.
The producer will produce to the questions-topic
with two header values:
langstream-client-session-id,
with the arbitrary value "123" from the gateway parameters
langstream-client-user-id
with the "subject" value from Google authentication
The consumer will watch for messages with these values in the headers on the questions-topic
.
Set provider: google
to use a Google client ID to authenticate LangStream gateway connections.
The Google field that is exposed for authentication is "subject".
The Google client ID looks like this:
To set it as a secret env variable:
Set provider: github
to use a GitHub login to authenticate LangStream gateway connections.
The Github field that is exposed for authentication is "login".
provider
string
The name of the identity provider. Supported values are:
βgoogleβ
βgithubβ
configuration
Map
clientId
string
The token to use for interacting with the given identity provider. Typically this is a pointer to a secret.
Example: clientId: "${secrets.google.client-id}"
Follow the ββ guide to create your client ID.
Follow the ββ guide to create your login.
For the google provider, follow the ββ guide.
For the github provider, follow the ββ guide.