[ML-62918] Auto-detect OBO endpoints and forward user token#145
Merged
[ML-62918] Auto-detect OBO endpoints and forward user token#145
Conversation
dhruv0811
force-pushed
the
obo-auto-detection
branch
from
eb21e57 to
0e82c5b
Compare
dhruv0811
changed the title
bbqiu
reviewed
Mar 12, 2026
dhruv0811
commented
Mar 17, 2026
bbqiu
reviewed
Mar 19, 2026
bbqiu
reviewed
Mar 19, 2026
e2e-chatbot-app-next/packages/ai-sdk-providers/src/providers-server.ts
Outdated
Show resolved
Hide resolved
bbqiu
reviewed
Mar 19, 2026
bbqiu
reviewed
Mar 19, 2026
e2e-chatbot-app-next/packages/ai-sdk-providers/src/providers-server.ts
Outdated
Show resolved
Hide resolved
bbqiu
reviewed
Mar 19, 2026
Contributor
bbqiu
left a comment
bbqiu
left a comment
There was a problem hiding this comment.
overall looks great! just a few nits to address, sorry for the dealy in reviewing
Contributor
Author
|
New SA banner: All the same configuration as the PR summary also still work, comments addressed. |
bbqiu
reviewed
Mar 20, 2026
dhruv0811
force-pushed
the
obo-auto-detection
branch
2 times, most recently
from
c757dbd to
f9bc45d
Compare
When the serving endpoint has auth_policy.user_auth_policy.api_scopes (OBO-enabled), the chat template now: 1. Detects OBO via the serving-endpoints API response 2. Logs a warning with required scopes for the user to configure 3. Exposes OBO status via GET /api/config 4. Forwards x-forwarded-access-token header to the endpoint Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When the serving endpoint has OBO scopes (auth_policy.user_auth_policy), display an amber badge in the chat header listing the required scopes and linking to the auth docs. Also notes that UC function scopes are not yet supported. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Always include serving.serving-endpoints in required OBO scopes - Detect Supervisor Agents via tile_endpoint_metadata.problem_type - Decode user JWT server-side to check which scopes are present - Only show banner for MISSING scopes (disappears when all configured) - Parent scope matching (e.g. "sql" satisfies "sql.statement-execution") - Full-width red banner with error icon and doc link - Use user's OBO token as Authorization when endpoint supports OBO - Remove debug logging Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Supervisor Agents may require scopes beyond serving.serving-endpoints for their downstream tools (Genie, SQL, etc.). Full scope discovery for SAs is not yet available. Updated banner and log to communicate this limitation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…docs link - Always use user token for Authorization when present (remove cachedOboEnabled) - Keep x-forwarded-access-token header for downstream agent apps - Store isSupervisorAgent in cache to fix broken length === 0 detection - Update docs link to specific OBO section Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dhruv0811
force-pushed
the
obo-auto-detection
branch
from
f9bc45d to
e1ca982
Compare
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
bbqiu
reviewed
Mar 23, 2026
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
bbqiu
reviewed
Mar 23, 2026
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
bbqiu
reviewed
Mar 23, 2026
bbqiu
reviewed
Mar 23, 2026
- Rename enabled -> isEndpointOboEnabled, requiredScopes -> endpointRequiredScopes - Add tests: OBO scope detection, missing/present scopes, parent scope matching - SA-aware mock handler for supervisor agent testing Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Only expose missingScopes and isSupervisorAgent in the JSON response. isEndpointOboEnabled and endpointRequiredScopes are kept server-side only as implementation details. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Banner visible when user token lacks required scopes - Banner shows correct scope names and Learn more link - Banner hidden when user token has all required scopes Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Export clearEndpointDetailsCache for test cache busting - Add /api/test/set-supervisor-mode endpoint to toggle SA mock - Add e2e test verifying SA-specific banner messaging Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
bbqiu
reviewed
Mar 23, 2026
| // If the user's OBO token is present, use it for Authorization so the | ||
| // endpoint sees the user's identity. Keep the header around so | ||
| // downstream agent apps can also read it directly. | ||
| const userToken = headers.get('x-forwarded-access-token'); |
Contributor
There was a problem hiding this comment.
let's test that:
- if given a user token, we fwd that along to the backend
- the header is not stripped even if given a user token
bbqiu
approved these changes
Mar 23, 2026
Contributor
bbqiu
left a comment
bbqiu
left a comment
There was a problem hiding this comment.
overall looks great! feel free to merge after codifying that behaviro for user tokens
Verify that: 1. User token from x-forwarded-access-token is used for Authorization 2. x-forwarded-access-token header is kept (not stripped) 3. SP token is used when no user token is present Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Auto-detect OBO-enabled serving endpoints and surface scope configuration to the user.
This is a followup to #152 which only addressed the Agents on Apps token forwarding. In this PR, we also address apps connected directly to a model serving endpoint.
Detection:
auth_policy.user_auth_policy.api_scopes(custom endpoints) ortile_endpoint_metadata.problem_type === "MULTI_AGENT_SUPERVISOR"(Supervisor Agents)serving.serving-endpointsin required scopes (needed to call the endpoint as the user)Token forwarding:
Authorizationheader with the user'sx-forwarded-access-tokenso the endpoint sees the user's identityx-forwarded-access-tokenthroughstreamTextheaders in the chat routeSmart banner:
sqlsatisfiessql.statement-executionandsql.warehousesGET /api/config→obo.missingScopesNote: UC function scopes are not yet supported in the Apps scope configuration UI.
No scopes enabled on app connected to serving endpoint that requires scopes:
Logs:
After adding partially required scopes (error message updates after checking whats on the token):
After adding ALL required scopes:
Still works for OBO on Agents on Apps:
