Implement comprehensive OAuth2 improvements based on code review feedback

- Add custom OAuth2 error classes (OAuth2Error, OAuth2ConfigurationError, OAuth2AuthenticationError, OAuth2ValidationError) - Implement URL and scope validation in OAuth2Config using pydantic field_validator - Add retry mechanism with exponential backoff (3 attempts, 1s/2s/4s delays) to OAuth2TokenManager - Implement thread safety using threading.Lock for concurrent token access - Add provider validation in LLM integration with _validate_oauth2_provider method - Enhance testing with validation, retry, thread safety, and error class tests - Improve documentation with comprehensive error handling examples and feature descriptions - Maintain backward compatibility while significantly improving robustness and security Co-Authored-By: João <joao@crewai.com>
2026-01-22 14:48:13 +00:00 · 2025-07-07 18:10:30 +00:00
parent 03ee4c59eb
commit 4379ad26d1
7 changed files with 322 additions and 22 deletions
--- a/docs/oauth2_llm_providers.md
+++ b/docs/oauth2_llm_providers.md
@@ -2,6 +2,74 @@

 CrewAI supports OAuth2 authentication for custom LiteLLM providers through configuration files.

+## Features
+
+- **Automatic Token Management**: Handles OAuth2 token acquisition and refresh automatically
+- **Multiple Provider Support**: Configure multiple OAuth2 providers in a single configuration file
+- **Secure Credential Storage**: Keep OAuth2 credentials separate from your code
+- **Seamless Integration**: Works with existing LiteLLM provider configurations
+- **Error Handling**: Comprehensive error handling for authentication failures
+- **Retry Mechanism**: Automatic retry with exponential backoff for token acquisition
+- **Thread Safety**: Concurrent access protection for token caching
+- **Configuration Validation**: Automatic validation of URLs and scope formats
+
+## Error Handling
+
+The OAuth2 implementation provides specific error classes for different failure scenarios:
+
+### OAuth2ConfigurationError
+Raised when there are issues with the OAuth2 configuration:
+- Invalid configuration file format
+- Missing required fields
+- Unknown OAuth2 providers
+
+### OAuth2AuthenticationError  
+Raised when OAuth2 authentication fails:
+- Network errors during token acquisition
+- Invalid credentials
+- Token endpoint errors
+
+### OAuth2ValidationError
+Raised when configuration validation fails:
+- Invalid URL formats
+- Malformed scope values
+
+### Example Error Handling
+
+```python
+from crewai import LLM
+from crewai.llms.oauth2_errors import OAuth2ConfigurationError, OAuth2AuthenticationError
+
+try:
+    llm = LLM(
+        model="my_custom_provider/my-model",
+        oauth2_config_path="./litellm_config.json"
+    )
+    result = llm.call("test message")
+except OAuth2ConfigurationError as e:
+    print(f"Configuration error: {e}")
+except OAuth2AuthenticationError as e:
+    print(f"Authentication failed: {e}")
+    if e.original_error:
+        print(f"Original error: {e.original_error}")
+```
+
+## Configuration Validation
+
+The OAuth2 configuration is automatically validated:
+
+- **URL Validation**: `token_url` must be a valid HTTP/HTTPS URL
+- **Scope Validation**: `scope` cannot contain empty values when split by spaces
+- **Required Fields**: `client_id`, `client_secret`, `token_url`, and `provider_name` are required
+
+## Retry Mechanism
+
+Token acquisition includes automatic retry with exponential backoff:
+- 3 retry attempts by default
+- Exponential backoff: 1s, 2s, 4s delays
+- Detailed logging of retry attempts
+- Thread-safe token caching
+
 ## Configuration

 Create a `litellm_config.json` file in your project directory:
@@ -98,11 +166,12 @@ The `litellm_config.json` file should follow this schema:
 }
 ```

-## Error Handling
+## Legacy Error Handling

- If OAuth2 authentication fails, a `RuntimeError` will be raised with details
- Invalid configuration files will raise a `ValueError` with specifics
- Network errors during token acquisition are wrapped in `RuntimeError`
+For backward compatibility, the following error types are still supported:
+- OAuth2 authentication failures raise `OAuth2AuthenticationError` (previously `RuntimeError`)
+- Invalid configuration files raise `OAuth2ConfigurationError` (previously `ValueError`)
+- Network errors during token acquisition are wrapped in `OAuth2AuthenticationError`

 ## Examples