Support Device authorization with Okta (#3271)

* feat: support oauth2 config for authentication * refactor: improve OAuth2 settings management The CLI now supports seamless integration with other authentication providers, since the client_id, issue, domain are now manage by the user * feat: support okta Device Authorization flow * chore: resolve linter issues * test: fix tests * test: adding tests for auth providers * test: fix broken test * refator: adding WorkOS paramenters as default settings auth * chore: improve oauth2 attributes description * refactor: simplify WorkOS getting values * fix: ensure Auth0 parameters is set when overrinding default auth provider * chore: remove TODO Auth0 no longer provides default values --------- Co-authored-by: Heitor Carvalho <heitor.scz@gmail.com>
2026-01-11 09:08:31 +00:00 · 2025-08-05 13:16:21 -03:00
parent 0b31bbe957
commit 66567bdc2f
15 changed files with 548 additions and 83 deletions
--- a/src/crewai/cli/authentication/constants.py
+++ b/src/crewai/cli/authentication/constants.py
@@ -1,8 +1,6 @@
 ALGORITHMS = ["RS256"]
+
+#TODO: The AUTH0 constants should be removed after WorkOS migration is completed
 AUTH0_DOMAIN = "crewai.us.auth0.com"
 AUTH0_CLIENT_ID = "DEVC5Fw6NlRoSzmDCcOhVq85EfLBjKa8"
 AUTH0_AUDIENCE = "https://crewai.us.auth0.com/api/v2/"
-
-WORKOS_DOMAIN = "login.crewai.com"
-WORKOS_CLI_CONNECT_APP_ID = "client_01JYT06R59SP0NXYGD994NFXXX"
-WORKOS_ENVIRONMENT_ID = "client_01JNJQWBJ4SPFN3SWJM5T7BDG8"
--- a/src/crewai/cli/authentication/main.py
+++ b/src/crewai/cli/authentication/main.py
@@ -1,76 +1,92 @@
 import time
 import webbrowser
-from typing import Any, Dict
+from typing import Any, Dict, Optional

 import requests
 from rich.console import Console
+from pydantic import BaseModel, Field

-from .constants import (
-    AUTH0_AUDIENCE,
-    AUTH0_CLIENT_ID,
-    AUTH0_DOMAIN,
-    WORKOS_DOMAIN,
-    WORKOS_CLI_CONNECT_APP_ID,
-    WORKOS_ENVIRONMENT_ID,
-)

 from .utils import TokenManager, validate_jwt_token
 from urllib.parse import quote
 from crewai.cli.plus_api import PlusAPI
 from crewai.cli.config import Settings
+from crewai.cli.authentication.constants import (
+    AUTH0_AUDIENCE,
+    AUTH0_CLIENT_ID,
+    AUTH0_DOMAIN,
+)

 console = Console()


+class Oauth2Settings(BaseModel):
+    provider: str = Field(description="OAuth2 provider used for authentication (e.g., workos, okta, auth0).")
+    client_id: str = Field(description="OAuth2 client ID issued by the provider, used during authentication requests.")
+    domain: str = Field(description="OAuth2 provider's domain (e.g., your-org.auth0.com) used for issuing tokens.")
+    audience: Optional[str] = Field(description="OAuth2 audience value, typically used to identify the target API or resource.", default=None)
+
+    @classmethod
+    def from_settings(cls):
+        settings = Settings()
+
+        return cls(
+            provider=settings.oauth2_provider,
+            domain=settings.oauth2_domain,
+            client_id=settings.oauth2_client_id,
+            audience=settings.oauth2_audience,
+        )
+
+
+class ProviderFactory:
+    @classmethod
+    def from_settings(cls, settings: Optional[Oauth2Settings] = None):
+        settings = settings or Oauth2Settings.from_settings()
+
+        import importlib
+        module = importlib.import_module(f"crewai.cli.authentication.providers.{settings.provider.lower()}")
+        provider = getattr(module, f"{settings.provider.capitalize()}Provider")
+
+        return provider(settings)
+
 class AuthenticationCommand:
-    AUTH0_DEVICE_CODE_URL = f"https://{AUTH0_DOMAIN}/oauth/device/code"
-    AUTH0_TOKEN_URL = f"https://{AUTH0_DOMAIN}/oauth/token"
-
-    WORKOS_DEVICE_CODE_URL = f"https://{WORKOS_DOMAIN}/oauth2/device_authorization"
-    WORKOS_TOKEN_URL = f"https://{WORKOS_DOMAIN}/oauth2/token"
-
    def __init__(self):
        self.token_manager = TokenManager()
-        # TODO: WORKOS - This variable is temporary until migration to WorkOS is complete.
-        self.user_provider = "workos"
+        self.oauth2_provider = ProviderFactory.from_settings()

    def login(self) -> None:
        """Sign up to CrewAI+"""
-
-        device_code_url = self.WORKOS_DEVICE_CODE_URL
-        token_url = self.WORKOS_TOKEN_URL
-        client_id = WORKOS_CLI_CONNECT_APP_ID
-        audience = None
-
        console.print("Signing in to CrewAI Enterprise...\n", style="bold blue")

        # TODO: WORKOS - Next line and conditional are temporary until migration to WorkOS is complete.
        user_provider = self._determine_user_provider()
        if user_provider == "auth0":
-            device_code_url = self.AUTH0_DEVICE_CODE_URL
-            token_url = self.AUTH0_TOKEN_URL
-            client_id = AUTH0_CLIENT_ID
-            audience = AUTH0_AUDIENCE
-            self.user_provider = "auth0"
+            settings = Oauth2Settings(
+                provider="auth0",
+                client_id=AUTH0_CLIENT_ID,
+                domain=AUTH0_DOMAIN,
+                audience=AUTH0_AUDIENCE
+            )
+            self.oauth2_provider = ProviderFactory.from_settings(settings)
        # End of temporary code.

-        device_code_data = self._get_device_code(client_id, device_code_url, audience)
+        device_code_data = self._get_device_code()
        self._display_auth_instructions(device_code_data)

-        return self._poll_for_token(device_code_data, client_id, token_url)
+        return self._poll_for_token(device_code_data)

    def _get_device_code(
-        self, client_id: str, device_code_url: str, audience: str | None = None
+        self
    ) -> Dict[str, Any]:
        """Get the device code to authenticate the user."""

        device_code_payload = {
-            "client_id": client_id,
+            "client_id": self.oauth2_provider.get_client_id(),
            "scope": "openid",
-            "audience": audience,
+            "audience": self.oauth2_provider.get_audience(),
        }
        response = requests.post(
-            url=device_code_url, data=device_code_payload, timeout=20
+            url=self.oauth2_provider.get_authorize_url(), data=device_code_payload, timeout=20
        )
        response.raise_for_status()
        return response.json()
@@ -82,21 +98,21 @@ class AuthenticationCommand:
        webbrowser.open(device_code_data["verification_uri_complete"])

    def _poll_for_token(
-        self, device_code_data: Dict[str, Any], client_id: str, token_poll_url: str
+        self, device_code_data: Dict[str, Any]
    ) -> None:
        """Polls the server for the token until it is received, or max attempts are reached."""

        token_payload = {
            "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
            "device_code": device_code_data["device_code"],
-            "client_id": client_id,
+            "client_id": self.oauth2_provider.get_client_id(),
        }

        console.print("\nWaiting for authentication... ", style="bold blue", end="")

        attempts = 0
        while True and attempts < 10:
-            response = requests.post(token_poll_url, data=token_payload, timeout=30)
+            response = requests.post(self.oauth2_provider.get_token_url(), data=token_payload, timeout=30)
            token_data = response.json()

            if response.status_code == 200:
@@ -128,19 +144,14 @@ class AuthenticationCommand:
        """Validates the JWT token and saves the token to the token manager."""

        jwt_token = token_data["access_token"]
+        issuer = self.oauth2_provider.get_issuer()
        jwt_token_data = {
            "jwt_token": jwt_token,
-            "jwks_url": f"https://{WORKOS_DOMAIN}/oauth2/jwks",
-            "issuer": f"https://{WORKOS_DOMAIN}",
-            "audience": WORKOS_ENVIRONMENT_ID,
+            "jwks_url": self.oauth2_provider.get_jwks_url(),
+            "issuer": issuer,
+            "audience": self.oauth2_provider.get_audience(),
        }

-        # TODO: WORKOS - The following conditional is temporary until migration to WorkOS is complete.
-        if self.user_provider == "auth0":
-            jwt_token_data["jwks_url"] = f"https://{AUTH0_DOMAIN}/.well-known/jwks.json"
-            jwt_token_data["issuer"] = f"https://{AUTH0_DOMAIN}/"
-            jwt_token_data["audience"] = AUTH0_AUDIENCE
-
        decoded_token = validate_jwt_token(**jwt_token_data)

        expires_at = decoded_token.get("exp", 0)
--- a/src/crewai/cli/authentication/providers/auth0.py
+++ b/src/crewai/cli/authentication/providers/auth0.py
@@ -0,0 +1,26 @@
+from crewai.cli.authentication.providers.base_provider import BaseProvider
+
+class Auth0Provider(BaseProvider):
+    def get_authorize_url(self) -> str:
+        return f"https://{self._get_domain()}/oauth/device/code"
+
+    def get_token_url(self) -> str:
+        return f"https://{self._get_domain()}/oauth/token"
+
+    def get_jwks_url(self) -> str:
+        return f"https://{self._get_domain()}/.well-known/jwks.json"
+
+    def get_issuer(self) -> str:
+        return f"https://{self._get_domain()}/"
+
+    def get_audience(self) -> str:
+        assert self.settings.audience is not None, "Audience is required"
+        return self.settings.audience
+
+    def get_client_id(self) -> str:
+        assert self.settings.client_id is not None, "Client ID is required"
+        return self.settings.client_id
+
+    def _get_domain(self) -> str:
+        assert self.settings.domain is not None, "Domain is required"
+        return self.settings.domain
--- a/src/crewai/cli/authentication/providers/base_provider.py
+++ b/src/crewai/cli/authentication/providers/base_provider.py
@@ -0,0 +1,30 @@
+from abc import ABC, abstractmethod
+from crewai.cli.authentication.main import Oauth2Settings
+
+class BaseProvider(ABC):
+    def __init__(self, settings: Oauth2Settings):
+        self.settings = settings
+
+    @abstractmethod
+    def get_authorize_url(self) -> str:
+        ...
+
+    @abstractmethod
+    def get_token_url(self) -> str:
+        ...
+
+    @abstractmethod
+    def get_jwks_url(self) -> str:
+        ...
+
+    @abstractmethod
+    def get_issuer(self) -> str:
+        ...
+
+    @abstractmethod
+    def get_audience(self) -> str:
+        ...
+
+    @abstractmethod
+    def get_client_id(self) -> str:
+        ...
--- a/src/crewai/cli/authentication/providers/okta.py
+++ b/src/crewai/cli/authentication/providers/okta.py
@@ -0,0 +1,22 @@
+from crewai.cli.authentication.providers.base_provider import BaseProvider
+
+class OktaProvider(BaseProvider):
+    def get_authorize_url(self) -> str:
+        return f"https://{self.settings.domain}/oauth2/default/v1/device/authorize"
+
+    def get_token_url(self) -> str:
+        return f"https://{self.settings.domain}/oauth2/default/v1/token"
+
+    def get_jwks_url(self) -> str:
+        return f"https://{self.settings.domain}/oauth2/default/v1/keys"
+
+    def get_issuer(self) -> str:
+        return f"https://{self.settings.domain}/oauth2/default"
+
+    def get_audience(self) -> str:
+        assert self.settings.audience is not None
+        return self.settings.audience
+
+    def get_client_id(self) -> str:
+        assert self.settings.client_id is not None
+        return self.settings.client_id
--- a/src/crewai/cli/authentication/providers/workos.py
+++ b/src/crewai/cli/authentication/providers/workos.py
@@ -0,0 +1,25 @@
+from crewai.cli.authentication.providers.base_provider import BaseProvider
+
+class WorkosProvider(BaseProvider):
+    def get_authorize_url(self) -> str:
+        return f"https://{self._get_domain()}/oauth2/device_authorization"
+
+    def get_token_url(self) -> str:
+        return f"https://{self._get_domain()}/oauth2/token"
+
+    def get_jwks_url(self) -> str:
+        return f"https://{self._get_domain()}/oauth2/jwks"
+
+    def get_issuer(self) -> str:
+        return f"https://{self._get_domain()}"
+
+    def get_audience(self) -> str:
+        return self.settings.audience or ""
+
+    def get_client_id(self) -> str:
+        assert self.settings.client_id is not None, "Client ID is required"
+        return self.settings.client_id
+
+    def _get_domain(self) -> str:
+        assert self.settings.domain is not None, "Domain is required"
+        return self.settings.domain
--- a/src/crewai/cli/config.py
+++ b/src/crewai/cli/config.py
@@ -4,7 +4,13 @@ from typing import Optional

 from pydantic import BaseModel, Field

-from crewai.cli.constants import DEFAULT_CREWAI_ENTERPRISE_URL
+from crewai.cli.constants import (
+    DEFAULT_CREWAI_ENTERPRISE_URL,
+    CREWAI_ENTERPRISE_DEFAULT_OAUTH2_PROVIDER,
+    CREWAI_ENTERPRISE_DEFAULT_OAUTH2_AUDIENCE,
+    CREWAI_ENTERPRISE_DEFAULT_OAUTH2_CLIENT_ID,
+    CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN,
+)

 DEFAULT_CONFIG_PATH = Path.home() / ".config" / "crewai" / "settings.json"

@@ -19,11 +25,19 @@ USER_SETTINGS_KEYS = [
 # Settings that are related to the CLI
 CLI_SETTINGS_KEYS = [
    "enterprise_base_url",
+    "oauth2_provider",
+    "oauth2_audience",
+    "oauth2_client_id",
+    "oauth2_domain",
 ]

 # Default values for CLI settings
 DEFAULT_CLI_SETTINGS = {
    "enterprise_base_url": DEFAULT_CREWAI_ENTERPRISE_URL,
+    "oauth2_provider": CREWAI_ENTERPRISE_DEFAULT_OAUTH2_PROVIDER,
+    "oauth2_audience": CREWAI_ENTERPRISE_DEFAULT_OAUTH2_AUDIENCE,
+    "oauth2_client_id": CREWAI_ENTERPRISE_DEFAULT_OAUTH2_CLIENT_ID,
+    "oauth2_domain": CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN,
 }

 # Readonly settings - cannot be set by the user
@@ -39,10 +53,9 @@ HIDDEN_SETTINGS_KEYS = [
    "tool_repository_password",
 ]

-
 class Settings(BaseModel):
    enterprise_base_url: Optional[str] = Field(
-        default=DEFAULT_CREWAI_ENTERPRISE_URL,
+        default=DEFAULT_CLI_SETTINGS["enterprise_base_url"],
        description="Base URL of the CrewAI Enterprise instance",
    )
    tool_repository_username: Optional[str] = Field(
@@ -59,6 +72,26 @@ class Settings(BaseModel):
    )
    config_path: Path = Field(default=DEFAULT_CONFIG_PATH, frozen=True, exclude=True)

+    oauth2_provider: str = Field(
+        description="OAuth2 provider used for authentication (e.g., workos, okta, auth0).",
+        default=DEFAULT_CLI_SETTINGS["oauth2_provider"]
+    )
+
+    oauth2_audience: Optional[str] = Field(
+        description="OAuth2 audience value, typically used to identify the target API or resource.",
+        default=DEFAULT_CLI_SETTINGS["oauth2_audience"]
+    )
+
+    oauth2_client_id: str = Field(
+        default=DEFAULT_CLI_SETTINGS["oauth2_client_id"],
+        description="OAuth2 client ID issued by the provider, used during authentication requests.",
+    )
+
+    oauth2_domain: str = Field(
+        description="OAuth2 provider's domain (e.g., your-org.auth0.com) used for issuing tokens.",
+        default=DEFAULT_CLI_SETTINGS["oauth2_domain"]
+    )
+
    def __init__(self, config_path: Path = DEFAULT_CONFIG_PATH, **data):
        """Load Settings from config path"""
        config_path.parent.mkdir(parents=True, exist_ok=True)
@@ -105,4 +138,4 @@ class Settings(BaseModel):
    def _reset_cli_settings(self) -> None:
        """Reset all CLI settings to default values"""
        for key in CLI_SETTINGS_KEYS:
-            setattr(self, key, DEFAULT_CLI_SETTINGS[key])
+            setattr(self, key, DEFAULT_CLI_SETTINGS.get(key))
--- a/src/crewai/cli/constants.py
+++ b/src/crewai/cli/constants.py
@@ -1,4 +1,8 @@
 DEFAULT_CREWAI_ENTERPRISE_URL = "https://app.crewai.com"
+CREWAI_ENTERPRISE_DEFAULT_OAUTH2_PROVIDER = "workos"
+CREWAI_ENTERPRISE_DEFAULT_OAUTH2_AUDIENCE = "client_01JNJQWBJ4SPFN3SWJM5T7BDG8"
+CREWAI_ENTERPRISE_DEFAULT_OAUTH2_CLIENT_ID = "client_01JYT06R59SP0NXYGD994NFXXX"
+CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN = "login.crewai.com"

 ENV_VARS = {
    "openai": [