Support Device authorization with Okta (#3271)

* feat: support oauth2 config for authentication * refactor: improve OAuth2 settings management The CLI now supports seamless integration with other authentication providers, since the client_id, issue, domain are now manage by the user * feat: support okta Device Authorization flow * chore: resolve linter issues * test: fix tests * test: adding tests for auth providers * test: fix broken test * refator: adding WorkOS paramenters as default settings auth * chore: improve oauth2 attributes description * refactor: simplify WorkOS getting values * fix: ensure Auth0 parameters is set when overrinding default auth provider * chore: remove TODO Auth0 no longer provides default values --------- Co-authored-by: Heitor Carvalho <heitor.scz@gmail.com>
2026-01-09 16:18:30 +00:00 · 2025-08-05 13:16:21 -03:00
parent 0b31bbe957
commit 66567bdc2f
15 changed files with 548 additions and 83 deletions
--- a/tests/cli/authentication/providers/init.py
+++ b/tests/cli/authentication/providers/init.py
--- a/tests/cli/authentication/providers/test_auth0.py
+++ b/tests/cli/authentication/providers/test_auth0.py
@@ -0,0 +1,91 @@
+import pytest
+from crewai.cli.authentication.main import Oauth2Settings
+from crewai.cli.authentication.providers.auth0 import Auth0Provider
+
+
+
+class TestAuth0Provider:
+
+    @pytest.fixture(autouse=True)
+    def setup_method(self):
+        self.valid_settings = Oauth2Settings(
+            provider="auth0",
+            domain="test-domain.auth0.com",
+            client_id="test-client-id",
+            audience="test-audience"
+        )
+        self.provider = Auth0Provider(self.valid_settings)
+
+    def test_initialization_with_valid_settings(self):
+        provider = Auth0Provider(self.valid_settings)
+        assert provider.settings == self.valid_settings
+        assert provider.settings.provider == "auth0"
+        assert provider.settings.domain == "test-domain.auth0.com"
+        assert provider.settings.client_id == "test-client-id"
+        assert provider.settings.audience == "test-audience"
+
+    def test_get_authorize_url(self):
+        expected_url = "https://test-domain.auth0.com/oauth/device/code"
+        assert self.provider.get_authorize_url() == expected_url
+
+    def test_get_authorize_url_with_different_domain(self):
+        settings = Oauth2Settings(
+            provider="auth0",
+            domain="my-company.auth0.com",
+            client_id="test-client",
+            audience="test-audience"
+        )
+        provider = Auth0Provider(settings)
+        expected_url = "https://my-company.auth0.com/oauth/device/code"
+        assert provider.get_authorize_url() == expected_url
+
+    def test_get_token_url(self):
+        expected_url = "https://test-domain.auth0.com/oauth/token"
+        assert self.provider.get_token_url() == expected_url
+
+    def test_get_token_url_with_different_domain(self):
+        settings = Oauth2Settings(
+            provider="auth0",
+            domain="another-domain.auth0.com",
+            client_id="test-client",
+            audience="test-audience"
+        )
+        provider = Auth0Provider(settings)
+        expected_url = "https://another-domain.auth0.com/oauth/token"
+        assert provider.get_token_url() == expected_url
+
+    def test_get_jwks_url(self):
+        expected_url = "https://test-domain.auth0.com/.well-known/jwks.json"
+        assert self.provider.get_jwks_url() == expected_url
+
+    def test_get_jwks_url_with_different_domain(self):
+        settings = Oauth2Settings(
+            provider="auth0",
+            domain="dev.auth0.com",
+            client_id="test-client",
+            audience="test-audience"
+        )
+        provider = Auth0Provider(settings)
+        expected_url = "https://dev.auth0.com/.well-known/jwks.json"
+        assert provider.get_jwks_url() == expected_url
+
+    def test_get_issuer(self):
+        expected_issuer = "https://test-domain.auth0.com/"
+        assert self.provider.get_issuer() == expected_issuer
+
+    def test_get_issuer_with_different_domain(self):
+        settings = Oauth2Settings(
+            provider="auth0",
+            domain="prod.auth0.com",
+            client_id="test-client",
+            audience="test-audience"
+        )
+        provider = Auth0Provider(settings)
+        expected_issuer = "https://prod.auth0.com/"
+        assert provider.get_issuer() == expected_issuer
+
+    def test_get_audience(self):
+        assert self.provider.get_audience() == "test-audience"
+
+    def test_get_client_id(self):
+        assert self.provider.get_client_id() == "test-client-id"
--- a/tests/cli/authentication/providers/test_okta.py
+++ b/tests/cli/authentication/providers/test_okta.py
@@ -0,0 +1,102 @@
+import pytest
+from crewai.cli.authentication.main import Oauth2Settings
+from crewai.cli.authentication.providers.okta import OktaProvider
+
+
+class TestOktaProvider:
+
+    @pytest.fixture(autouse=True)
+    def setup_method(self):
+        self.valid_settings = Oauth2Settings(
+            provider="okta",
+            domain="test-domain.okta.com",
+            client_id="test-client-id",
+            audience="test-audience"
+        )
+        self.provider = OktaProvider(self.valid_settings)
+
+    def test_initialization_with_valid_settings(self):
+        provider = OktaProvider(self.valid_settings)
+        assert provider.settings == self.valid_settings
+        assert provider.settings.provider == "okta"
+        assert provider.settings.domain == "test-domain.okta.com"
+        assert provider.settings.client_id == "test-client-id"
+        assert provider.settings.audience == "test-audience"
+
+    def test_get_authorize_url(self):
+        expected_url = "https://test-domain.okta.com/oauth2/default/v1/device/authorize"
+        assert self.provider.get_authorize_url() == expected_url
+
+    def test_get_authorize_url_with_different_domain(self):
+        settings = Oauth2Settings(
+            provider="okta",
+            domain="my-company.okta.com",
+            client_id="test-client",
+            audience="test-audience"
+        )
+        provider = OktaProvider(settings)
+        expected_url = "https://my-company.okta.com/oauth2/default/v1/device/authorize"
+        assert provider.get_authorize_url() == expected_url
+
+    def test_get_token_url(self):
+        expected_url = "https://test-domain.okta.com/oauth2/default/v1/token"
+        assert self.provider.get_token_url() == expected_url
+
+    def test_get_token_url_with_different_domain(self):
+        settings = Oauth2Settings(
+            provider="okta",
+            domain="another-domain.okta.com",
+            client_id="test-client",
+            audience="test-audience"
+        )
+        provider = OktaProvider(settings)
+        expected_url = "https://another-domain.okta.com/oauth2/default/v1/token"
+        assert provider.get_token_url() == expected_url
+
+    def test_get_jwks_url(self):
+        expected_url = "https://test-domain.okta.com/oauth2/default/v1/keys"
+        assert self.provider.get_jwks_url() == expected_url
+
+    def test_get_jwks_url_with_different_domain(self):
+        settings = Oauth2Settings(
+            provider="okta",
+            domain="dev.okta.com",
+            client_id="test-client",
+            audience="test-audience"
+        )
+        provider = OktaProvider(settings)
+        expected_url = "https://dev.okta.com/oauth2/default/v1/keys"
+        assert provider.get_jwks_url() == expected_url
+
+    def test_get_issuer(self):
+        expected_issuer = "https://test-domain.okta.com/oauth2/default"
+        assert self.provider.get_issuer() == expected_issuer
+
+    def test_get_issuer_with_different_domain(self):
+        settings = Oauth2Settings(
+            provider="okta",
+            domain="prod.okta.com",
+            client_id="test-client",
+            audience="test-audience"
+        )
+        provider = OktaProvider(settings)
+        expected_issuer = "https://prod.okta.com/oauth2/default"
+        assert provider.get_issuer() == expected_issuer
+
+    def test_get_audience(self):
+        assert self.provider.get_audience() == "test-audience"
+
+    def test_get_audience_assertion_error_when_none(self):
+        settings = Oauth2Settings(
+            provider="okta",
+            domain="test-domain.okta.com",
+            client_id="test-client-id",
+            audience=None
+        )
+        provider = OktaProvider(settings)
+
+        with pytest.raises(AssertionError):
+            provider.get_audience()
+
+    def test_get_client_id(self):
+        assert self.provider.get_client_id() == "test-client-id"
--- a/tests/cli/authentication/providers/test_workos.py
+++ b/tests/cli/authentication/providers/test_workos.py
@@ -0,0 +1,100 @@
+import pytest
+from crewai.cli.authentication.main import Oauth2Settings
+from crewai.cli.authentication.providers.workos import WorkosProvider
+
+
+class TestWorkosProvider:
+
+    @pytest.fixture(autouse=True)
+    def setup_method(self):
+        self.valid_settings = Oauth2Settings(
+            provider="workos",
+            domain="login.company.com",
+            client_id="test-client-id",
+            audience="test-audience"
+        )
+        self.provider = WorkosProvider(self.valid_settings)
+
+    def test_initialization_with_valid_settings(self):
+        provider = WorkosProvider(self.valid_settings)
+        assert provider.settings == self.valid_settings
+        assert provider.settings.provider == "workos"
+        assert provider.settings.domain == "login.company.com"
+        assert provider.settings.client_id == "test-client-id"
+        assert provider.settings.audience == "test-audience"
+
+    def test_get_authorize_url(self):
+        expected_url = "https://login.company.com/oauth2/device_authorization"
+        assert self.provider.get_authorize_url() == expected_url
+
+    def test_get_authorize_url_with_different_domain(self):
+        settings = Oauth2Settings(
+            provider="workos",
+            domain="login.example.com",
+            client_id="test-client",
+            audience="test-audience"
+        )
+        provider = WorkosProvider(settings)
+        expected_url = "https://login.example.com/oauth2/device_authorization"
+        assert provider.get_authorize_url() == expected_url
+
+    def test_get_token_url(self):
+        expected_url = "https://login.company.com/oauth2/token"
+        assert self.provider.get_token_url() == expected_url
+
+    def test_get_token_url_with_different_domain(self):
+        settings = Oauth2Settings(
+            provider="workos",
+            domain="api.workos.com",
+            client_id="test-client",
+            audience="test-audience"
+        )
+        provider = WorkosProvider(settings)
+        expected_url = "https://api.workos.com/oauth2/token"
+        assert provider.get_token_url() == expected_url
+
+    def test_get_jwks_url(self):
+        expected_url = "https://login.company.com/oauth2/jwks"
+        assert self.provider.get_jwks_url() == expected_url
+
+    def test_get_jwks_url_with_different_domain(self):
+        settings = Oauth2Settings(
+            provider="workos",
+            domain="auth.enterprise.com",
+            client_id="test-client",
+            audience="test-audience"
+        )
+        provider = WorkosProvider(settings)
+        expected_url = "https://auth.enterprise.com/oauth2/jwks"
+        assert provider.get_jwks_url() == expected_url
+
+    def test_get_issuer(self):
+        expected_issuer = "https://login.company.com"
+        assert self.provider.get_issuer() == expected_issuer
+
+    def test_get_issuer_with_different_domain(self):
+        settings = Oauth2Settings(
+            provider="workos",
+            domain="sso.company.com",
+            client_id="test-client",
+            audience="test-audience"
+        )
+        provider = WorkosProvider(settings)
+        expected_issuer = "https://sso.company.com"
+        assert provider.get_issuer() == expected_issuer
+
+    def test_get_audience(self):
+        assert self.provider.get_audience() == "test-audience"
+
+    def test_get_audience_fallback_to_default(self):
+        settings = Oauth2Settings(
+            provider="workos",
+            domain="login.company.com",
+            client_id="test-client-id",
+            audience=None
+        )
+        provider = WorkosProvider(settings)
+        assert provider.get_audience() == ""
+
+    def test_get_client_id(self):
+        assert self.provider.get_client_id() == "test-client-id"
--- a/tests/cli/authentication/test_auth_main.py
+++ b/tests/cli/authentication/test_auth_main.py
@@ -6,10 +6,12 @@ from crewai.cli.authentication.main import AuthenticationCommand
 from crewai.cli.authentication.constants import (
    AUTH0_AUDIENCE,
    AUTH0_CLIENT_ID,
-    AUTH0_DOMAIN,
-    WORKOS_DOMAIN,
-    WORKOS_CLI_CONNECT_APP_ID,
-    WORKOS_ENVIRONMENT_ID,
+    AUTH0_DOMAIN
+)
+from crewai.cli.constants import (
+    CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN,
+    CREWAI_ENTERPRISE_DEFAULT_OAUTH2_CLIENT_ID,
+    CREWAI_ENTERPRISE_DEFAULT_OAUTH2_AUDIENCE,
 )


@@ -27,14 +29,17 @@ class TestAuthenticationCommand:
                    "token_url": f"https://{AUTH0_DOMAIN}/oauth/token",
                    "client_id": AUTH0_CLIENT_ID,
                    "audience": AUTH0_AUDIENCE,
+                    "domain": AUTH0_DOMAIN,
                },
            ),
            (
                "workos",
                {
-                    "device_code_url": f"https://{WORKOS_DOMAIN}/oauth2/device_authorization",
-                    "token_url": f"https://{WORKOS_DOMAIN}/oauth2/token",
-                    "client_id": WORKOS_CLI_CONNECT_APP_ID,
+                    "device_code_url": f"https://{CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN}/oauth2/device_authorization",
+                    "token_url": f"https://{CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN}/oauth2/token",
+                    "client_id": CREWAI_ENTERPRISE_DEFAULT_OAUTH2_CLIENT_ID,
+                    "audience": CREWAI_ENTERPRISE_DEFAULT_OAUTH2_AUDIENCE,
+                    "domain": CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN,
                },
            ),
        ],
@@ -70,19 +75,16 @@ class TestAuthenticationCommand:
            "Signing in to CrewAI Enterprise...\n", style="bold blue"
        )
        mock_determine_provider.assert_called_once()
-        mock_get_device.assert_called_once_with(
-            expected_urls["client_id"],
-            expected_urls["device_code_url"],
-            expected_urls.get("audience", None),
-        )
+        mock_get_device.assert_called_once()
        mock_display.assert_called_once_with(
            {"device_code": "test_code", "user_code": "123456"}
        )
        mock_poll.assert_called_once_with(
            {"device_code": "test_code", "user_code": "123456"},
-            expected_urls["client_id"],
-            expected_urls["token_url"],
        )
+        assert self.auth_command.oauth2_provider.get_client_id() == expected_urls["client_id"]
+        assert self.auth_command.oauth2_provider.get_audience() == expected_urls["audience"]
+        assert self.auth_command.oauth2_provider._get_domain() == expected_urls["domain"]

    @patch("crewai.cli.authentication.main.webbrowser")
    @patch("crewai.cli.authentication.main.console.print")
@@ -115,9 +117,9 @@ class TestAuthenticationCommand:
            (
                "workos",
                {
-                    "jwks_url": f"https://{WORKOS_DOMAIN}/oauth2/jwks",
-                    "issuer": f"https://{WORKOS_DOMAIN}",
-                    "audience": WORKOS_ENVIRONMENT_ID,
+                    "jwks_url": f"https://{CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN}/oauth2/jwks",
+                    "issuer": f"https://{CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN}",
+                    "audience": CREWAI_ENTERPRISE_DEFAULT_OAUTH2_AUDIENCE,
                },
            ),
        ],
@@ -133,7 +135,15 @@ class TestAuthenticationCommand:
        jwt_config,
        has_expiration,
    ):
-        self.auth_command.user_provider = user_provider
+        from crewai.cli.authentication.providers.auth0 import Auth0Provider
+        from crewai.cli.authentication.providers.workos import WorkosProvider
+        from crewai.cli.authentication.main import Oauth2Settings
+
+        if user_provider == "auth0":
+            self.auth_command.oauth2_provider = Auth0Provider(settings=Oauth2Settings(provider=user_provider, client_id="test-client-id", domain=AUTH0_DOMAIN, audience=jwt_config["audience"]))
+        elif user_provider == "workos":
+            self.auth_command.oauth2_provider = WorkosProvider(settings=Oauth2Settings(provider=user_provider, client_id="test-client-id", domain=CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN, audience=jwt_config["audience"]))
+
        token_data = {"access_token": "test_access_token", "id_token": "test_id_token"}

        if has_expiration:
@@ -311,11 +321,12 @@ class TestAuthenticationCommand:
        }
        mock_post.return_value = mock_response

-        result = self.auth_command._get_device_code(
-            client_id="test_client",
-            device_code_url="https://example.com/device",
-            audience="test_audience",
-        )
+        self.auth_command.oauth2_provider = MagicMock()
+        self.auth_command.oauth2_provider.get_client_id.return_value = "test_client"
+        self.auth_command.oauth2_provider.get_authorize_url.return_value = "https://example.com/device"
+        self.auth_command.oauth2_provider.get_audience.return_value = "test_audience"
+
+        result = self.auth_command._get_device_code()

        mock_post.assert_called_once_with(
            url="https://example.com/device",
@@ -354,8 +365,12 @@ class TestAuthenticationCommand:
                self.auth_command, "_login_to_tool_repository"
            ) as mock_tool_login,
        ):
+            self.auth_command.oauth2_provider = MagicMock()
+            self.auth_command.oauth2_provider.get_token_url.return_value = "https://example.com/token"
+            self.auth_command.oauth2_provider.get_client_id.return_value = "test_client"
+
            self.auth_command._poll_for_token(
-                device_code_data, "test_client", "https://example.com/token"
+                device_code_data
            )

            mock_post.assert_called_once_with(
@@ -392,7 +407,7 @@ class TestAuthenticationCommand:
        }

        self.auth_command._poll_for_token(
-            device_code_data, "test_client", "https://example.com/token"
+            device_code_data
        )

        mock_console_print.assert_any_call(
@@ -415,5 +430,14 @@ class TestAuthenticationCommand:

        with pytest.raises(requests.HTTPError):
            self.auth_command._poll_for_token(
-                device_code_data, "test_client", "https://example.com/token"
+                device_code_data
            )
+    # @patch(
+    #     "crewai.cli.authentication.main.AuthenticationCommand._determine_user_provider"
+    # )
+    # def test_login_with_auth0(self, mock_determine_provider):
+    #     from crewai.cli.authentication.providers.auth0 import Auth0Provider
+    #     from crewai.cli.authentication.main import Oauth2Settings
+
+    #     self.auth_command.oauth2_provider = Auth0Provider(settings=Oauth2Settings(provider="auth0", client_id=AUTH0_CLIENT_ID, domain=AUTH0_DOMAIN, audience=AUTH0_AUDIENCE))
+    #     self.auth_command.login()
--- a/tests/cli/config_test.py
+++ b/tests/cli/config_test.py
@@ -79,7 +79,7 @@ class TestSettings(unittest.TestCase):
        for key in user_settings.keys():
            self.assertEqual(getattr(settings, key), None)
        for key in cli_settings.keys():
-            self.assertEqual(getattr(settings, key), DEFAULT_CLI_SETTINGS[key])
+            self.assertEqual(getattr(settings, key), DEFAULT_CLI_SETTINGS.get(key))

    def test_dump_new_settings(self):
        settings = Settings(
--- a/tests/cli/test_settings_command.py
+++ b/tests/cli/test_settings_command.py
@@ -81,11 +81,10 @@ class TestSettingsCommand(unittest.TestCase):

        self.settings_command.reset_all_settings()

-        print(USER_SETTINGS_KEYS)
        for key in USER_SETTINGS_KEYS:
            self.assertEqual(getattr(self.settings_command.settings, key), None)

        for key in CLI_SETTINGS_KEYS:
            self.assertEqual(
-                getattr(self.settings_command.settings, key), DEFAULT_CLI_SETTINGS[key]
+                getattr(self.settings_command.settings, key), DEFAULT_CLI_SETTINGS.get(key)
            )