Support Device authorization with Okta (#3271)

* feat: support oauth2 config for authentication

* refactor: improve OAuth2 settings management

The CLI now supports seamless integration with other authentication providers, since the client_id, issue, domain are now manage by the user

* feat: support okta Device Authorization flow

* chore: resolve linter issues

* test: fix tests

* test: adding tests for auth providers

* test: fix broken test

* refator: adding WorkOS paramenters as default settings auth

* chore: improve oauth2 attributes description

* refactor: simplify WorkOS getting values

* fix: ensure Auth0 parameters is set when overrinding default auth provider

* chore: remove TODO Auth0 no longer provides default values

---------

Co-authored-by: Heitor Carvalho <heitor.scz@gmail.com>

tests/cli/authentication/test_auth_main.py

@@ -6,10 +6,12 @@ from crewai.cli.authentication.main import AuthenticationCommand
 from crewai.cli.authentication.constants import (
     AUTH0_AUDIENCE,
     AUTH0_CLIENT_ID,
-    AUTH0_DOMAIN,
-    WORKOS_DOMAIN,
-    WORKOS_CLI_CONNECT_APP_ID,
-    WORKOS_ENVIRONMENT_ID,
+    AUTH0_DOMAIN
+)
+from crewai.cli.constants import (
+    CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN,
+    CREWAI_ENTERPRISE_DEFAULT_OAUTH2_CLIENT_ID,
+    CREWAI_ENTERPRISE_DEFAULT_OAUTH2_AUDIENCE,
 )
 
 
@@ -27,14 +29,17 @@ class TestAuthenticationCommand:
                     "token_url": f"https://{AUTH0_DOMAIN}/oauth/token",
                     "client_id": AUTH0_CLIENT_ID,
                     "audience": AUTH0_AUDIENCE,
+                    "domain": AUTH0_DOMAIN,
                 },
             ),
             (
                 "workos",
                 {
-                    "device_code_url": f"https://{WORKOS_DOMAIN}/oauth2/device_authorization",
-                    "token_url": f"https://{WORKOS_DOMAIN}/oauth2/token",
-                    "client_id": WORKOS_CLI_CONNECT_APP_ID,
+                    "device_code_url": f"https://{CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN}/oauth2/device_authorization",
+                    "token_url": f"https://{CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN}/oauth2/token",
+                    "client_id": CREWAI_ENTERPRISE_DEFAULT_OAUTH2_CLIENT_ID,
+                    "audience": CREWAI_ENTERPRISE_DEFAULT_OAUTH2_AUDIENCE,
+                    "domain": CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN,
                 },
             ),
         ],
@@ -70,19 +75,16 @@ class TestAuthenticationCommand:
             "Signing in to CrewAI Enterprise...\n", style="bold blue"
         )
         mock_determine_provider.assert_called_once()
-        mock_get_device.assert_called_once_with(
-            expected_urls["client_id"],
-            expected_urls["device_code_url"],
-            expected_urls.get("audience", None),
-        )
+        mock_get_device.assert_called_once()
         mock_display.assert_called_once_with(
             {"device_code": "test_code", "user_code": "123456"}
         )
         mock_poll.assert_called_once_with(
             {"device_code": "test_code", "user_code": "123456"},
-            expected_urls["client_id"],
-            expected_urls["token_url"],
         )
+        assert self.auth_command.oauth2_provider.get_client_id() == expected_urls["client_id"]
+        assert self.auth_command.oauth2_provider.get_audience() == expected_urls["audience"]
+        assert self.auth_command.oauth2_provider._get_domain() == expected_urls["domain"]
 
     @patch("crewai.cli.authentication.main.webbrowser")
     @patch("crewai.cli.authentication.main.console.print")
@@ -115,9 +117,9 @@ class TestAuthenticationCommand:
             (
                 "workos",
                 {
-                    "jwks_url": f"https://{WORKOS_DOMAIN}/oauth2/jwks",
-                    "issuer": f"https://{WORKOS_DOMAIN}",
-                    "audience": WORKOS_ENVIRONMENT_ID,
+                    "jwks_url": f"https://{CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN}/oauth2/jwks",
+                    "issuer": f"https://{CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN}",
+                    "audience": CREWAI_ENTERPRISE_DEFAULT_OAUTH2_AUDIENCE,
                 },
             ),
         ],
@@ -133,7 +135,15 @@ class TestAuthenticationCommand:
         jwt_config,
         has_expiration,
     ):
-        self.auth_command.user_provider = user_provider
+        from crewai.cli.authentication.providers.auth0 import Auth0Provider
+        from crewai.cli.authentication.providers.workos import WorkosProvider
+        from crewai.cli.authentication.main import Oauth2Settings
+
+        if user_provider == "auth0":
+            self.auth_command.oauth2_provider = Auth0Provider(settings=Oauth2Settings(provider=user_provider, client_id="test-client-id", domain=AUTH0_DOMAIN, audience=jwt_config["audience"]))
+        elif user_provider == "workos":
+            self.auth_command.oauth2_provider = WorkosProvider(settings=Oauth2Settings(provider=user_provider, client_id="test-client-id", domain=CREWAI_ENTERPRISE_DEFAULT_OAUTH2_DOMAIN, audience=jwt_config["audience"]))
+
         token_data = {"access_token": "test_access_token", "id_token": "test_id_token"}
 
         if has_expiration:
@@ -311,11 +321,12 @@ class TestAuthenticationCommand:
         }
         mock_post.return_value = mock_response
 
-        result = self.auth_command._get_device_code(
-            client_id="test_client",
-            device_code_url="https://example.com/device",
-            audience="test_audience",
-        )
+        self.auth_command.oauth2_provider = MagicMock()
+        self.auth_command.oauth2_provider.get_client_id.return_value = "test_client"
+        self.auth_command.oauth2_provider.get_authorize_url.return_value = "https://example.com/device"
+        self.auth_command.oauth2_provider.get_audience.return_value = "test_audience"
+
+        result = self.auth_command._get_device_code()
 
         mock_post.assert_called_once_with(
             url="https://example.com/device",
@@ -354,8 +365,12 @@ class TestAuthenticationCommand:
                 self.auth_command, "_login_to_tool_repository"
             ) as mock_tool_login,
         ):
+            self.auth_command.oauth2_provider = MagicMock()
+            self.auth_command.oauth2_provider.get_token_url.return_value = "https://example.com/token"
+            self.auth_command.oauth2_provider.get_client_id.return_value = "test_client"
+
             self.auth_command._poll_for_token(
-                device_code_data, "test_client", "https://example.com/token"
+                device_code_data
             )
 
             mock_post.assert_called_once_with(
@@ -392,7 +407,7 @@ class TestAuthenticationCommand:
         }
 
         self.auth_command._poll_for_token(
-            device_code_data, "test_client", "https://example.com/token"
+            device_code_data
         )
 
         mock_console_print.assert_any_call(
@@ -415,5 +430,14 @@ class TestAuthenticationCommand:
 
         with pytest.raises(requests.HTTPError):
             self.auth_command._poll_for_token(
-                device_code_data, "test_client", "https://example.com/token"
+                device_code_data
             )
+    # @patch(
+    #     "crewai.cli.authentication.main.AuthenticationCommand._determine_user_provider"
+    # )
+    # def test_login_with_auth0(self, mock_determine_provider):
+    #     from crewai.cli.authentication.providers.auth0 import Auth0Provider
+    #     from crewai.cli.authentication.main import Oauth2Settings
+
+    #     self.auth_command.oauth2_provider = Auth0Provider(settings=Oauth2Settings(provider="auth0", client_id=AUTH0_CLIENT_ID, domain=AUTH0_DOMAIN, audience=AUTH0_AUDIENCE))
+    #     self.auth_command.login()