feat: add multiple provider support (#3089)

* Remove `crewai signup` command, update docs * Add `Settings.clear()` and clear settings before each login * Add pyjwt * Remove print statement from ToolCommand.login() * Remove auth0 dependency * Update docs
2026-01-28 09:38:17 +00:00 · 2025-07-02 17:44:47 -03:00
parent 68f5bdf0d9
commit a77dcdd419
16 changed files with 760 additions and 213 deletions
--- a/src/crewai/cli/authentication/constants.py
+++ b/src/crewai/cli/authentication/constants.py
@@ -2,3 +2,7 @@ ALGORITHMS = ["RS256"]
 AUTH0_DOMAIN = "crewai.us.auth0.com"
 AUTH0_CLIENT_ID = "DEVC5Fw6NlRoSzmDCcOhVq85EfLBjKa8"
 AUTH0_AUDIENCE = "https://crewai.us.auth0.com/api/v2/"
+
+WORKOS_DOMAIN = "login.crewai.com"
+WORKOS_CLI_CONNECT_APP_ID = "client_01JYT06R59SP0NXYGD994NFXXX"
+WORKOS_ENVIRONMENT_ID = "client_01JNJQWB4HG8T5980R5VHP057C"
--- a/src/crewai/cli/authentication/main.py
+++ b/src/crewai/cli/authentication/main.py
@@ -5,37 +5,72 @@ from typing import Any, Dict
 import requests
 from rich.console import Console

-from .constants import AUTH0_AUDIENCE, AUTH0_CLIENT_ID, AUTH0_DOMAIN
-from .utils import TokenManager, validate_token
+from .constants import (
+    AUTH0_AUDIENCE,
+    AUTH0_CLIENT_ID,
+    AUTH0_DOMAIN,
+    WORKOS_DOMAIN,
+    WORKOS_CLI_CONNECT_APP_ID,
+    WORKOS_ENVIRONMENT_ID,
+)
+
+from .utils import TokenManager, validate_jwt_token
+from urllib.parse import quote
+from crewai.cli.plus_api import PlusAPI
+from crewai.cli.config import Settings

 console = Console()


 class AuthenticationCommand:
-    DEVICE_CODE_URL = f"https://{AUTH0_DOMAIN}/oauth/device/code"
-    TOKEN_URL = f"https://{AUTH0_DOMAIN}/oauth/token"
+    AUTH0_DEVICE_CODE_URL = f"https://{AUTH0_DOMAIN}/oauth/device/code"
+    AUTH0_TOKEN_URL = f"https://{AUTH0_DOMAIN}/oauth/token"
+
+    WORKOS_DEVICE_CODE_URL = f"https://{WORKOS_DOMAIN}/oauth2/device_authorization"
+    WORKOS_TOKEN_URL = f"https://{WORKOS_DOMAIN}/oauth2/token"

    def __init__(self):
        self.token_manager = TokenManager()
+        # TODO: WORKOS - This variable is temporary until migration to WorkOS is complete.
+        self.user_provider = "workos"

-    def signup(self) -> None:
+    def login(self) -> None:
        """Sign up to CrewAI+"""
-        console.print("Signing Up to CrewAI+ \n", style="bold blue")
-        device_code_data = self._get_device_code()
+
+        device_code_url = self.WORKOS_DEVICE_CODE_URL
+        token_url = self.WORKOS_TOKEN_URL
+        client_id = WORKOS_CLI_CONNECT_APP_ID
+        audience = None
+
+        console.print("Signing in to CrewAI Enterprise...\n", style="bold blue")
+
+        # TODO: WORKOS - Next line and conditional are temporary until migration to WorkOS is complete.
+        user_provider = self._determine_user_provider()
+        if user_provider == "auth0":
+            device_code_url = self.AUTH0_DEVICE_CODE_URL
+            token_url = self.AUTH0_TOKEN_URL
+            client_id = AUTH0_CLIENT_ID
+            audience = AUTH0_AUDIENCE
+            self.user_provider = "auth0"
+        # End of temporary code.
+
+        device_code_data = self._get_device_code(client_id, device_code_url, audience)
        self._display_auth_instructions(device_code_data)

-        return self._poll_for_token(device_code_data)
+        return self._poll_for_token(device_code_data, client_id, token_url)

-    def _get_device_code(self) -> Dict[str, Any]:
+    def _get_device_code(
+        self, client_id: str, device_code_url: str, audience: str | None = None
+    ) -> Dict[str, Any]:
        """Get the device code to authenticate the user."""

        device_code_payload = {
-            "client_id": AUTH0_CLIENT_ID,
+            "client_id": client_id,
            "scope": "openid",
-            "audience": AUTH0_AUDIENCE,
+            "audience": audience,
        }
        response = requests.post(
-            url=self.DEVICE_CODE_URL, data=device_code_payload, timeout=20
+            url=device_code_url, data=device_code_payload, timeout=20
        )
        response.raise_for_status()
        return response.json()
@@ -46,38 +81,33 @@ class AuthenticationCommand:
        console.print("2. Enter the following code: ", device_code_data["user_code"])
        webbrowser.open(device_code_data["verification_uri_complete"])

-    def _poll_for_token(self, device_code_data: Dict[str, Any]) -> None:
-        """Poll the server for the token."""
+    def _poll_for_token(
+        self, device_code_data: Dict[str, Any], client_id: str, token_poll_url: str
+    ) -> None:
+        """Polls the server for the token until it is received, or max attempts are reached."""
+
        token_payload = {
            "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
            "device_code": device_code_data["device_code"],
-            "client_id": AUTH0_CLIENT_ID,
+            "client_id": client_id,
        }

+        console.print("\nWaiting for authentication... ", style="bold blue", end="")
+
        attempts = 0
-        while True and attempts < 5:
-            response = requests.post(self.TOKEN_URL, data=token_payload, timeout=30)
+        while True and attempts < 10:
+            response = requests.post(token_poll_url, data=token_payload, timeout=30)
            token_data = response.json()

            if response.status_code == 200:
-                validate_token(token_data["id_token"])
-                expires_in = 360000  # Token expiration time in seconds
-                self.token_manager.save_tokens(token_data["access_token"], expires_in)
+                self._validate_and_save_token(token_data)

-                try:
-                    from crewai.cli.tools.main import ToolCommand
-                    ToolCommand().login()
-                except Exception:
-                    console.print(
-                        "\n[bold yellow]Warning:[/bold yellow] Authentication with the Tool Repository failed.",
-                        style="yellow",
-                    )
-                    console.print(
-                        "Other features will work normally, but you may experience limitations "
-                        "with downloading and publishing tools."
-                        "\nRun [bold]crewai login[/bold] to try logging in again.\n",
-                        style="yellow",
-                    )
+                console.print(
+                    "Success!",
+                    style="bold green",
+                )
+
+                self._login_to_tool_repository()

                console.print(
                    "\n[bold green]Welcome to CrewAI Enterprise![/bold green]\n"
@@ -93,3 +123,88 @@ class AuthenticationCommand:
        console.print(
            "Timeout: Failed to get the token. Please try again.", style="bold red"
        )
+
+    def _validate_and_save_token(self, token_data: Dict[str, Any]) -> None:
+        """Validates the JWT token and saves the token to the token manager."""
+
+        jwt_token = token_data["access_token"]
+        jwt_token_data = {
+            "jwt_token": jwt_token,
+            "jwks_url": f"https://{WORKOS_DOMAIN}/oauth2/jwks",
+            "issuer": f"https://{WORKOS_DOMAIN}",
+            "audience": WORKOS_ENVIRONMENT_ID,
+        }
+
+        # TODO: WORKOS - The following conditional is temporary until migration to WorkOS is complete.
+        if self.user_provider == "auth0":
+            jwt_token_data["jwks_url"] = f"https://{AUTH0_DOMAIN}/.well-known/jwks.json"
+            jwt_token_data["issuer"] = f"https://{AUTH0_DOMAIN}/"
+            jwt_token_data["audience"] = AUTH0_AUDIENCE
+
+        decoded_token = validate_jwt_token(**jwt_token_data)
+
+        expires_at = decoded_token.get("exp", 0)
+        self.token_manager.save_tokens(jwt_token, expires_at)
+
+    def _login_to_tool_repository(self) -> None:
+        """Login to the tool repository."""
+
+        from crewai.cli.tools.main import ToolCommand
+
+        try:
+            console.print(
+                "Now logging you in to the Tool Repository... ",
+                style="bold blue",
+                end="",
+            )
+
+            ToolCommand().login()
+
+            console.print(
+                "Success!\n",
+                style="bold green",
+            )
+
+            settings = Settings()
+            console.print(
+                f"You are authenticated to the tool repository as [bold cyan]'{settings.org_name}'[/bold cyan] ({settings.org_uuid})",
+                style="green",
+            )
+        except Exception:
+            console.print(
+                "\n[bold yellow]Warning:[/bold yellow] Authentication with the Tool Repository failed.",
+                style="yellow",
+            )
+            console.print(
+                "Other features will work normally, but you may experience limitations "
+                "with downloading and publishing tools."
+                "\nRun [bold]crewai login[/bold] to try logging in again.\n",
+                style="yellow",
+            )
+
+    # TODO: WORKOS - This method is temporary until migration to WorkOS is complete.
+    def _determine_user_provider(self) -> str:
+        """Determine which provider to use for authentication."""
+
+        console.print(
+            "Enter your CrewAI Enterprise account email: ", style="bold blue", end=""
+        )
+        email = input()
+        email_encoded = quote(email)
+
+        # It's not correct to call this method directly, but it's temporary until migration is complete.
+        response = PlusAPI("")._make_request(
+            "GET", f"/crewai_plus/api/v1/me/provider?email={email_encoded}"
+        )
+
+        if response.status_code == 200:
+            if response.json().get("provider") == "auth0":
+                return "auth0"
+            else:
+                return "workos"
+        else:
+            console.print(
+                "Error: Failed to authenticate with crewai enterprise. Ensure that you are using the latest crewai version and please try again. If the problem persists, contact support@crewai.com.",
+                style="red",
+            )
+            raise SystemExit
--- a/src/crewai/cli/authentication/utils.py
+++ b/src/crewai/cli/authentication/utils.py
@@ -1,32 +1,63 @@
 import json
 import os
 import sys
-from datetime import datetime, timedelta
+from datetime import datetime
 from pathlib import Path
 from typing import Optional
-
-from auth0.authentication.token_verifier import (
-    AsymmetricSignatureVerifier,
-    TokenVerifier,
-)
+import jwt
+from jwt import PyJWKClient
 from cryptography.fernet import Fernet

-from .constants import AUTH0_CLIENT_ID, AUTH0_DOMAIN

-
-def validate_token(id_token: str) -> None:
+def validate_jwt_token(
+    jwt_token: str, jwks_url: str, issuer: str, audience: str
+) -> dict:
    """
-    Verify the token and its precedence
-
-    :param id_token:
+    Verify the token's signature and claims using PyJWT.
+    :param jwt_token: The JWT (JWS) string to validate.
+    :param jwks_url: The URL of the JWKS endpoint.
+    :param issuer: The expected issuer of the token.
+    :param audience: The expected audience of the token.
+    :return: The decoded token.
+    :raises Exception: If the token is invalid for any reason (e.g., signature mismatch,
+                       expired, incorrect issuer/audience, JWKS fetching error,
+                       missing required claims).
    """
-    jwks_url = f"https://{AUTH0_DOMAIN}/.well-known/jwks.json"
-    issuer = f"https://{AUTH0_DOMAIN}/"
-    signature_verifier = AsymmetricSignatureVerifier(jwks_url)
-    token_verifier = TokenVerifier(
-        signature_verifier=signature_verifier, issuer=issuer, audience=AUTH0_CLIENT_ID
-    )
-    token_verifier.verify(id_token)
+
+    decoded_token = None
+
+    try:
+        jwk_client = PyJWKClient(jwks_url)
+        signing_key = jwk_client.get_signing_key_from_jwt(jwt_token)
+
+        decoded_token = jwt.decode(
+            jwt_token,
+            signing_key.key,
+            algorithms=["RS256"],
+            audience=audience,
+            issuer=issuer,
+            options={
+                "verify_signature": True,
+                "verify_exp": True,
+                "verify_nbf": True,
+                "verify_iat": True,
+                "require": ["exp", "iat", "iss", "aud", "sub"],
+            },
+        )
+        return decoded_token
+
+    except jwt.ExpiredSignatureError:
+        raise Exception("Token has expired.")
+    except jwt.InvalidAudienceError:
+        raise Exception(f"Invalid token audience. Expected: '{audience}'")
+    except jwt.InvalidIssuerError:
+        raise Exception(f"Invalid token issuer. Expected: '{issuer}'")
+    except jwt.MissingRequiredClaimError as e:
+        raise Exception(f"Token is missing required claims: {str(e)}")
+    except jwt.exceptions.PyJWKClientError as e:
+        raise Exception(f"JWKS or key processing error: {str(e)}")
+    except jwt.InvalidTokenError as e:
+        raise Exception(f"Invalid token: {str(e)}")


 class TokenManager:
@@ -56,14 +87,14 @@ class TokenManager:
        self.save_secure_file(key_filename, new_key)
        return new_key

-    def save_tokens(self, access_token: str, expires_in: int) -> None:
+    def save_tokens(self, access_token: str, expires_at: int) -> None:
        """
        Save the access token and its expiration time.

        :param access_token: The access token to save.
-        :param expires_in: The expiration time of the access token in seconds.
+        :param expires_at: The UNIX timestamp of the expiration time.
        """
-        expiration_time = datetime.now() + timedelta(seconds=expires_in)
+        expiration_time = datetime.fromtimestamp(expires_at)
        data = {
            "access_token": access_token,
            "expiration": expiration_time.isoformat(),