Code suggestions: Get a token and send it to model gateway using Mediator
Problems to solve
Code suggestions: Authenticate and authorize WebIDE users to the Model Gateway
💡 Proposals
We have decided to move forward with OPTION 2.
Option 1 - OAuth2 Authorization Code with Proof Key for Code Exchange (PKCE)
- Register Code Suggestions for Web IDE as an instance-wide OAuth2 Application.
On initialisation
- User is redirected to /oauth/authorize endpoint.
- Since they already signed in and the application is trusted, this will be skipped.
- User is redirected to /oauth/ide/callback with the authorization_code.
- User is redirected to the /-/ide with the access_token in the config.
- Web IDE stores both tokens on the client side.
On autocomplete (user keystroke)
- Web IDE checks the access_token expiry, and calls the refresh endpoint if required.
- Web IDE calls Model Gateway API with the access_token.
- Model Gateway verifies the access_token with GitLab API and returns completions.
Pros
- Allow Web IDE to work across domains
- Lean on established authorisation patterns
- Support for refresh token flow
Cons
- Only support stateful tokens, i.e. non-JWT
- Require back channel call to GitLab to verify token validity
Option 2: Custom API endpoint to generate an access token
On initialisation
- Web IDE FE calls a GitLab API endpoint to authorise the user via session and returns a JWT token.
- Web IDE FE stores the access_token on the client side.
On autocomplete (user keystroke)
- Web IDE FE calls Model Gateway API with the access_token.
- Model Gateway checks the GitLab API public key cache.
- If the cache is not found or expired, Model Gateway calls the GitLab endpoint https://gitlab.com/oauth/discovery/keys to fetch the public key.
- Model Gateway verifies the access_token (JWT) with the public key and returns completions.
Option 3: GitLab IDE controller to authorise and generate access tokens
On initialisation
- Web IDE BE authorises the user via session and returns a signed JWT token.
- Web IDE FE stores the access_token on the client side.
On autocomplete (user keystroke)
- Web IDE FE calls Model Gateway API with the access_token.
- Model Gateway checks the GitLab API public key cache.
- If the cache is not found or expired, Model Gateway calls the GitLab endpoint https://gitlab.com/oauth/discovery/keys to fetch the public key.
- Model Gateway verifies the access_token (JWT) with the public key and returns completions.
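The Model Gateway steps shared by Option 2 and Option 3 (key cache, fetch when the cache is not found or expired, JWT verification), as an added example that is not GitLab's or the Model Gateway's own code. It assumes RS256 tokens and an already-parsed key set; issue_token and fetch_keys are hypothetical stand-ins for the GitLab token endpoint and the keys endpoint, and the demo key pair is constructed from two Mersenne primes and is not secure.

```python
import base64, hashlib, json, time

# Constructed demo key built from two Mersenne primes: NOT secure, offline demo only.
E = 65537
N = (2**521 - 1) * (2**607 - 1)
D = pow(E, -1, (2**521 - 2) * (2**607 - 2))
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def emsa(msg, k):  # PKCS#1 v1.5 signature encoding of SHA-256(msg), k bytes long
    t = PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def issue_token(claims, kid="demo-1", alg="RS256"):  # hypothetical stand-in for the GitLab endpoint
    k = (N.bit_length() + 7) // 8
    signed = b64u(json.dumps({"alg": alg, "kid": kid}).encode()) + "." + b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa(signed.encode(), k), "big"), D, N)
    return signed + "." + b64u(sig.to_bytes(k, "big"))

def fetch_keys():  # hypothetical stand-in for GET https://gitlab.com/oauth/discovery/keys
    return {"demo-1": (N, E)}  # assumption: kid -> (modulus, exponent), already parsed

class KeyCache:
    def __init__(self, fetch, ttl=3600):
        self.fetch, self.ttl, self.keys, self.loaded, self.fetches = fetch, ttl, {}, None, 0
    def get(self, kid, now):
        if self.loaded is None or now - self.loaded >= self.ttl:  # cache not found or expired
            self.keys, self.loaded, self.fetches = self.fetch(), now, self.fetches + 1
        return self.keys.get(kid)

def verify(token, cache, now=None):
    """Return the claims of a valid token, or None."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(unb64u(head))
        if header["alg"] != "RS256":  # pin the algorithm; rejects "none" and HMAC confusion
            return None
        n, e = cache.get(header["kid"], now)  # unknown kid -> None -> TypeError below
        k = (n.bit_length() + 7) // 8
        s = int.from_bytes(unb64u(sig), "big")
        if s >= n or pow(s, e, n).to_bytes(k, "big") != emsa((head + "." + body).encode(), k):
            return None
        claims = json.loads(unb64u(body))
        return claims if claims["exp"] > now else None  # exp is required
    except (ValueError, TypeError, KeyError):
        return None
```

In a real gateway a maintained JWT library would do the signature math; the point here is the order of the checks and that the keys endpoint is contacted only when the cache is empty or past its TTL, not on every keystroke.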
⚔ Implementation plan
We are going ahead with Option 2 since it benefits greatly with the effort of consolidating VS Code Ext and Web IDE experience.
- GitLab API endpoint to issue token - gitlab#404427 (closed)
- Model Gateway authentication with JWT token - gitlab-org/modelops/applied-ml/code-suggestions/ai-assist#56 (closed)
- Authenticate Web IDE to Model Gateway - #140 (closed)
Discussions
- Discussion !147 (comment 1308585839)
Edited by Tan Le