vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-03 21:31:26 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
3d647f14d0da0398ca5c1858ae04dc6cf7af33e6
openclaw/docs/auth-credential-semantics.md
Josh Avant 788f56f30f Secrets: hard-fail unsupported SecretRef policy and fix gateway restart token drift (#58141) 
* Secrets: enforce C2 SecretRef policy and drift resolution

* Tests: add gateway auth startup/reload SecretRef runtime coverage

* Docs: sync C2 SecretRef policy and coverage matrix

* Config: hard-fail parent SecretRef policy writes

* Secrets: centralize unsupported SecretRef policy metadata

* Daemon: test service-env precedence for token drift refs

* Config: keep per-ref dry-run resolvability errors

* Docs: clarify config-set parent-object policy checks

* Gateway: fix drift fallback and schema-key filtering

* Gateway: align drift fallback with credential planner

* changelog

Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>

---------

Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>
2026-03-31 02:37:31 -05:00

2.0 KiB
Raw Blame History

title, summary, read_when
title summary read_when
Auth Credential Semantics Canonical credential eligibility and resolution semantics for auth profiles
Working on auth profile resolution or credential routing
Debugging model auth failures or profile order

Auth Credential Semantics

This document defines the canonical credential eligibility and resolution semantics used across:

  • resolveAuthProfileOrder
  • resolveApiKeyForProfile
  • models status --probe
  • doctor-auth

The goal is to keep selection-time and runtime behavior aligned.

Stable Reason Codes

  • ok
  • missing_credential
  • invalid_expires
  • expired
  • unresolved_ref

Token Credentials

Token credentials (type: "token") support inline token and/or tokenRef.

Eligibility rules

  1. A token profile is ineligible when both token and tokenRef are absent.
  2. expires is optional.
  3. If expires is present, it must be a finite number greater than 0.
  4. If expires is invalid (NaN, 0, negative, non-finite, or wrong type), the profile is ineligible with invalid_expires.
  5. If expires is in the past, the profile is ineligible with expired.
  6. tokenRef does not bypass expires validation.

Resolution rules

  1. Resolver semantics match eligibility semantics for expires.
  2. For eligible profiles, token material may be resolved from inline value or tokenRef.
  3. Unresolvable refs produce unresolved_ref in models status --probe output.

OAuth SecretRef Policy Guard

  • SecretRef input is for static credentials only.
  • If a profile credential is type: "oauth", SecretRef objects are not supported for that profile credential material.
  • If auth.profiles.<id>.mode is "oauth", SecretRef-backed keyRef/tokenRef input for that profile is rejected.
  • Violations are hard failures in startup/reload auth resolution paths.

Legacy-Compatible Messaging

For script compatibility, probe errors keep this first line unchanged:

Auth profile credentials are missing or expired.

Human-friendly detail and stable reason codes may be added on subsequent lines.

Reference in New Issue View Git Blame Copy Permalink