How does authentication in workspaces work? #2828
jbauer opened 2 weeks ago

With 16+ an AI user can be assigned to an issue. How does authentication inside the codex/claude/custom container work?

For example in a team everyone has its own personalized Github Copilot credentials and if a team member assigns the OneDev AI user I cannot figure out what needs to be done so that the credentials of that team member is used within the workspace to authenticate the agent.

Every team member can create its own personal fine-grained Github access token which allows copilot requests but how to configure OneDev to use it?

  • Robin Shen commented 2 weeks ago

    AI user has to use its own credential. Run as the AI user and create a workspace to populate the credentials, then delete the workspace. Subsequent workspaces created by the AI user will reuse the user data saved previously.

  • jbauer commented 2 weeks ago

    Hmmm ok, dont like it.

    It is not really scalable to have one AI user per team member (also normal OneDev users cannot impersonate their corresponding AI user to configure the user data) and misusing a team account to configure a shared AI user isn't an option because of usage limits.

    So for now your solution is only usable if you access an AI provider via ordinary API key and not via team accounts with individual usage limits.

    What if every OneDev user account could configure a list of <ai provider, token> in its own user settings? Depending on the ai provider it is either a simple API token or OneDev executes the OAuth flow to obtain the access token (e.g. for ChatGPT/Codex or Github Copilot). The token could then be encrypted with an individual user password (maybe optionally) and stored in OneDev DB. Then in OneDev you continue to assign issues to normal OneDev users but the user then as a button "Delegate to AI" which allows selecting the configured credentials, (maybe optionally) asks for the password to decrypt the token and then spins up a workspace. The token could then be accessible via some env variable and thus can be made available to the agent cli command which launches the agent cli in headless mode. OneDev could also ask which model to use and make that available as env variable as well.

    That way it is more user centric and it allows using subsidized personal team accounts just like in an IDE. I generally prefer if you can transparently see that a user as delegated work to AI and if the AI creates commits that these commits are in the name of the user with an additional footer indicating that AI has assisted. The linux kernel for example requires something like Assisted-by: Claude:claude-3-opus. At the end the user is responsible.

  • Robin Shen commented 2 weeks ago

    AI user has to be created by adminsitrator and shared with the team. The approach you mentioned complicates things a lot, and will not be considered for now.

  • Robin Shen commented 2 weeks ago

    For your case, your team member may just create a workspace on an issue without using AI user, and run below prompt:

    work on this issue and submit your work when complete

    Then everything runs under the team member's own account.

  • Robin Shen changed state to 'Closed' 2 weeks ago
    Previous Value Current Value
    Open
    Closed
1/1
Type
Question
Priority
Normal
Assignee
Labels
No labels
Issue Votes (0)
Watchers (3)
Reference
OD-2828
Please wait...
Connection lost or session expired, reload to recover
Page is in error, reload to recover