feat(core): implement OpenID Connect (OIDC) auth provider for remote agents #26559
alexandrevarga wants to merge 5 commits into
Conversation
Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces an OpenID Connect (OIDC) authentication provider to the core agent infrastructure, allowing Gemini CLI to authenticate with enterprise-grade remote agents. The implementation includes robust discovery mechanisms, type-safe configuration validation, and an interactive browser-based login flow. Additionally, the PR improves the reliability of the RipGrep tool by adding a system-level binary fallback, ensuring better compatibility across different environments.
Highlights
🛑 Action Required: Evaluation Approval
Steering changes have been detected in this PR. To prevent regressions, a maintainer must approve the evaluation run before this PR can be merged. Maintainers:
Once approved, the evaluation results will be posted here automatically.
Code Review
This pull request implements the OpenID Connect (OIDC) authentication provider, including dynamic discovery and interactive PKCE-based authentication. It also adds a fallback mechanism for the ripGrep tool to search for the rg binary in the system PATH if the bundled version is missing. Feedback focuses on improving type safety by replacing any with specific imports, removing redundant validation logic, and addressing security vulnerabilities related to SSRF and MITM by enforcing HTTPS and validating discovery URLs.
- BerriAI/litellm#27266 handle response.incomplete in Responses->Chat transform [merge-after-nits]
- BerriAI/litellm#27259 add module docstring + regression test for render smoke [merge-as-is]
- google-gemini/gemini-cli#26559 implement OIDC auth provider for A2A remote agents [merge-after-nits]
- QwenLM/qwen-code#3861 preserve comments via comment-json on settings migration [merge-after-nits]
Implemented refresh token logic, added UUID fallback for anonymous agents to prevent collisions, hoisted duplicated awaits, and added a positive cache hit test case.
Hi there! Thank you for your interest in contributing to Gemini CLI. To ensure we maintain high code quality and focus on our prioritized roadmap, we only guarantee review and consideration of pull requests for issues that are explicitly labeled as 'help wanted'. This PR will be closed in 7 days if it remains without that designation. We encourage you to find and contribute to existing 'help wanted' issues in our backlog! Thank you for your understanding.
This pull request is being closed as it has been open for 14 days without a 'help wanted' designation. We encourage you to find and contribute to existing 'help wanted' issues in our backlog! Thank you for your understanding.
Fixes #26562
Description
This PR implements the missing openIdConnect authentication provider for Agent-to-Agent (A2A) communication, resolving a pending TODO in the auth factory. By enabling OIDC, Gemini CLI can now securely connect to enterprise-grade remote agents (e.g., corporate Jira, Slack, or internal tool agents) that require modern identity-based authentication instead of simple API keys.
Key Changes
/.well-known/openid-configuration.
issues during startup.
browser-based login experience.
Testing
auth-provider directory).
discovery phase and browser interaction.
Impact
This change is a prerequisite for Gemini CLI's adoption in enterprise environments, allowing it to act as a secure client for remote agent ecosystems.
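The two security-relevant pieces the thread touches, the discovery step (fetching `/.well-known/openid-configuration` while refusing non-HTTPS or issuer-mismatched documents, as the review asks for against SSRF and MITM) and the browser-based authorization-code flow with PKCE, are shown below in TypeScript as an added illustration. This is not code from the PR or from gemini-cli; the interface, function names, the sample issuer `idp.example.com` and the sample discovery document are constructed for the example, and the PKCE test vector is the one from RFC 7636 Appendix B.

```typescript
import { createHash, randomBytes } from 'node:crypto';

// Added example, not the PR's code: the subset of an OIDC discovery document
// that an authorization-code + PKCE client needs.
export interface OidcDiscovery {
  issuer: string;
  authorization_endpoint: string;
  token_endpoint: string;
  code_challenge_methods_supported?: string[];
}

// Parse a URL and refuse anything that is not https (plain http would expose
// the discovery document and tokens to an on-path attacker).
function requireHttps(raw: string, what: string): URL {
  const url = new URL(raw); // throws on malformed input
  if (url.protocol !== 'https:') {
    throw new Error(`${what} must use https, got ${url.protocol}`);
  }
  return url;
}

// Build the well-known URL for an issuer. OIDC Discovery forbids query and
// fragment parts in the issuer, so they are rejected rather than stripped.
export function discoveryUrlFor(issuer: string): URL {
  const url = requireHttps(issuer, 'issuer');
  if (url.search !== '' || url.hash !== '') {
    throw new Error('issuer must not contain a query or fragment');
  }
  url.pathname = `${url.pathname.replace(/\/+$/, '')}/.well-known/openid-configuration`;
  return url;
}

// Validate a fetched discovery document before trusting any endpoint in it.
export function validateDiscovery(expectedIssuer: string, doc: unknown): OidcDiscovery {
  if (typeof doc !== 'object' || doc === null) {
    throw new Error('discovery document must be a JSON object');
  }
  const d = doc as Record<string, unknown>;
  for (const key of ['issuer', 'authorization_endpoint', 'token_endpoint']) {
    if (typeof d[key] !== 'string') throw new Error(`discovery document lacks string field ${key}`);
  }
  const issuer = d.issuer as string;
  // OIDC Discovery 4.3: the issuer in the document must be the one we asked
  // for. Compare normalised hrefs so "https://a" and "https://a/" agree.
  if (new URL(issuer).href !== new URL(expectedIssuer).href) {
    throw new Error(`issuer mismatch: expected ${expectedIssuer}, document says ${issuer}`);
  }
  const authorization_endpoint = requireHttps(d.authorization_endpoint as string, 'authorization_endpoint').href;
  const token_endpoint = requireHttps(d.token_endpoint as string, 'token_endpoint').href;
  const methods = Array.isArray(d.code_challenge_methods_supported)
    ? (d.code_challenge_methods_supported as string[])
    : undefined;
  if (methods && !methods.includes('S256')) {
    throw new Error('provider does not advertise S256 PKCE');
  }
  return { issuer, authorization_endpoint, token_endpoint, code_challenge_methods_supported: methods };
}

// RFC 7636 S256: challenge = BASE64URL(SHA256(ASCII(verifier))).
export function pkceChallengeFor(verifier: string): string {
  if (verifier.length < 43 || verifier.length > 128) {
    throw new Error('code_verifier must be 43..128 characters');
  }
  return createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Fresh verifier/challenge pair for one login attempt; the verifier stays local
// and is only sent to the token endpoint when the code is redeemed.
export function createPkcePair(): { verifier: string; challenge: string } {
  const verifier = randomBytes(32).toString('base64url'); // 43 URL-safe chars
  return { verifier, challenge: pkceChallengeFor(verifier) };
}

// Authorization request the browser is sent to; `state` binds the callback
// to this attempt and must be checked when the redirect comes back.
export function buildAuthorizationUrl(
  disc: OidcDiscovery, clientId: string, redirectUri: string, state: string, challenge: string,
): string {
  const url = new URL(disc.authorization_endpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', 'openid');
  url.searchParams.set('state', state);
  url.searchParams.set('code_challenge', challenge);
  url.searchParams.set('code_challenge_method', 'S256');
  return url.href;
}

// Constructed sample (hypothetical issuer, not a real provider).
export const SAMPLE_ISSUER = 'https://idp.example.com/realms/acme';
export const SAMPLE_DISCOVERY = {
  issuer: SAMPLE_ISSUER,
  authorization_endpoint: 'https://idp.example.com/realms/acme/protocol/openid-connect/auth',
  token_endpoint: 'https://idp.example.com/realms/acme/protocol/openid-connect/token',
  code_challenge_methods_supported: ['S256', 'plain'],
};
```

The issuer comparison is the check that turns a discovery fetch from "trust whatever JSON came back" into "trust only a document that claims to be the provider we configured"; combined with the HTTPS requirement on every endpoint, a redirected or tampered discovery response cannot steer the login to an attacker-chosen authorization or token endpoint.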