Add quarkus-security-api dependency to modules which require tokens for outbound calls
Opened this issue · 1 comments
quarkus-security-api
, https://github.com/quarkusio/quarkus-security, (to be renamed to quarkus-security-api
in the next 2.0.4
release) contains a few interfaces only which represent key Quarkus security abstractions, it is a light weight dependency.
Specifically, it has TokenCredential
representing the current OIDC access token. How can it be relevant ?
I've noticed two modules (and possibly a few more) require the access tokens in order to access remotely hosted LLMs, such as azure-openai
, Google gemini
.
So, having TokenCredential
injected will let azure-openai
, Google gemini
and other modules which access LLMs hosted as social OIDC provider services, to use the current session's access token.
For example, it would be possible to create variations of #539, which would require a user authentication with either Azure or Google and use an injected TokenCredential
to pick up the current access token to securely access remote LLMs on behalf of the currently authenticated user, as opposed to forwarding the bearer access token which was sent to the Quarkus endpoint. It won't impact the other options, but will add another one.
I can suggest a draft PR to show how it might work.
FYI, WebSockets Next in Quarkus 3.11 will also bring quarkus-security-api
.
Definitely sounds interesting