Inbound
The features of Agent Identity can be divided into two parts based on the workflow direction: inbound and outbound. Agent Identity inbound authentication is a secure authentication service for your AI agents or other applications. Your application or agent can call the Agent Identity API to obtain a short-lived Workload Access Token after successful authentication and authorization.
Inbound authentication methods
The Agent Identity service provides various APIs to perform inbound authentication and obtain a Workload Access Token.
-
OpenAPI signature verification: This is the default authentication mechanism when you call protected Alibaba Cloud OpenAPI operations. The credentials tool in the Alibaba Cloud SDK automatically determines which credentials to use based on the deployment environment, such as an STS token or an AccessKey. If an agent is deployed on an Alibaba Cloud-managed agent runtime platform, such as Model Studio, you can use the platform to perform secure, keyless authentication.
-
JWT token verification: Agent Identity can accept and verify a JWT token issued by a trusted OIDC identity provider. The verification process checks the token's signature, issuer, and audience. When signing in to an application, a user authenticates with their identity provider to obtain a JWT token.
The following table lists the inbound authentication methods for different business scenarios.
|
Business scenario |
API |
Inbound authentication method |
|
With user involvement |
|
OpenAPI signature verification and JWT token verification |
|
|
OpenAPI signature verification |
|
|
Without user involvement |
|
OpenAPI signature verification |
OpenAPI signature verification is required for all API calls that obtain a Workload Access Token. Therefore, you must ensure that your agent's deployment environment has access to Alibaba Cloud access credentials.
Inbound authorization
When you call the Agent Identity GetWorkloadAccessToken* series of APIs, you need to complete inbound authorization.
You can create a custom policy for the agent's runtime identity, such as a RAM role, and grant it the required permissions.
Example policy:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"agentidentitydata:GetWorkloadAccessToken",
"agentidentitydata:GetWorkloadAccessTokenForJWT",
"agentidentitydata:GetWorkloadAccessTokenForUserId",
],
"Resource": "*"
}
],
"Version": "1"
}
Identity provider configuration
You can integrate Agent Identity with any external identity provider (IdP) that is compatible with the OpenID Connect (OIDC) protocol. This allows an agent to authenticate with Agent Identity by presenting a JWT obtained from an external IdP.
To use a JWT from an external identity provider, such as Okta or your own OIDC service, to obtain a Workload Access Token, you must first configure that provider in Agent Identity.
-
To learn how to manage identity providers in Agent Identity, see Identity Provider Management.
-
For instructions on how to configure typical identity providers such as Alibaba Cloud and Okta, see Typical Identity Provider Setup Tutorial.