Inbound

更新时间:
复制 MD 格式

The features of Agent Identity can be divided into two parts based on the workflow direction: inbound and outbound. Agent Identity inbound authentication is a secure authentication service for your AI agents or other applications. Your application or agent can call the Agent Identity API to obtain a short-lived Workload Access Token after successful authentication and authorization.

Inbound authentication methods

The Agent Identity service provides various APIs to perform inbound authentication and obtain a Workload Access Token.

  • OpenAPI signature verification: This is the default authentication mechanism when you call protected Alibaba Cloud OpenAPI operations. The credentials tool in the Alibaba Cloud SDK automatically determines which credentials to use based on the deployment environment, such as an STS token or an AccessKey. If an agent is deployed on an Alibaba Cloud-managed agent runtime platform, such as Model Studio, you can use the platform to perform secure, keyless authentication.

  • JWT token verification: Agent Identity can accept and verify a JWT token issued by a trusted OIDC identity provider. The verification process checks the token's signature, issuer, and audience. When signing in to an application, a user authenticates with their identity provider to obtain a JWT token.

The following table lists the inbound authentication methods for different business scenarios.

Business scenario

API

Inbound authentication method

With user involvement

GetWorkloadAccessTokenForJWT

OpenAPI signature verification and JWT token verification

GetWorkloadAccessTokenForUserId

OpenAPI signature verification

Without user involvement

GetWorkloadAccessToken

OpenAPI signature verification

Note

OpenAPI signature verification is required for all API calls that obtain a Workload Access Token. Therefore, you must ensure that your agent's deployment environment has access to Alibaba Cloud access credentials.

Inbound authorization

When you call the Agent Identity GetWorkloadAccessToken* series of APIs, you need to complete inbound authorization.

You can create a custom policy for the agent's runtime identity, such as a RAM role, and grant it the required permissions.

Example policy:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "agentidentitydata:GetWorkloadAccessToken",
        "agentidentitydata:GetWorkloadAccessTokenForJWT",
        "agentidentitydata:GetWorkloadAccessTokenForUserId",
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Identity provider configuration

You can integrate Agent Identity with any external identity provider (IdP) that is compatible with the OpenID Connect (OIDC) protocol. This allows an agent to authenticate with Agent Identity by presenting a JWT obtained from an external IdP.

To use a JWT from an external identity provider, such as Okta or your own OIDC service, to obtain a Workload Access Token, you must first configure that provider in Agent Identity.