Add browser-based agent authorization flow #940

Merged: chubes4 merged 2 commits into main from feature/agent-authorize-flow on Mar 22, 2026

@chubes4 chubes4 commented Mar 22, 2026

Summary

OAuth-style consent flow for agents to obtain bearer tokens — no manual token copying needed.

The Flow

Agent                          Browser                    extrachill.com
─────                          ───────                    ──────────────
Opens authorize URL ──────────────────────────────────→  /datamachine/v1/agent/authorize
                                                          ?agent_slug=sarai
                                                          &redirect_uri=http://localhost:9999/callback

                               Not logged in? ──────────→ wp-login.php → back to authorize
                               
                               Consent screen:
                               "Sarai Chinwag wants access"
                               [Authorize] [Deny]
                               
                               User clicks Authorize ───→ Validates nonce + access
                                                          Mints bearer token
                                                          Redirects to callback?token=datamachine_sarai_...

Agent catches callback
Stores token locally
Done.

Security

  • WordPress nonce CSRF protection on the form POST
  • User must be logged in (redirects to wp-login if not)
  • User must be agent owner or have admin access grant
  • redirect_uri validated: only localhost, same-site, or domains registered via datamachine_authorize_allowed_domains filter

Files

  • inc/Core/Auth/AgentAuthorize.php — new file, the full authorize flow (GET consent screen + POST handler)
  • data-machine.php — wires up the new class alongside AgentAuthMiddleware

Testing

  • Unauthenticated request → 302 to wp-login ✅
  • Authenticated request → consent screen renders ✅
  • Same pattern GitHub, Slack, and Stripe use for OAuth consent

OAuth-style consent flow for agents to obtain bearer tokens:
1. Agent opens authorize URL with agent_slug + redirect_uri
2. User logs in (if needed) and sees consent screen
3. User clicks Authorize → token minted → redirected to callback with token
4. User clicks Deny → redirected with error

Security: WordPress nonce CSRF protection, redirect_uri validated
against localhost/same-site/registered domains (filterable via
datamachine_authorize_allowed_domains).

Enables self-service token acquisition for local and remote agents
without manual token copying.
@chubes4 chubes4 marked this pull request as draft March 22, 2026 22:29
@chubes4 chubes4 marked this pull request as ready for review March 22, 2026 22:30
- Redirect URIs validated against agent_config.allowed_redirect_uris
  instead of a global allowlist. Scopes blast radius per-agent.
- Localhost and same-site always allowed (dev + network).
- URI patterns support: exact match, wildcard path, domain-only.
- AgentAuthCallback receives tokens from external DM authorize flows
  and stores them in datamachine_external_tokens option.
- REST endpoints for listing/retrieving stored external tokens.
@chubes4 chubes4 merged commit c926758 into main Mar 22, 2026
1 check failed
@chubes4 chubes4 deleted the feature/agent-authorize-flow branch March 22, 2026 22:37
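
The redirect_uri rules listed in the second commit (localhost and same-site always allowed, then per-agent exact, wildcard-path and domain-only patterns), sketched as an added example that is not the plugin's code. It compares the parsed host instead of matching string prefixes, so look-alike hosts and userinfo tricks fail. Assumptions: the function name, the pattern syntax shown in the comments, https-only for domain-only patterns, and same-site meaning an exact host match.

```php
<?php
// Added example, not code from the Data Machine plugin. Assumed pattern syntax:
// exact "https://h/cb", wildcard path "https://h/agents/*", domain-only "h".
function example_redirect_uri_allowed(string $uri, array $patterns, string $site_host): bool {
    // Browsers and parse_url() disagree on backslashes, spaces and control bytes: refuse them.
    if (preg_match('/[\\\\\x00-\x20]/', $uri)) {
        return false;
    }
    $u = parse_url($uri);
    if (!is_array($u) || !isset($u['scheme'], $u['host']) || isset($u['user']) || isset($u['pass'])) {
        return false; // relative, malformed, or carrying userinfo (http://localhost@other-host/)
    }
    $scheme = strtolower($u['scheme']);
    $host   = strtolower($u['host']);
    $path   = $u['path'] ?? '/';
    if (!in_array($scheme, ['http', 'https'], true)
        || preg_match('#(^|/)\.\.?(/|$)#', rawurldecode($path))) {
        return false; // non-web scheme, or dot segments that could escape a path prefix
    }
    // Loopback and same-site are always allowed per the PR; match the parsed host exactly.
    if (in_array($host, ['localhost', '127.0.0.1', '[::1]'], true) || $host === strtolower($site_host)) {
        return true;
    }
    foreach ($patterns as $pattern) {
        if (strpos($pattern, '://') === false) {           // domain-only (https assumed)
            $ok = $scheme === 'https' && $host === strtolower($pattern);
        } elseif (substr($pattern, -2) !== '/*') {         // exact match
            $ok = $uri === $pattern;
        } else {                                           // wildcard path, prefix keeps its "/"
            $p  = parse_url(substr($pattern, 0, -1));
            $ok = is_array($p) && isset($p['scheme'], $p['host'], $p['path'])
                && $scheme === strtolower($p['scheme']) && $host === strtolower($p['host'])
                && ($u['port'] ?? null) === ($p['port'] ?? null)
                && strncmp($path, $p['path'], strlen($p['path'])) === 0;
        }
        if ($ok) {
            return true;
        }
    }
    return false;
}
// Constructed sample inputs (hypothetical agent allowlist and callback URIs).
$patterns = ['https://agent.example.net/callback', 'https://app.example.com/agents/*', 'hooks.example.org'];
$samples  = ['http://localhost:9999/callback', 'http://localhost.evil.example/callback',
    'http://localhost@evil.example/callback', 'https://app.example.com/agents/sarai/cb',
    'https://app.example.com/agents/../admin', 'https://hooks.example.org/in'];
foreach ($samples as $uri) {
    printf("%-45s %s\n", $uri, example_redirect_uri_allowed($uri, $patterns, 'extrachill.com') ? 'allow' : 'reject');
}
```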