The api should not start an oauth callback server

In api mode we are not the ones who manage the callback server, up to
the caller to do it for us and tell us when the auth is granted

Signed-off-by: Djordje Lukic <[email protected]>

Author: rumpl

pkg/oauth/manager.go

@@ -20,6 +20,7 @@ type manager struct {
 	serverMutex              sync.Mutex
 	redirectURI              string
 	port                     int
+	managedServer            bool
 }
 
 // NewManager creates a new OAuth manager with optional port configuration
@@ -29,6 +30,7 @@ func NewManager(emitAuthRequired func(serverURL, serverType, status string), opt
 		resumeAuthorizeOauthFlow: make(chan bool),
 		resumeOauthCodeReceived:  make(chan string),
 		port:                     8083,
+		managedServer:            true,
 	}
 
 	// Apply options
@@ -61,6 +63,12 @@ func WithRedirectURI(uri string) ManagerOption {
 	}
 }
 
+func WithManagedServer(managed bool) ManagerOption {
+	return func(m *manager) {
+		m.managedServer = managed
+	}
+}
+
 // HandleAuthorizationFlow handles a single OAuth authorization flow
 func (m *manager) HandleAuthorizationFlow(ctx context.Context, sessionID string, oauthErr *AuthorizationRequiredError) error {
 	m.emitAuthRequired(oauthErr.ServerURL, oauthErr.ServerType, "pending")
@@ -176,37 +184,41 @@ func (m *manager) performOAuthAuthorization(ctx context.Context, sessionID strin
 		slog.Warn("Failed to start callback server, falling back to manual input", "error", err)
 	}
 
-	// Check if we have a callback server running (either global or our own)
-	if callbackServer := m.getCallbackServer(); callbackServer != nil {
-		slog.Debug("Using callback server for OAuth authorization")
-		// Wait for callback from the browser
-		callbackCtx, cancel := context.WithTimeout(ctx, 5*time.Minute)
-		defer cancel()
+	if m.managedServer {
+		// Check if we have a callback server running (either global or our own)
+		if callbackServer := m.getCallbackServer(); callbackServer != nil {
+			slog.Debug("Using callback server for OAuth authorization")
+			// Wait for callback from the browser
+			callbackCtx, cancel := context.WithTimeout(ctx, 5*time.Minute)
+			defer cancel()
+
+			result, err := callbackServer.WaitForCallback(callbackCtx)
+			if err != nil {
+				if err == context.DeadlineExceeded {
+					return fmt.Errorf("OAuth authorization timed out after 5 minutes")
+				}
+				return fmt.Errorf("failed to wait for OAuth callback: %w", err)
+			}
 
-		result, err := callbackServer.WaitForCallback(callbackCtx)
-		if err != nil {
-			if err == context.DeadlineExceeded {
-				return fmt.Errorf("OAuth authorization timed out after 5 minutes")
+			if result.Error != "" {
+				return fmt.Errorf("OAuth authorization error: %s", result.Error)
 			}
-			return fmt.Errorf("failed to wait for OAuth callback: %w", err)
-		}
 
-		if result.Error != "" {
-			return fmt.Errorf("OAuth authorization error: %s", result.Error)
-		}
+			if result.Code == "" {
+				return fmt.Errorf("no authorization code received from OAuth callback")
+			}
 
-		if result.Code == "" {
-			return fmt.Errorf("no authorization code received from OAuth callback")
-		}
+			// Verify state parameter matches
+			receivedState := result.State
+			if receivedState != state {
+				slog.Warn("OAuth state mismatch", "expected", state, "received", receivedState)
+			}
 
-		// Verify state parameter matches
-		receivedState := result.State
-		if receivedState != state {
-			slog.Warn("OAuth state mismatch", "expected", state, "received", receivedState)
+			code = result.Code
+			slog.Debug("Received OAuth code via callback server", "code_present", code != "")
+		} else {
+			return fmt.Errorf("no callback server available for OAuth authorization")
 		}
-
-		code = result.Code
-		slog.Debug("Received OAuth code via callback server", "code_present", code != "")
 	} else {
 		// Fallback to manual input
 		slog.Debug("No callback server available, waiting for manual input")

pkg/runtime/runtime.go

@@ -67,6 +67,7 @@ type runtime struct {
 	tracer            trace.Tracer
 	modelsStore       modelStore
 	sessionCompaction bool
+	managedOAuth      bool
 }
 
 type Opt func(*runtime)
@@ -77,6 +78,12 @@ func WithCurrentAgent(agentName string) Opt {
 	}
 }
 
+func WithManagedOAuth(managed bool) Opt {
+	return func(r *runtime) {
+		r.managedOAuth = managed
+	}
+}
+
 // WithTracer sets a custom OpenTelemetry tracer; if not provided, tracing is disabled (no-op).
 func WithTracer(t trace.Tracer) Opt {
 	return func(r *runtime) {
@@ -110,6 +117,7 @@ func New(agents *team.Team, opts ...Opt) (Runtime, error) {
 		resumeChan:        make(chan ResumeType),
 		modelsStore:       modelsStore,
 		sessionCompaction: true,
+		managedOAuth:      true,
 	}
 
 	for _, opt := range opts {
@@ -139,7 +147,7 @@ func (r *runtime) handleOAuthAuthorizationFlow(ctx context.Context, sess *sessio
 		emitAuthRequired := func(serverURL, serverType, status string) {
 			events <- AuthorizationRequired(serverURL, serverType, status, r.currentAgent)
 		}
-		r.oauthManager = oauth.NewManager(emitAuthRequired)
+		r.oauthManager = oauth.NewManager(emitAuthRequired, oauth.WithManagedServer(r.managedOAuth))
 		defer func() {
 			if cleanupErr := r.oauthManager.Cleanup(ctx); cleanupErr != nil {
 				slog.Error("Failed to cleanup OAuth manager", "error", cleanupErr)

pkg/server/server.go

@@ -882,6 +882,7 @@ func (s *Server) runAgent(c echo.Context) error {
 	if !exists {
 		var opts []runtime.Opt = []runtime.Opt{
 			runtime.WithCurrentAgent(currentAgent),
+			runtime.WithManagedOAuth(false),
 		}
 		rt, err = runtime.New(t, opts...)
 		if err != nil {