Skip to content

feat: Disable use of private / public keys when IBM_AUTH_ENABLED is true#1409

Open
mpawlow wants to merge 1 commit intorelease-saas-0.1from
mp/feat/saas/GH-1393-disable-private-keys-ibm-auth-enabled
Open

feat: Disable use of private / public keys when IBM_AUTH_ENABLED is true#1409
mpawlow wants to merge 1 commit intorelease-saas-0.1from
mp/feat/saas/GH-1393-disable-private-keys-ibm-auth-enabled

Conversation

@mpawlow
Copy link
Copy Markdown
Collaborator

@mpawlow mpawlow commented Apr 15, 2026
edited
Loading

Issue

Related Pull Requests

Summary

  • Disabled JWT key generation and local token signing/verification when IBM_AUTH_ENABLED is true, delegating all authentication to Traefik in IBM/SaaS deployments.

Session Manager Updates

  • Imported IBM_AUTH_ENABLED at module level in session_manager.py instead of inside individual methods.
  • Set private_key, public_key, public_key_pem, and algorithm to None when IBM auth mode is active and no explicit signing key is configured (RSA key loading skipped).
  • Guarded create_jwt_token to return None early and log an error when private_key is None (IBM auth mode).
  • Guarded verify_token to return None immediately when IBM_AUTH_ENABLED is set, since token verification is handled externally by Traefik.
  • Guarded get_effective_jwt_token to return None when private_key is None, preventing anonymous JWT creation in IBM auth mode.

Startup / Key Generation Updates

  • Skipped generate_jwt_keys() call in initialize_services() when IBM_AUTH_ENABLED is true, preventing unnecessary RSA key file creation in IBM/SaaS deployments.

@mpawlow mpawlow self-assigned this Apr 15, 2026
@github-actions github-actions Bot added backend 🔷 Issues related to backend services (OpenSearch, Langflow, APIs) enhancement 🔵 New feature or request labels Apr 15, 2026
@mpawlow mpawlow force-pushed the mp/feat/saas/GH-1393-disable-private-keys-ibm-auth-enabled branch from 7137d56 to 5faf2a9 Compare April 16, 2026 12:57
@github-actions github-actions Bot added enhancement 🔵 New feature or request and removed enhancement 🔵 New feature or request labels Apr 16, 2026
@mpawlow mpawlow mentioned this pull request Apr 16, 2026
Open
@github-actions github-actions Bot added enhancement 🔵 New feature or request and removed enhancement 🔵 New feature or request labels Apr 16, 2026
@mpawlow
Copy link
Copy Markdown
Collaborator Author

mpawlow commented Apr 16, 2026

Test Cloud / SaaS Build

@mpawlow
Copy link
Copy Markdown
Collaborator Author

mpawlow commented Apr 16, 2026

Status Update

  • 🚧 Sanity test changes for 1.1.0-saas-0.1 build in Cloud / SaaS environment

@mpawlow mpawlow force-pushed the mp/feat/saas/GH-1393-disable-private-keys-ibm-auth-enabled branch from 5faf2a9 to 3b611a2 Compare April 20, 2026 14:18
@github-actions github-actions Bot added enhancement 🔵 New feature or request and removed enhancement 🔵 New feature or request labels Apr 20, 2026
@mpawlow
feat: Disable use of private / public keys when IBM_AUTH_ENABLED is true
d33e1a4 
Issue

- #1393

Summary

- Disabled JWT key generation and local token signing/verification when `IBM_AUTH_ENABLED` is true, delegating all authentication to Traefik in IBM/SaaS deployments.

Session Manager Updates

- Imported `IBM_AUTH_ENABLED` at module level in `session_manager.py` instead of inside individual methods.
- Set `private_key`, `public_key`, `public_key_pem`, and `algorithm` to `None` when IBM auth mode is active and no explicit signing key is configured (RSA key loading skipped).
- Guarded `create_jwt_token` to return `None` early and log an error when `private_key` is `None` (IBM auth mode).
- Guarded `verify_token` to return `None` immediately when `IBM_AUTH_ENABLED` is set, since token verification is handled externally by Traefik.
- Guarded `get_effective_jwt_token` to return `None` when `private_key` is `None`, preventing anonymous JWT creation in IBM auth mode.

Startup / Key Generation Updates

- Skipped `generate_jwt_keys()` call in `initialize_services()` when `IBM_AUTH_ENABLED` is true, preventing unnecessary RSA key file creation in IBM/SaaS deployments.
@mpawlow mpawlow force-pushed the mp/feat/saas/GH-1393-disable-private-keys-ibm-auth-enabled branch from 3b611a2 to d33e1a4 Compare April 20, 2026 16:26
@github-actions github-actions Bot added enhancement 🔵 New feature or request and removed enhancement 🔵 New feature or request labels Apr 20, 2026
edwinjosechittilappilly
edwinjosechittilappilly approved these changes Apr 21, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@edwinjosechittilappilly edwinjosechittilappilly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, merge only after testing.

@github-actions github-actions Bot added the lgtm label Apr 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@edwinjosechittilappilly edwinjosechittilappilly edwinjosechittilappilly approved these changes

Assignees

@mpawlow mpawlow

Labels

backend 🔷 Issues related to backend services (OpenSearch, Langflow, APIs) enhancement 🔵 New feature or request lgtm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mpawlow @edwinjosechittilappilly