Problem Statement
Problem
The supervisor's credential proxy intercepts the Authorization header on incoming requests and attempts to parse it as an OpenShell gateway session token. When an external JWT (e.g., from Auth0, Keycloak, or any OIDC provider) arrives in the Authorization header, the supervisor returns 500 "invalid token: token is malformed".
This prevents using standard bearer token authentication for agents that are exposed as API services to external clients.
Current Behavior
- External client sends: Authorization: Bearer
- Supervisor intercepts the header
- Supervisor tries to parse it as an OpenShell session token
- Parsing fails → 500 Internal Server Error
Proposed Design
Desired Behavior
Option A: Configurable header behavior — allow the sandbox to declare that the supervisor should not intercept Authorization headers (pass-through mode):
spec:
supervisor:
credentials:
passthroughInboundAuth: true # Don't intercept incoming Authorization headers
Option B: Graceful fallback — if the token is not a valid OpenShell session token, pass it through unchanged instead of erroring.
Option C: Separate header — use a different header for OpenShell credentials (e.g., X-OpenShell-Token) so Authorization is always available for the agent's own use.
Alternatives Considered
Use Case
Deploying agents as long-running API services where external clients authenticate with JWTs from an enterprise identity provider (Auth0, Keycloak, Okta). The agent needs to receive the user's identity for personalization, audit, or downstream delegation (On-Behalf-Of flows).
Workaround
We use an Istio ext_authz filter at the sidecar level that:
- Validates the external JWT
- Strips the Authorization header (so supervisor doesn't see it)
- Injects X-End-User-ID for identity propagation
- Injects X-Original-Token for downstream OBO flows
This works but loses the ability to have the agent itself validate/inspect the original token.
Agent Investigation
No response
Checklist
Problem Statement
Problem
The supervisor's credential proxy intercepts the Authorization header on incoming requests and attempts to parse it as an OpenShell gateway session token. When an external JWT (e.g., from Auth0, Keycloak, or any OIDC provider) arrives in the Authorization header, the supervisor returns 500 "invalid token: token is malformed".
This prevents using standard bearer token authentication for agents that are exposed as API services to external clients.
Current Behavior
Proposed Design
Desired Behavior
Option A: Configurable header behavior — allow the sandbox to declare that the supervisor should not intercept Authorization headers (pass-through mode):
Option B: Graceful fallback — if the token is not a valid OpenShell session token, pass it through unchanged instead of erroring.
Option C: Separate header — use a different header for OpenShell credentials (e.g., X-OpenShell-Token) so Authorization is always available for the agent's own use.
Alternatives Considered
Use Case
Deploying agents as long-running API services where external clients authenticate with JWTs from an enterprise identity provider (Auth0, Keycloak, Okta). The agent needs to receive the user's identity for personalization, audit, or downstream delegation (On-Behalf-Of flows).
Workaround
We use an Istio ext_authz filter at the sidecar level that:
This works but loses the ability to have the agent itself validate/inspect the original token.
Agent Investigation
No response
Checklist