[Issue]: Securely Passing Authentication Tokens in AutoGen #3205

Closed
@Noel1997

Describe the issue

Context:

  • We are using AutoGen for automating the development of data transformation pipelines by orchestrating LLM interactions and tool use.
  • Within the context of tool use, we need to figure out a secure method of passing sensitive information (authentication tokens in our case) to the registered function.
  • The current approach uses a global dictionary to map hash IDs to tokens. The LLM is provided with the hash ID, and the function retrieves the token using this hash ID.

Current Implementation:
Currently, in our AutoGen setup, we are using a one-way hash with an MD5 key to handle authentication tokens securely.

The process is as follows:

  • The authentication token is stored in a global dictionary with its one-way hash (MD5) as the key.
  • The LLM is passed a hash ID (one-way hash) instead of the actual token.
  • Inside the function that requires the token, the hash ID is used to retrieve the token from the global dictionary.

Example code for the current implementation:

import hashlib
from typing import Dict, Optional

import httpx

# Global dictionary to store tokens securely
token_store: Dict[str, str] = {}

def store_token(token: str) -> str:
    # Key is the MD5 of the token itself; the LLM is handed this hash ID
    hash_id = hashlib.md5(token.encode()).hexdigest()
    token_store[hash_id] = token
    return hash_id

def retrieve_token(hash_id: str) -> Optional[str]:
    return token_store.get(hash_id)

def activate_nexset(hash_id: str, dataset_id: int) -> Dict:
    try:
        token = retrieve_token(hash_id)
        if not token:
            raise ValueError("Invalid token hash ID")

        url = f"<url>"
        headers = {
            "Authorization": f"Bearer {token}",
            "Content-Type": ""
        }

        response = httpx.put(url, headers=headers)
        return response.json()
    except httpx.HTTPError as exc:
        # Surface transport failures without echoing the token in the message
        raise RuntimeError(f"activate_nexset failed for dataset {dataset_id}") from exc

Question:
Is there a way in AutoGen to securely pass authentication tokens to functions that require them, without exposing these tokens to the LLM? We are looking for best practices or any built-in mechanisms in AutoGen that could help us achieve this.

Any guidance or suggestions on securely handling authentication tokens in this context would be greatly appreciated.

Steps to reproduce

No response

Screenshots and logs

No response

Additional Information

No response
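Added example, not code from the issue or from AutoGen: it shows one way to keep the token out of the LLM-facing tool signature entirely, which addresses the question above. Instead of keying the store by md5(token) (a deterministic fingerprint of the secret that can also be handed back in as a lookup key), the vault issues a random opaque handle, and a factory closes over that handle so the registered tool takes only `dataset_id`. The HTTP call is injected (`http_put`) so the example runs offline; the URL is a placeholder since the issue elides it, and the assumption that AutoGen builds the tool schema from the Python signature (via `inspect.signature`) is an assumption, not something the issue states.

```python
import hashlib
import inspect
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed example (not AutoGen's code): the token lives in a process-local
# vault under a random opaque handle, and the tool the LLM calls is produced by
# a factory that captures that handle in a closure, so the LLM-facing signature
# carries only the business parameter (dataset_id).


class TokenVault:
    """In-memory token store keyed by random handles rather than md5(token)."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def put(self, token: str) -> str:
        # 128 random bits from the OS CSPRNG: reveals nothing about the token,
        # whereas md5(token) is a deterministic function of the secret.
        handle = secrets.token_urlsafe(16)
        self._store[handle] = token
        return handle

    def get(self, handle: str) -> Optional[str]:
        return self._store.get(handle)

    def revoke(self, handle: str) -> None:
        # Revocation is per handle: a leaked handle can be invalidated
        # without rotating the underlying token.
        self._store.pop(handle, None)


HttpPut = Callable[[str, Dict[str, str]], Dict]


class RecordingTransport:
    """Stand-in for httpx.put so the example runs offline; records each call."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, str]]] = []

    def __call__(self, url: str, headers: Dict[str, str]) -> Dict:
        self.calls.append((url, dict(headers)))
        return {"status": "activated"}


def make_activate_nexset(vault: TokenVault, handle: str, http_put: HttpPut) -> Callable[[int], Dict]:
    """Build the tool. `handle` is captured by the closure and is never a
    parameter, so it does not appear in the schema a registration layer that
    reads the signature (assumed for AutoGen) would show the model."""

    def activate_nexset(dataset_id: int) -> Dict:
        """Activate a dataset by id."""
        token = vault.get(handle)
        if token is None:
            raise PermissionError("token handle unknown or revoked")
        # Placeholder endpoint: the real URL is not given in the issue.
        url = f"https://api.example.invalid/datasets/{dataset_id}/activate"
        headers = {
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        }
        # Return only the response body; the token never travels back to the LLM.
        return http_put(url, headers)

    return activate_nexset


def llm_visible_parameters(tool: Callable[..., Dict]) -> List[str]:
    """Parameter names a signature-derived tool schema would expose."""
    return list(inspect.signature(tool).parameters)


def handle_is_derived_from_token(handle: str, token: str) -> bool:
    """True when the handle is md5(token), the property the original design
    has: the identifier given to the model is a fingerprint of the secret."""
    return handle == hashlib.md5(token.encode()).hexdigest()


if __name__ == "__main__":
    vault = TokenVault()
    h = vault.put("constructed-token-value")  # constructed sample token
    transport = RecordingTransport()
    tool = make_activate_nexset(vault, h, transport)
    print(llm_visible_parameters(tool))  # ['dataset_id']
    print(tool(42))
    vault.revoke(h)
```

The closure keeps the token out of the prompt, the tool schema and the function-call arguments, but the executor process still holds it: if the same agent can also run arbitrary code in that process, it can read the vault, so tool execution should live in a separate executor from any code-execution capability, and tool return values should be checked so the token is not echoed back to the model in a response body or error string.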

Labels: 0.2 (issues which are related to the pre-0.4 codebase), needs-triage