ksylvan (Collaborator) commented Jul 1, 2025

OAuth Authentication Support for Anthropic

Summary

This PR adds OAuth authentication support for the Anthropic Claude provider in Fabric, allowing users to authenticate using their Claude account credentials instead of requiring an API key. The implementation includes secure token storage, automatic token refresh, and comprehensive test coverage.

Related Issues

Closes #1534

Files Changed

New Files Added

  • common/oauth_storage.go - Core OAuth token storage functionality with secure file operations
  • common/oauth_storage_test.go - Comprehensive test suite for OAuth storage operations
  • plugins/ai/anthropic/oauth.go - OAuth flow implementation specific to Anthropic's authentication system

Modified Files

  • plugins/ai/anthropic/anthropic.go - Enhanced to support OAuth authentication alongside existing API key authentication
  • go.mod - Moved golang.org/x/oauth2 from indirect to direct dependency
  • restapi/configuration.go - Added OAuth configuration option to REST API endpoints

Code Changes

OAuth Storage Implementation

The new OAuthStorage struct provides secure token management:

type OAuthToken struct {
    AccessToken  string `json:"access_token"`
    RefreshToken string `json:"refresh_token"`
    ExpiresAt    int64  `json:"expires_at"`
    TokenType    string `json:"token_type"`
    Scope        string `json:"scope"`
}

Key features:

  • Tokens stored in ~/.config/fabric/ with 0600 permissions
  • Atomic file operations using temporary files
  • Expiration checking with configurable buffer time
  • Safe deletion of expired tokens

Anthropic OAuth Integration

The OAuth implementation includes:

  • PKCE (Proof Key for Code Exchange) for enhanced security
  • Custom HTTP transport that automatically adds Bearer tokens
  • Automatic token refresh when tokens expire
  • Fallback to re-authentication if refresh fails

Configuration Updates

Added OAuth support to the REST API configuration:

  • New anthropic_use_oauth_login configuration option
  • Maintains backward compatibility with existing API key authentication

Reason for Changes

This enhancement addresses the need for users to authenticate with Claude using their existing accounts rather than requiring separate API keys. OAuth provides a more user-friendly authentication experience and aligns with modern authentication practices.

Impact of Changes

Positive Impacts

  • Improved User Experience: Users can authenticate using their existing Claude accounts
  • Enhanced Security: OAuth tokens are more secure than long-lived API keys
  • Automatic Token Management: Tokens are automatically refreshed, reducing authentication failures

Potential Risks

  • Additional Complexity: OAuth flow is more complex than API key authentication
  • Network Dependencies: OAuth requires internet connectivity for token refresh
  • Browser Dependency: Initial authentication requires opening a web browser

Test Plan

The implementation includes comprehensive unit tests covering:

  • Token expiration logic with various scenarios
  • Secure file operations with proper permissions
  • Token save/load/delete operations
  • Error handling for non-existent tokens
  • Path generation for different providers

Manual testing should verify:

  1. OAuth flow completion in web browser
  2. Token storage and retrieval
  3. Automatic token refresh
  4. Fallback to API key authentication when OAuth is disabled

Demo of functionality

Removed the auth token (~/.config/fabric/.claude_oauth).

fabric --search -m $MODEL_CLAUDE 'Tell me about the world news today in the world of Chess.'
No OAuth token found, initiating authentication...
Open the following URL in your browser. Fabric would like to authorize:
https://claude.ai/oauth/authorize?client_id=[...]
Paste the authorization code here: [REDACTED]

Additional Notes

Security Considerations

  • OAuth tokens are stored with restrictive file permissions (0600)
  • Temporary files are used for atomic operations
  • Tokens include expiration times and are automatically refreshed
  • The implementation follows OAuth 2.0 best practices with PKCE

Backward Compatibility

  • Existing API key authentication continues to work unchanged
  • OAuth is opt-in via configuration setting
  • No breaking changes to existing functionality
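
The storage behaviour described above (a 0600 temp file swapped in by rename, plus an expiry check with a buffer), as an added example that is not the PR's own code. The struct fields are the ones shown in the PR; the helper names, the temp-file pattern and the path passed in are assumptions.

```go
package main

import (
	"encoding/json"
	"os"
	"path/filepath"
	"time"
)

// OAuthToken mirrors the record the PR persists (field names from the PR).
type OAuthToken struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresAt    int64  `json:"expires_at"` // Unix seconds
	TokenType    string `json:"token_type"`
	Scope        string `json:"scope"`
}

// IsExpired is true once the token is within buffer of its deadline, so the
// caller refreshes ahead of time instead of after a 401.
func (t *OAuthToken) IsExpired(now time.Time, buffer time.Duration) bool {
	return !now.Add(buffer).Before(time.Unix(t.ExpiresAt, 0))
}

// SaveToken writes atomically: JSON goes to a 0600 temp file in the target
// directory and a rename swaps it in, so a crash never leaves a partial file.
func SaveToken(path string, tok *OAuthToken) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".oauth-*.tmp") // mode 0600
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if err := json.NewEncoder(tmp).Encode(tok); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// LoadToken reads a stored token; a missing file means a fresh login is needed.
func LoadToken(path string) (*OAuthToken, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	tok := &OAuthToken{}
	return tok, json.Unmarshal(data, tok)
}
```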

ksylvan (Collaborator, Author) commented Jul 2, 2025

Stopped here:

fabric -p ai -m $MODEL_CLAUDE 'Why is the sky blue?'
POST "https://api.anthropic.com/v1/messages": 401 Unauthorized {"type":"error","error":{"type":"authentication_error","message":"OAuth authentication is currently not supported."}}

We have to figure out how Claude Code does its magic when it grabs the OAuth token.

eugeis (Collaborator) commented Jul 4, 2025

LGTM

@ksylvan ksylvan marked this pull request as ready for review July 5, 2025 15:27
@ksylvan ksylvan marked this pull request as draft July 5, 2025 15:31
- Move golang.org/x/oauth2 from indirect to direct dependency
- Add OAuth login option for Anthropic client
- Implement PKCE OAuth flow with browser integration
- Add custom HTTP transport for OAuth Bearer tokens
- Support both API key and OAuth authentication methods
- Add Claude Code system message for OAuth sessions
- Update REST API to handle OAuth tokens
- Improve environment variable name sanitization with regex
@ksylvan ksylvan force-pushed the 0701-claude-oauth-support branch from 9b0b531 to 4bff88f Compare July 5, 2025 15:32
ksylvan (Collaborator, Author) commented Jul 5, 2025

Okay, @eugeis and @johnsaigle, I got it to work. I will be finalizing the PR soon.

We use the same technique that the sst/opencode repo uses to spoof being Claude Code.

… authentication

## CHANGES

- Add automatic OAuth token refresh when expired
- Implement persistent token storage using common OAuth storage
- Remove deprecated AuthToken setting from client configuration
- Add token validation with 5-minute expiration buffer
- Create refreshToken function for seamless token renewal
- Update OAuth flow to save complete token information
- Enhance error handling for OAuth authentication failures
- Simplify client configuration by removing manual token management
ksylvan added 2 commits July 5, 2025 09:37
## CHANGES

- Remove OAuth-specific v1 endpoint handling logic
- Standardize all API calls to use v2 endpoint
- Simplify baseURL configuration by removing conditional branching
- Update endpoint logic to always append v2 suffix
…ion and timeout handling

## CHANGES

- Add automatic OAuth flow initiation when no token exists
- Implement fallback re-authentication when token refresh fails
- Add timeout contexts for OAuth and refresh operations
- Create context-aware OAuth flow and token exchange functions
- Enhance error handling with graceful authentication recovery
- Add user input timeout protection for authorization codes
- Preserve refresh tokens during token exchange operations
@ksylvan ksylvan changed the title Add OAuth auhentication support for Anthropic Add OAuth authentication support for Anthropic Jul 5, 2025
@ksylvan ksylvan marked this pull request as ready for review July 5, 2025 18:26
@ksylvan ksylvan requested a review from Copilot July 5, 2025 18:26

ksylvan added 2 commits July 5, 2025 11:39
### CHANGES

- Remove redundant base URL trimming logic
- Append base URL directly without modification
- Eliminate conditional check for API version suffix
@ksylvan ksylvan marked this pull request as draft July 5, 2025 19:01
@ksylvan ksylvan marked this pull request as ready for review July 5, 2025 21:32
@ksylvan ksylvan requested a review from Copilot July 5, 2025 21:32

ksylvan added 2 commits July 5, 2025 14:46
…te module

## CHANGES

- Remove OAuth transport implementation from main client
- Extract OAuth flow functions to separate module
- Remove unused imports and constants from client
- Replace inline OAuth transport with NewOAuthTransport call
- Update runOAuthFlow to exported RunOAuthFlow function
- Clean up token management and refresh logic
- Simplify client configuration by removing OAuth internals
@ksylvan ksylvan changed the title Add OAuth authentication support for Anthropic OAuth Authentication Support for Anthropic Jul 5, 2025
@ksylvan ksylvan merged commit 369a0a8 into danielmiessler:main Jul 5, 2025
1 check passed
@ksylvan ksylvan deleted the 0701-claude-oauth-support branch July 5, 2025 22:24
Successfully merging this pull request may close these issues.

[Feature request]: Add Claude Pro authentication method