a2a-Market Google OAuth
Create a stable OAuth integration shell for buyer and merchant sign-in.
Current status: publish-ready scaffold. Keep flows explicit and deterministic before full SSO hardening.
Scope
- Implement Google OAuth authorization code flow.
- Link external identity to internal Agent/Operator profile.
- Bootstrap session token and refresh workflow after callback.
Suggested Project Layout
- `app/integrations/oauth/googleclient.py`
- `app/interfaces/api/authroutes.py`
- `app/application/services/sessionservice.py`
- `app/protocol/identity/useridentity_mapper.py`
Minimum Contracts (MVP P0)
1. `GET /auth/google/start` builds state + redirect URL.
2. `GET /auth/google/callback` validates state and exchanges the authorization code.
3. `upsertidentity(provider, provideruserid, email)` returns the internal principal id.
4. `createsession(principal_id)` returns a short-lived access token and a refresh token.
Security Baseline
- Validate state and nonce against the server-side cache.
- Reject the callback if issuer/audience do not match configuration.
- Store only hashed refresh tokens and rotate on use.
Events
- Emit login event to audit log stream.
- Emit session-created event for WebSocket presence bootstrap.
Implementation Backlog
- Add account merge flow for duplicate emails across providers.
- Add step-up verification for risky sessions.
Runtime Implementation
- Status: implemented in local runtime package.
- Primary code paths:
  - `runtime/src/integrations/oauth/google-oauth-service.js`
- Validation: covered by `runtime/tests` and `npm test` in `runtime/`.
Skill name: a2a-market-google-oauth