feat: update README draft link and operation policy text #21
Merged
Description
This PR improves the authorization consent UX, optimizes the LLM-powered operation policy rendering, makes PAR request expiry configurable, and updates the IETF Draft reference links.
Root cause: E2E tests were failing because the PAR (Pushed Authorization Request) expiry was hardcoded to 90 seconds in DefaultOAuth2ParServer, which was insufficient for flows involving multiple redirects (Agent → AS → User IDP → OIDC consent → AS callback → AOA consent), especially when using slower LLM models like qwen3-coder-plus.
Type of Change
Changes Made
1. Configurable PAR Request Expiry (feat(config))
- parRequestExpiry property (default: 600s) to OAuth2ServerProperties.OAuth2TokenProperties with full Javadoc and RFC 9126 reference
- AuthorizationServerAutoConfiguration.parServer() to read PAR expiry from configuration instead of using the hardcoded 90s default
- par-request-expiry: 600 in sample-authorization-server's application.yml
2. Consent Page Loading State UX (feat(ui))
- aoa_consent.html and oidc_consent.html to prevent duplicate form submissions
3. LLM Operation Policy Rendering Optimization (feat(aoa))
- QwenLlmOperationTextRenderer system prompt from a 3-section structured output to a concise 1–3 sentence plain-language paragraph
- qwen3-coder-flash to qwen3-coder-plus for higher quality rendering
4. Documentation Update (doc(README))
- draft-liu-agent-operation-authorization-00 (GitHub XML) to draft-liu-agent-operation-authorization-01 (official IETF Datatracker) in both README.md and README.zh-CN.md
Testing
Test Instructions:
Checklist
Breaking Changes
None. The PAR expiry default is changed from 90s to 600s, but this is a configuration-level change that improves compatibility with real-world authorization flows. Existing deployments can override via open-agent-auth.capabilities.oauth2-server.token.par-request-expiry.
Additional Context
Commits:
f4c32b8b — doc(README): update agent operation authorization IETF Draft link
e9d3d9ea — feat(aoa): optimize policy operation render rules in the agent operation authorization consent page
1921afb7 — feat(aoa): remove token expiration from operation policy text
07d3adb7 — feat(ui): add loading disable button after authorization operation
b686b29b — test: fix unit test
e5861ba3 — feat(config): make PAR request expiry configurable
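A longer PAR lifetime lengthens the window in which a leaked request_uri can be replayed, so the expiry setting is best paired with client binding and one-time redemption. The sketch below is an added example, not code from this PR or from DefaultOAuth2ParServer; the class ParRequestStore and its methods are hypothetical, and the 5 to 600 second bound is an assumption taken from the range RFC 9126 gives as typical.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical store for illustration; not the project's DefaultOAuth2ParServer.
public final class ParRequestStore {
    private static final String PREFIX = "urn:ietf:params:oauth:request_uri:";
    private record Entry(String clientId, Map<String, String> params, Instant expiresAt) {}
    private final Map<String, Entry> pending = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration expiry;
    private final Clock clock;

    public ParRequestStore(Duration expiry, Clock clock) {
        // Assumed policy: reject lifetimes outside the range RFC 9126 calls typical.
        if (expiry.compareTo(Duration.ofSeconds(5)) < 0 || expiry.compareTo(Duration.ofSeconds(600)) > 0) {
            throw new IllegalArgumentException("PAR expiry outside 5..600s: " + expiry);
        }
        this.expiry = expiry;
        this.clock = clock;
    }

    /** Stores the pushed parameters and returns an unguessable request_uri. */
    public String push(String clientId, Map<String, String> params) {
        byte[] id = new byte[32];
        random.nextBytes(id);
        String uri = PREFIX + Base64.getUrlEncoder().withoutPadding().encodeToString(id);
        pending.put(uri, new Entry(clientId, Map.copyOf(params), clock.instant().plus(expiry)));
        return uri;
    }

    /** Redeems a request_uri once, only for the client that pushed it, only before expiry. */
    public Optional<Map<String, String>> consume(String requestUri, String clientId) {
        Entry e = pending.get(requestUri);
        if (e == null || !e.clientId().equals(clientId)) return Optional.empty();
        if (!pending.remove(requestUri, e)) return Optional.empty(); // lost a race: already redeemed
        return clock.instant().isBefore(e.expiresAt()) ? Optional.of(e.params()) : Optional.empty();
    }

    /** Drops entries that expired without being redeemed; call from a scheduled task. */
    public void purgeExpired() {
        Instant now = clock.instant();
        pending.values().removeIf(e -> !now.isBefore(e.expiresAt()));
    }
}
```

Passing a fixed or offset Clock lets a unit test step past the configured expiry without sleeping.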