fix(acp): Only advertise OAuth when not already authenticated#536
fix(acp): Only advertise OAuth when not already authenticated#536jpshackelford wants to merge 5 commits intomainfrom
Conversation
When using local mode with agent_settings.json configured, the ACP server was always returning OAuth authentication methods in the InitializeResponse. This caused JetBrains IDEs to show an unnecessary 'Authenticate with OpenHands Cloud' button even when local LLM settings were already configured. Now, the initialize() method checks _is_authenticated() before including auth methods. If the user is already authenticated (local agent has agent_settings.json, or cloud agent has valid API key), auth_methods is returned as empty. Fixes #535 Co-authored-by: openhands <openhands@all-hands.dev>
Coverage Report •
|
|||||||||||||||||||||||||
all-hands-bot
left a comment
all-hands-bot
left a comment
There was a problem hiding this comment.
🟢 Good taste - This is how you fix UI problems: don't add handlers for things that shouldn't be shown, just don't show them.
Why this works:
- Simple conditional eliminates a UI special case (showing auth when not needed)
- Solves a real user problem, not a theoretical one
- Tests cover both branches with real code paths (subclass over mocks - correct approach)
- No added complexity, no breaking changes
Verdict: ✅ Merge-worthy. Clean, pragmatic fix with proper test coverage.
Key insight: Good code removes edge cases rather than handling them.
|
I have put this back into draft because the PR doesn't properly consider the case of bedrock. I believe that one authentication mode for Bedrock is the boto3 is used to take authentication detail from an aws profile. Actually I think with Bedrock and LiteLLM there are three distinct modes of authentication:
@OpenHands Please do look into the version of LiteLLM we are using in the CLI or transitively via |
|
I'm on it! jpshackelford can track my progress at all-hands.dev |
Add explicit None check before accessing auth_methods list in test to satisfy pyright's type narrowing. Also apply ruff formatting. Co-authored-by: openhands <openhands@all-hands.dev>
Summary: LiteLLM Bedrock Authentication InvestigationYou asked me to investigate the version of LiteLLM used in the CLI (and transitively via openhands-sdk) and confirm or deny your claim about Bedrock's 3 authentication modes. FindingsVersion Information:
✅ Your Claim is CONFIRMEDLiteLLM 1.80.11 explicitly supports all 3 authentication modes you mentioned, plus additional methods:
Additionally, LiteLLM supports:
Implication for PR #536Your concern about putting the PR back to draft is well-founded. The current
The PR needs to account for boto3's full credential chain to properly determine if a Bedrock user is "already authenticated." No code changes were made - this was an information-gathering task to help you make an informed decision about the PR. |
When no agent_settings.json exists, the local agent now checks for AWS credentials before showing the OAuth authentication button. This handles Bedrock users who authenticate via: - AWS environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_PROFILE, AWS_DEFAULT_PROFILE) - AWS credential files (~/.aws/credentials, ~/.aws/config) This ensures Bedrock users don't see an unnecessary 'Authenticate with OpenHands Cloud' button when they have valid AWS credentials configured. Note: This only detects intent to use AWS authentication, it does not validate that the credentials are correct. Co-authored-by: openhands <openhands@all-hands.dev>
all-hands-bot
left a comment
all-hands-bot
left a comment
There was a problem hiding this comment.
🟡 Acceptable - Core logic is solid, but AWS credential detection adds complexity for what appears to be a theoretical edge case.
Why the core fix has good taste:
Simple conditional eliminates UI clutter by not including auth_methods when not needed. This is exactly how you solve UI problems - don't show things that shouldn't be there, rather than adding handlers to hide them.
Concern:
The AWS credential detection logic (~90 lines of implementation + tests) solves a hypothetical problem: "users with AWS credentials but no agent_settings.json". If this isn't a proven user pain point, it's over-engineering.
See inline comments for specifics.
all-hands-bot
left a comment
all-hands-bot
left a comment
There was a problem hiding this comment.
🟢 Good taste - This is how you fix UI problems: eliminate the special case rather than adding handlers for it.
Verdict: ✅ Merge-worthy
Core fix is elegant and solves a real production issue. AWS credential detection adds complexity but addresses confirmed customer needs with straightforward logic and proper test coverage.
|
I am holding off merging until I get successful end-to-end test with IntelliJ IDEA. There appears to be another problem and it looks like it may be on the IntelliJ side. |
5 participants
Summary
Fixes #535
When using the OpenHands CLI ACP server with JetBrains IDEs (IntelliJ, etc.), users see an "Authenticate with OpenHands Cloud" button in the AI Chat window even when they have already configured local LLM settings in
~/.openhands/agent_settings.json.Root Cause
In
openhands_cli/acp_impl/agent/base_agent.py, theinitialize()method unconditionally returned OAuth as an available authentication method, regardless of whether authentication was actually needed.Changes
initialize()inbase_agent.pyto check_is_authenticated()before including auth methods in the responseagent_settings.json, or cloud agent has valid API key),auth_methodsis returned as an empty listExpected Behavior After Fix
Commands Run
Testing
test_initialize_no_auth_methods_when_authenticated- verifies empty auth_methods when authenticatedtest_initialize_auth_methods_when_not_authenticated- verifies OAuth is returned when not authenticated@jpshackelford can click here to continue refining the PR
🚀 Try this PR