Open
Labels
- high priority: High priority issue
- roadmap: Planned for upcoming release
Description
Problem
The current InferShield implementation requires API keys to be passed through the proxy:
OPENAI_API_KEY=sk-xxx
This works for direct API integrations but breaks IDE tools like:
- GitHub Copilot
- Cursor
- Windsurf
- Cody
- Continue
These tools use OAuth device flows instead of API keys.
Proposed Solution
Add OAuth proxy support similar to copilot-api-proxy:
- Device auth flow - User authenticates via browser
- Token storage - Securely store OAuth tokens
- Token refresh - Auto-refresh expired tokens
- Request proxying - Forward authenticated requests with security layer
- Multi-user support - Each developer has isolated tokens
Implementation
Phase 1: Single-user OAuth
- Device auth endpoint
- Token storage (encrypted)
- OpenAI/Anthropic OAuth support
- Token refresh logic
Phase 2: Multi-user OAuth
- User management
- Token isolation
- Admin dashboard
Phase 3: Enterprise OAuth
- SSO integration
- Centralized token management
- Compliance reporting per user
Use Cases
Individual Developer
Developer → Cursor IDE → InferShield OAuth proxy → OpenAI
Enterprise Team
Team → GitHub Copilot → InferShield (multi-tenant) → OpenAI
CISO gets security visibility across all developers
Target Release
Version 0.2 (2-3 weeks after MVP launch)
References
- copilot-api-proxy architecture
- OpenAI OAuth documentation
- GitHub Copilot authentication flow
Implementation subtask (from #3)
- Implement RFC 8628 device authorization flow client (device code, user code, polling, timeouts)
- Provider adapters: OpenAI + GitHub (Copilot)
- Error handling for denied/expired/slow_down
(Former issue #3 merged here.)
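The polling half of the RFC 8628 flow listed in the subtask above, including the denied/expired/slow_down handling, as an added example (not InferShield's or copilot-api-proxy's code). The `post` transport, the `simulate` helper, the client id and all endpoint responses are assumptions constructed for illustration.

```python
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 section 3.4

class DeviceFlowError(Exception):
    """Terminal failure of the device flow; .code holds the OAuth error string."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code

def poll_for_token(post, client_id, grant, sleep=time.sleep, clock=time.monotonic):
    """Poll until the user approves or denies, or the device code expires.
    post(form) -> dict is a hypothetical transport returning the parsed JSON body."""
    interval = grant.get("interval", 5)        # RFC 8628 default when omitted
    deadline = clock() + grant["expires_in"]   # stop polling once the code is dead
    form = {"grant_type": GRANT_TYPE, "client_id": client_id,
            "device_code": grant["device_code"]}
    while True:
        sleep(interval)
        if clock() >= deadline:
            raise DeviceFlowError("expired_token")   # local timeout
        body = post(form)
        if "access_token" in body:
            return body                        # caller stores it encrypted, never logs it
        err = body.get("error")
        if err == "authorization_pending":
            continue                           # user has not finished in the browser
        if err == "slow_down":
            interval += 5                      # section 3.5: +5 s for all later polls
            continue
        raise DeviceFlowError(err or "invalid_response")  # access_denied, expired_token, ...

def simulate(responses, expires_in=900):
    """Run the poller against a constructed response script using a fake clock."""
    now, waits, script = [0.0], [], iter(responses)
    def fake_sleep(seconds):
        waits.append(seconds)
        now[0] += seconds
    grant = {"device_code": "CONSTRUCTED-DEVICE-CODE",   # constructed sample value
             "expires_in": expires_in, "interval": 5}
    try:
        result = poll_for_token(lambda form: next(script), "example-client", grant,
                                sleep=fake_sleep, clock=lambda: now[0])
    except DeviceFlowError as exc:
        result = exc.code
    return result, waits
```
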