DEV Community

Yu Watanabe

Agent hardening with Auth0

This is a submission for the Auth0 for AI Agents Challenge

What I Built

I have built an agent that provides answers about confidential information to the right person.

Before starting with the implementation, let's start with the problem I want to solve with this solution.

Point of View statement

Bob works on the IT team at EMarket, an online e-commerce company.

The company wants to provide chat services to its employees to boost productivity.

But the team wants to first launch the service to a LIMITED set of people as a prototype and gather information as usability testing.

Therefore, Bob needs to restrict the usage of the chat service to certain users.

The How-Might-We questions derived from the POV might be:

  • How might we authenticate the user?
  • How might we restrict users' access to the relevant content?

To tackle the problem, I have come up with the solution below.

Architecture

architecture

  1. User logs in to the app.
  2. App authenticates the user by consulting with Auth0.
  3. App loads documents into the vector store. public-doc.md holds the information relevant to the user.
  4. App instantiates the Agent, then binds the Retriever and does tool calling.
  5. Retriever first consults the FGA powered by Auth0 and checks the user's relationship with the file name.
  6. Retriever then retrieves the relevant documents from the vector store.
  7. Agent then prompts the Model.
  8. App returns the chat history rendered as HTML.

Since this architecture is aimed at this challenge, the indexing context might be different from the real world.

The service runs on DigitalOcean App Platform.
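The authorization filter in steps 5 and 6, as an added example (not code from the project's repository and not the Auth0 SDK): an in-memory tuple list stands in for Auth0 FGA and a keyword match stands in for the vector store. The `viewer` relation, the users and the document texts are constructed assumptions.

```javascript
// Constructed sample data: FGA-style relationship tuples (user, relation, object).
// The "viewer" relation name is an assumption; the page does not show its model.
const TUPLES = [
  { user: "user:alice@example.test", relation: "viewer", object: "document:public-doc" },
];

// Constructed corpus standing in for the vector store.
const DOCS = [
  { id: "public-doc", text: "Pilot launch schedule for the chat service." },
  { id: "faq", text: "General chat FAQ." },
];

// Stand-in for an FGA check: true only when an exact tuple exists.
function check(tuples, user, relation, object) {
  return tuples.some(
    (t) => t.user === user && t.relation === relation && t.object === object
  );
}

// Toy retriever standing in for similarity search: keyword match.
function search(docs, query) {
  const terms = query.toLowerCase().split(/\s+/).filter(Boolean);
  return docs.filter((d) => terms.some((t) => d.text.toLowerCase().includes(t)));
}

// Keep only candidates the user may view. An error in the check counts as a
// deny (fail closed), so an authorization outage never widens access.
function authorizedRetrieve(user, query, checkFn) {
  const allowed = [];
  let denied = 0;
  for (const doc of search(DOCS, query)) {
    let ok = false;
    try {
      ok = checkFn(user, "viewer", `document:${doc.id}`) === true;
    } catch (_err) {
      ok = false;
    }
    if (ok) allowed.push(doc);
    else denied += 1;
  }
  return { allowed, denied };
}

const fgaCheck = (user, relation, object) => check(TUPLES, user, relation, object);

console.log(authorizedRetrieve("user:alice@example.test", "chat", fgaCheck));
console.log(authorizedRetrieve("user:bob@example.test", "chat", fgaCheck));
```

Only the `allowed` documents should reach the model's prompt; the `denied` count lets the app show a no-permission message instead of answering from an empty context.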

Demo

GitHub codebase

I have prepared two entities (persons).

User Password
john.doe@test.com john123!
joe.shmoe@test.com joes123!

Feel free to log in from the login page.

https://lionfish-app-2tsho.ondigitalocean.app/login

login page

Then access the page which calls the agent.

https://lionfish-app-2tsho.ondigitalocean.app/agent/call

You will see that john.doe properly receives the answer, including the relevant information, from the agent.

john.doe result

But joe.smith will not get the right answer.

joe.smith result

Log out of the session after you are done.

https://lionfish-app-2tsho.ondigitalocean.app/logout

logout page

How I Used Auth0 for AI Agents

The essence here is that, to deliver the right user experience per user, I have used Auth0 for authentication and Auth0 FGA for authorization.

Users are managed by the Auth0 platform.

Auth0

The catch here is that only user:john.smith@test.com (object) has a relation with document:public-doc (resource).

FGA modeling

FGA tuples

Lessons Learned and Takeaways

This was my first time doing frontend activities for a specific problem, so I learned a lot. I would like to list a few points.

  • The speed toward the outcome. There are excellent tools and services for both sustainability and effectiveness, e.g. Terraform, fully managed services, SDKs, etc.
  • The downside was that it took time for me to get the right package dependencies. The quick start did not work out-of-the-box for me.
  • The learning curve might be high. My environment required explicit configuration of the client for the FGARetriever. I had to go all the way to the codebase to get the right info. I could not find the API doc for @auth0/ai-langchain. ChatGPT did not work for me.
  • I would like to know the right message to notify the user for a smooth UX in case of inappropriate permission.

Thank you very much for the opportunity!
