inovabiz-opencode-companion
v0.1.2
Published
OpenCode companion plugin for corporate provider authentication and gateway integration.
Readme
OpenCode Companion
OpenCode companion plugin for corporate provider authentication and gateway integration.
This package is distributed publicly for installation convenience, but it is not an open source project. Use requires an Entra application, API consent, and backend authorization rules controlled by the owning organization.
Requirements
- Windows 10/11.
- Node.js 20 or newer.
- OpenCode with npm plugin support.
- A Microsoft Entra public client application.
- A redirect URI of type Mobile and desktop applications using
http://localhost.
Do not configure or publish a client secret. This plugin uses the Authorization Code flow with PKCE.
Installation
npm install inovabiz-opencode-companionAdd the package to opencode.json:
{
"$schema": "https://opencode.ai/config.json",
"plugin": ["inovabiz-opencode-companion"]
}Configuration
Configure the Entra and gateway values either with environment variables or provider options.
Environment variables:
$env:OPENCODE_ENTRA_SSO_TENANT_ID = "<tenant-id>"
$env:OPENCODE_ENTRA_SSO_CLIENT_ID = "<public-client-id>"
$env:OPENCODE_ENTRA_SSO_ACCESS_TOKEN_SCOPE = "api://<api-app-id>/<delegated-scope>"
$env:OPENCODE_ENTRA_SSO_APIM_AUDIENCE = "<expected-token-audience>"
$env:OPENCODE_ENTRA_SSO_APIM_DELEGATED_SCOPE = "<delegated-scope-name>"
$env:OPENCODE_ENTRA_SSO_TARGET_BASE_URL = "https://<gateway-host>/<path>/v1"Provider options:
{
"provider": {
"CorporateGateway": {
"options": {
"baseURL": "https://<gateway-host>/<path>/v1",
"inovabizEntraSso": true,
"inovabizTenantId": "<tenant-id>",
"inovabizClientId": "<public-client-id>",
"inovabizAccessTokenScope": "api://<api-app-id>/<delegated-scope>",
"inovabizApimAudience": "<expected-token-audience>",
"inovabizApimDelegatedScope": "<delegated-scope-name>"
}
}
}
}The plugin only modifies requests for providers explicitly marked with inovabizEntraSso: true, or providers whose baseURL matches OPENCODE_ENTRA_SSO_TARGET_BASE_URL.
Runtime Behavior
For matching providers, the plugin:
- Starts an Entra sign-in flow when a renewable local session is unavailable.
- Stores MSAL cache data encrypted with Windows DPAPI for the current user.
- Validates the access token audience and delegated scope before use.
- Replaces the provider API key in memory with a non-secret marker.
- Removes the APIM subscription-key header if present.
- Sends the Entra bearer token plus the encrypted provider API key to the configured gateway.
The backend gateway must still validate JWT issuer, audience, scope, expiration, allowed users or groups, rate limits, and the final API key before forwarding any request.
Logout
Close OpenCode first, then remove the local token cache:
.\scripts\logout.ps1