Category: Other. No API key required.

Tianyi Account QR Code Login AST skill 7-1

Use when Tianyi account AST direct authentication is needed, including login, QR code login, checking AST login status, reauth after 401, direct /ast/verify, idToken retrieval, another skill or plugin needing a Tianyi account idToken with business appId, or local agent_session authentication state.

Author: user_990a4550 (community)

Tianyi Account AST Direct Authentication Skill v7.1

Overview

Use this skill to complete Tianyi account AST login and direct authentication. The public version is tianyi-ast-direct-auth-v7.1; the machine skill name is tianyi-ast-direct-auth-v7-1.

This skill handles one path only: direct authentication through /ast/verify. It does not use gateway mode or /ast/introspect.

Core Workflow

  1. Load runtime config from direct_auth_init.json or explicit caller parameters.
  2. Check local agent_session.json with the bundled Python helper.
  3. Resolve business appId from explicit caller input, runtime parameters, or direct_auth_init.json.
  4. If the session is valid and appId is available, call /ast/verify.
  5. If the session is missing, expired, malformed, or near expiry, start AST login.
  6. Call /ast/login/start, then /ast/login/qrcode.
  7. Show the user the QR image and login link.
  8. When the user says "已登录" ("logged in") or "查登录状态" ("check login status"), call /ast/login/status/{ticket}.
  9. On success, persist local session and identity material with the helper.
  10. After local persistence succeeds, call /ast/verify to get idToken + expiresAt.

For code plugins, use scripts/get_id_token.py as the stable CLI wrapper around the same flow.

Read the reference files as needed:

  • references/login-flow.md for login and pending-state details
  • references/verify-flow.md for /ast/verify details
  • references/caller-contract.md when another skill or business flow asks for an idToken
  • references/auth-result-contract.md when returning auth results to a caller
  • references/pending-handoff-contract.md when a caller must resume business work after QR login
  • references/plugin-api-contract.md when a pure code plugin needs a CLI entrypoint
  • references/partner-skill-template.md when writing a partner business skill
  • references/local-session-contract.md before handling local files
  • references/error-handling.md for failure handling

Trigger Cases

Use this skill when the user or caller asks to:

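  • Log in to a Tianyi account
  • Perform Tianyi account authentication
  • Obtain AST direct authentication credentials
  • Get an idToken
  • Another business skill needs a Tianyi account idToken
  • A partner plugin needs to obtain a Tianyi account idToken using a business appId
  • Invoke the Tianyi account authentication skill with business appId=xxx
  • Get a Tianyi account idToken using appId=xxx
  • Check or reuse agent_session.json
  • Re-authenticate after a business 401
  • Use /ast/verify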

Pending Context

After login starts, preserve:

  • pending_skill = "tianyi-ast-direct-auth-v7-1"
  • pending_action = "wait_user_confirm_login"
  • pending_ticket
  • pending_login_url
  • pending_ticket_expires_at
  • pending_last_status
  • pending_business_app_id when provided by a caller
  • pending_caller_skill when invoked by another skill
  • pending_business_intent when the caller must resume business work
  • pending_return_target = "idToken" when the caller expects an idToken

Only treat "已登录" ("logged in"), "查登录状态" ("check login status"), or equivalent replies as this skill's continuation when pending_skill, pending_action, and pending_ticket all match.

User Replies

Keep user-facing replies short. Show only the QR image, login link, and next action. Do not expose service URLs, local file paths, private key paths, signing plaintext, appId, or trusted-network details.

Success Rule

Login is complete only after:

  1. /ast/login/status/{ticket} returns status=success
  2. agent_session.json is saved successfully
  3. identity material is saved when privateKeyPem is returned

Direct authentication is complete only after /ast/verify returns idToken + expiresAt.

Caller Contract

When another skill invokes this skill as an authentication dependency, this skill owns the full AST login and /ast/verify flow. The caller receives only the resulting idToken + expiresAt for business API use.

The caller must not receive agentSessionToken, private key material, signing plaintext, or local file paths. See references/caller-contract.md.

For pure code plugins:

python scripts/get_id_token.py --app-id <partner-app-id> --json
python scripts/get_id_token.py --app-id <partner-app-id> --allow-login --json
python scripts/get_id_token.py --app-id <partner-app-id> --ticket <ticket> --json

The CLI output follows references/auth-result-contract.md.

Boundaries

  • Do not call /ast/introspect.
  • Do not implement gateway fallback.
  • Do not expose refresh/logout as user actions in v7.1.
  • Do not write appId, ticket, loginUrl, or idToken into agent_session.json.
  • Do not write old login_success.json.
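
One way to enforce the Caller Contract and the agent_session.json boundary in code, as an added example that is not the skill's bundled helper. The field names come from this page; the function names, the JSON layout and the owner-only file handling are assumptions.

```python
import json
import os
import tempfile

# Field names are taken from the page; the JSON layout is an assumption.
CALLER_ALLOWED = ("idToken", "expiresAt")
SESSION_FORBIDDEN = {"appId", "ticket", "loginUrl", "idToken"}


def result_for_caller(verify_response: dict) -> dict:
    """Project a /ast/verify result onto the two fields a caller may see."""
    missing = [k for k in CALLER_ALLOWED if not verify_response.get(k)]
    if missing:
        # Fail closed: authentication is not complete without both fields.
        raise ValueError(f"verify response incomplete: {missing}")
    return {k: verify_response[k] for k in CALLER_ALLOWED}


def forbidden_keys(obj, path="") -> list:
    """Return the paths of forbidden keys anywhere in a nested structure."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in SESSION_FORBIDDEN:
                hits.append(here)
            hits += forbidden_keys(value, here)
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits += forbidden_keys(item, f"{path}[{i}]")
    return hits


def save_session(session: dict, path: str) -> None:
    """Write the session atomically, refusing fields the page forbids."""
    hits = forbidden_keys(session)
    if hits:
        raise ValueError(f"refusing to persist forbidden fields: {hits}")
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file readable and writable by the owner only.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".session-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(session, fh)
        os.replace(tmp, path)  # atomic swap, never a half-written session
    except BaseException:
        os.unlink(tmp)
        raise
```

Because the caller result is built from an allowlist, any extra field a later version of the verify response carries is dropped by default instead of leaking to the caller.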