feat(trigger): implement complete OAuth authorization flow for trigger providers

- Add OAuth authorization URL generation API endpoint
- Implement OAuth callback handler for credential storage
- Support both system-level and tenant-level OAuth clients
- Add trigger provider credential encryption utilities
- Refactor trigger entities into separate modules
- Update trigger provider service with OAuth client management
- Add credential cache for trigger providers

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

api/controllers/console/workspace/trigger_providers.py

@@ -1,20 +1,37 @@
 import logging
 
+from flask import make_response, redirect, request
 from flask_restx import Resource, reqparse
 from werkzeug.exceptions import BadRequest, Forbidden
 
+from configs import dify_config
 from controllers.console import api
 from controllers.console.wraps import account_initialization_required, setup_required
+from core.model_runtime.utils.encoders import jsonable_encoder
 from core.plugin.entities.plugin import TriggerProviderID
 from core.plugin.entities.plugin_daemon import CredentialType
+from core.plugin.impl.oauth import OAuthHandler
 from libs.login import current_user, login_required
 from models.account import Account
+from services.plugin.oauth_service import OAuthProxyService
 from services.trigger.trigger_provider_service import TriggerProviderService
 
 logger = logging.getLogger(__name__)
 
 
 class TriggerProviderListApi(Resource):
+    @setup_required
+    @login_required
+    @account_initialization_required
+    def get(self):
+        """List all trigger providers for the current tenant"""
+        user = current_user
+        assert isinstance(user, Account)
+        assert user.current_tenant_id is not None
+        return jsonable_encoder(TriggerProviderService.list_trigger_providers(user.current_tenant_id))
+
+
+class TriggerProviderCredentialListApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
@@ -27,8 +44,10 @@ class TriggerProviderListApi(Resource):
             raise Forbidden()
 
         try:
-            return TriggerProviderService.list_trigger_providers(
-                tenant_id=user.current_tenant_id, provider_id=TriggerProviderID(provider)
+            return jsonable_encoder(
+                TriggerProviderService.list_trigger_provider_credentials(
+                    tenant_id=user.current_tenant_id, provider_id=TriggerProviderID(provider)
+                )
             )
         except Exception as e:
             logger.exception("Error listing trigger providers", exc_info=e)
@@ -145,30 +164,128 @@ class TriggerProviderOAuthAuthorizeApi(Resource):
     @login_required
     @account_initialization_required
     def get(self, provider):
-        """Initiate OAuth authorization flow for a provider"""
+        """Initiate OAuth authorization flow for a trigger provider"""
         user = current_user
         assert isinstance(user, Account)
         assert user.current_tenant_id is not None
+
         try:
-            context_id = TriggerProviderService.create_oauth_proxy_context(
-                tenant_id=user.current_tenant_id,
-                user_id=user.id,
-                provider_id=TriggerProviderID(provider),
+            provider_id = TriggerProviderID(provider)
+            plugin_id = provider_id.plugin_id
+            provider_name = provider_id.provider_name
+            tenant_id = user.current_tenant_id
+
+            # Get OAuth client configuration
+            oauth_client_params = TriggerProviderService.get_oauth_client(
+                tenant_id=tenant_id,
+                provider_id=provider_id,
             )
 
-            # TODO: Build OAuth authorization URL
-            # This will be implemented when we have provider-specific OAuth configs
+            if oauth_client_params is None:
+                raise Forbidden("No OAuth client configuration found for this trigger provider")
 
-            return {
-                "context_id": context_id,
-                "authorization_url": f"/oauth/authorize?context={context_id}",
-            }
+            # Create OAuth handler and proxy context
+            oauth_handler = OAuthHandler()
+            context_id = OAuthProxyService.create_proxy_context(
+                user_id=user.id,
+                tenant_id=tenant_id,
+                plugin_id=plugin_id,
+                provider=provider_name,
+            )
+
+            # Build redirect URI for callback
+            redirect_uri = f"{dify_config.CONSOLE_API_URL}/console/api/oauth/plugin/{provider}/trigger/callback"
+
+            # Get authorization URL
+            authorization_url_response = oauth_handler.get_authorization_url(
+                tenant_id=tenant_id,
+                user_id=user.id,
+                plugin_id=plugin_id,
+                provider=provider_name,
+                redirect_uri=redirect_uri,
+                system_credentials=oauth_client_params,
+            )
+
+            # Create response with cookie
+            response = make_response(jsonable_encoder(authorization_url_response))
+            response.set_cookie(
+                "context_id",
+                context_id,
+                httponly=True,
+                samesite="Lax",
+                max_age=OAuthProxyService.__MAX_AGE__,
+            )
+
+            return response
 
         except Exception as e:
             logger.exception("Error initiating OAuth flow", exc_info=e)
             raise
 
 
+class TriggerProviderOAuthCallbackApi(Resource):
+    @setup_required
+    def get(self, provider):
+        """Handle OAuth callback for trigger provider"""
+        context_id = request.cookies.get("context_id")
+        if not context_id:
+            raise Forbidden("context_id not found")
+
+        # Use and validate proxy context
+        context = OAuthProxyService.use_proxy_context(context_id)
+        if context is None:
+            raise Forbidden("Invalid context_id")
+
+        # Parse provider ID
+        provider_id = TriggerProviderID(provider)
+        plugin_id = provider_id.plugin_id
+        provider_name = provider_id.provider_name
+        user_id = context.get("user_id")
+        tenant_id = context.get("tenant_id")
+
+        # Get OAuth client configuration
+        oauth_client_params = TriggerProviderService.get_oauth_client(
+            tenant_id=tenant_id,
+            provider_id=provider_id,
+        )
+
+        if oauth_client_params is None:
+            raise Forbidden("No OAuth client configuration found for this trigger provider")
+
+        # Get OAuth credentials from callback
+        oauth_handler = OAuthHandler()
+        redirect_uri = f"{dify_config.CONSOLE_API_URL}/console/api/oauth/plugin/{provider}/trigger/callback"
+
+        credentials_response = oauth_handler.get_credentials(
+            tenant_id=tenant_id,
+            user_id=user_id,
+            plugin_id=plugin_id,
+            provider=provider_name,
+            redirect_uri=redirect_uri,
+            system_credentials=oauth_client_params,
+            request=request,
+        )
+
+        credentials = credentials_response.credentials
+        expires_at = credentials_response.expires_at
+
+        if not credentials:
+            raise Exception("Failed to get OAuth credentials")
+
+        # Save OAuth credentials to database
+        TriggerProviderService.add_trigger_provider(
+            tenant_id=tenant_id,
+            user_id=user_id,
+            provider_id=provider_id,
+            credential_type=CredentialType.OAUTH2,
+            credentials=dict(credentials),
+            expires_at=expires_at,
+        )
+
+        # Redirect to OAuth callback page
+        return redirect(f"{dify_config.CONSOLE_WEB_URL}/oauth-callback")
+
+
 class TriggerProviderOAuthRefreshTokenApi(Resource):
     @setup_required
     @login_required
@@ -257,16 +374,13 @@ class TriggerProviderOAuthClientManageApi(Resource):
 
         try:
             provider_id = TriggerProviderID(provider)
-
-            result = TriggerProviderService.save_custom_oauth_client_params(
+            return TriggerProviderService.save_custom_oauth_client_params(
                 tenant_id=user.current_tenant_id,
                 provider_id=provider_id,
                 client_params=args.get("client_params"),
                 enabled=args.get("enabled"),
             )
 
-            return result
-
         except ValueError as e:
             raise BadRequest(str(e))
         except Exception as e:
@@ -287,13 +401,10 @@ class TriggerProviderOAuthClientManageApi(Resource):
         try:
             provider_id = TriggerProviderID(provider)
 
-            result = TriggerProviderService.delete_custom_oauth_client_params(
+            return TriggerProviderService.delete_custom_oauth_client_params(
                 tenant_id=user.current_tenant_id,
                 provider_id=provider_id,
             )
-
-            return result
-
         except ValueError as e:
             raise BadRequest(str(e))
         except Exception as e:
@@ -302,8 +413,12 @@ class TriggerProviderOAuthClientManageApi(Resource):
 
 
 # Trigger provider endpoints
-api.add_resource(TriggerProviderListApi, "/workspaces/current/trigger-provider/<path:provider>/list")
-api.add_resource(TriggerProviderCredentialsAddApi, "/workspaces/current/trigger-provider/<path:provider>/add")
+api.add_resource(
+    TriggerProviderCredentialListApi, "/workspaces/current/trigger-provider/credentials/<path:provider>/list"
+)
+api.add_resource(
+    TriggerProviderCredentialsAddApi, "/workspaces/current/trigger-provider/credentials/<path:provider>/add"
+)
 api.add_resource(
     TriggerProviderCredentialsUpdateApi, "/workspaces/current/trigger-provider/credentials/<path:credential_id>/update"
 )
@@ -311,9 +426,11 @@ api.add_resource(
     TriggerProviderCredentialsDeleteApi, "/workspaces/current/trigger-provider/credentials/<path:credential_id>/delete"
 )
 
+# OAuth
 api.add_resource(
     TriggerProviderOAuthAuthorizeApi, "/workspaces/current/trigger-provider/<path:provider>/oauth/authorize"
 )
+api.add_resource(TriggerProviderOAuthCallbackApi, "/oauth/plugin/<path:provider>/trigger/callback")
 api.add_resource(
     TriggerProviderOAuthRefreshTokenApi,
     "/workspaces/current/trigger-provider/credentials/<path:credential_id>/oauth/refresh",