Add proxy support for OAuth2 Chrome extension

CHANGELOG.md

@@ -140,6 +140,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - OAuth2 endpoints: `/dashboard/claude/auth/start`, `/dashboard/claude/auth/complete`, `/dashboard/claude/auth/status`
   - Extension endpoints: `/dashboard/extension/download`, `/dashboard/oauth2/callback`
   - Comprehensive documentation in CLAUDE_OAUTH2_SETUP.md and CLAUDE_OAUTH2_DEEP_DIVE.md
+  - Proxy-aware OAuth2 extension serving: detects X-Forwarded-For, X-Forwarded-Host, X-Real-IP headers
+  - Force interception mechanism: extension activates for localhost when OAuth flow initiated from dashboard
+  - Supports reverse proxy deployments (nginx, caddy, etc.) with automatic proxy detection
 - **Kiro Provider Integration**: Native support for Kiro (Amazon Q Developer / AWS CodeWhisperer)
   - KiroAuth class (`aisbf/kiro_auth.py`) for AWS credential management
   - Support for multiple authentication methods:

DOCUMENTATION.md

@@ -676,6 +676,9 @@ Model metadata is automatically extracted from provider responses and stored in
 - Full OAuth2 PKCE authentication flow
 - Automatic token refresh with refresh token rotation
 - Chrome extension for remote server OAuth2 callback interception
+- Proxy-aware extension serving: automatically detects reverse proxy deployments via X-Forwarded-* headers
+- Force interception mechanism: extension activates for localhost when OAuth flow initiated from dashboard
+- Supports nginx, caddy, and other reverse proxies with automatic proxy detection
 - Dashboard integration with authentication UI
 - Credentials stored in `~/.aisbf/claude_credentials.json`
 - Optional curl_cffi TLS fingerprinting for Cloudflare bypass
@@ -694,6 +697,14 @@ Model metadata is automatically extracted from provider responses and stored in
 - Supports IDE credentials and CLI authentication
 - Access to Claude models through Kiro
 - No separate API key required (uses Kiro credentials)
+
+### Kilocode
+- OAuth2 Device Authorization Grant flow
+- Supports both API key and OAuth2 authentication
+- Seamless integration with Kilocode services
+- Dashboard OAuth2 authentication UI
+- Credentials stored in ~/.kilo_credentials.json
+- Access to Kilocode AI models and services
 - Supports streaming, tool calling, and extended thinking
 
 ## Rotation Models

PYPI.md

@@ -137,6 +137,34 @@ pip install aisbf
 sudo pip install aisbf
 ```
 
+## Post-Installation OAuth2 Setup
+
+AISBF supports OAuth2 authentication for several providers:
+
+### Claude (Anthropic)
+- Full OAuth2 PKCE flow for Claude Code (claude.ai)
+- Chrome extension for remote server deployments
+- Proxy-aware: automatically detects reverse proxy deployments
+- Dashboard integration for easy authentication
+
+### Kiro (Amazon Q Developer)
+- Native OAuth2 support for AWS CodeWhisperer
+- Multiple authentication methods (IDE credentials, kiro-cli, direct refresh token)
+- Automatic credential management
+
+### Kilocode
+- Device Authorization Grant OAuth2 flow
+- Seamless integration with Kilocode services
+
+**Setup Instructions:**
+1. Start AISBF: `aisbf`
+2. Access dashboard: `http://localhost:17765/dashboard`
+3. Navigate to Providers section
+4. Configure OAuth2 providers and follow authentication prompts
+5. For remote deployments: Install Chrome extension from dashboard
+
+For detailed OAuth2 setup, see README.md and DOCUMENTATION.md in the installed package.
+
 ## Troubleshooting
 
 ### Build Errors

README.md

@@ -131,6 +131,7 @@ See [`PYPI.md`](PYPI.md) for detailed instructions on publishing to PyPI.
 - Claude Code (OAuth2 authentication via claude.ai)
 - Ollama (direct HTTP)
 - Kiro (Amazon Q Developer / AWS CodeWhisperer)
+- Kilocode (OAuth2 Device Authorization Grant)
 ## Configuration
 
 ### SSL/TLS Configuration
@@ -287,6 +288,9 @@ AISBF supports Claude Code (claude.ai) as a provider using OAuth2 authentication
 - Automatic token refresh with refresh token rotation
 - Chrome extension for remote server OAuth2 callback interception
 - Dashboard integration with authentication UI
+- Proxy-aware extension serving: automatically detects reverse proxy deployments
+- Force interception mechanism: extension activates for localhost when OAuth flow initiated from dashboard
+- Supports nginx, caddy, and other reverse proxies with X-Forwarded-* header detection
 - Credentials stored in `~/.aisbf/claude_credentials.json`
 - Optional curl_cffi TLS fingerprinting for Cloudflare bypass
 - Compatible with official claude-cli credentials

static/extension/background.js

@@ -14,7 +14,8 @@ const DEFAULT_CONFIG = {
   enabled: true,
   remoteServer: '',  // Will be set from AISBF dashboard
   ports: [54545],    // Default OAuth callback ports to intercept
-  paths: ['/callback', '/oauth/callback', '/auth/callback']
+  paths: ['/callback', '/oauth/callback', '/auth/callback'],
+  forceInterception: false // Override for OAuth flows initiated from AISBF
 };
 
 // Current configuration
@@ -76,11 +77,16 @@ function generateRules() {
   
   // If the remote server is on localhost, we don't need to intercept
   // The OAuth2 callback can go directly to localhost without redirection
-  if (isRemoteLocal) {
+  // EXCEPTION: If we have an ongoing OAuth flow initiated from AISBF (forceInterception flag)
+  if (isRemoteLocal && !config.forceInterception) {
     console.log('[AISBF] Remote server is localhost - no interception needed');
     return rules;
   }
   
+  if (isRemoteLocal && config.forceInterception) {
+    console.log('[AISBF] Remote server is localhost but force interception is enabled for active OAuth flow');
+  }
+  
   for (const port of config.ports) {
     for (const path of config.paths) {
       // Rule for 127.0.0.1
@@ -217,7 +223,8 @@ chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) =>
         enabled: true,
         remoteServer: message.remoteServer || sender.url.replace(/\/dashboard.*$/, ''),
         ports: message.ports || config.ports,
-        paths: message.paths || config.paths
+        paths: message.paths || config.paths,
+        forceInterception: message.forceInterception || false
       };
       saveConfig(newConfig).then(success => {
         sendResponse({ success, config: newConfig });