Is this a new feature, an improvement, or a change to existing functionality?
Improvement
How would you describe the priority of this feature request
Medium
Please provide a clear description of problem this feature solves
Currently, NAT only supports on-demand authentication, prompting users to log in after they have already submitted a message. Some users have reported this as poor UX, as it interrupts them at an unexpected moment; the general expectation is that authentication occurs upfront, before the user begins interacting.
Describe your ideal solution
A new option in the auth provider configuration called use_eager_auth which, when set to true, will trigger authentication at WebSocket connection time. When false (default), it will preserve the existing behavior and defer authentication until the workflow requires credentials, i.e. after prompt entry.
The option should be available per auth provider, allowing some providers to authenticate eagerly while others defer until credentials are required. For example:
authentication:
  test_auth_provider:
    _type: oauth2_auth_code_flow
    redirect_uri: http://localhost:8000/auth/redirect
    authorization_url: http://localhost:5001/oauth/authorize
    token_url: http://localhost:5001/oauth/token
    token_endpoint_auth_method: client_secret_post
    scopes:
      - openid
      - profile
      - email
    client_id: ${NAT_OAUTH_CLIENT_ID}
    client_secret: ${NAT_OAUTH_CLIENT_SECRET}
    use_pkce: false
    use_eager_auth: true
    use_redirect_auth: true
Additional context
No response