Understanding Authentication
OpenID Connect
Flyte supports OpenID Connect, a de facto standard for user authentication. After configuring OpenID Connect, users accessing Flyte Console or flytectl (or other third-party apps) will be prompted to authenticate using the configured provider.
```mermaid
sequenceDiagram
%%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%%
autonumber
User->>+Browser: /home
Browser->>+Console: /home
Console->>-Browser: 302 /login
Browser->>+Admin: /login
Admin->>-Browser: Idp.com/oidc
Browser->>+Idp: Idp.com/oidc
Idp->>-Browser: 302 /login
Browser->>-User: Enter user/pass
User->>+Browser: login
Browser->>+Idp: Submit username/pass
Idp->>-Browser: admin/?authCode=<abc>
Browser->>+Admin: admin/authCode=<abc>
Admin->>+Idp: Exchange Tokens
Idp->>-Admin: idt, at, rt
Admin->>+Browser: Write Cookies & Redirect to /console
Browser->>+Console: /home
Browser->>-User: Render /home
```
OAuth2
Flyte supports OAuth2 to control access to third-party and native apps. FlyteAdmin comes with a built-in Authorization Server that can perform 3-legged and 2-legged OAuth2 flows. It also supports delegating these responsibilities to an external Authorization Server.
Service Authentication using OAuth2
Propeller (and potentially other non-user-facing services) can also authenticate to the IdP using the client_credentials grant and be granted an access_token to be used with Admin and other backend services.
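The client_credentials exchange described above, shown with both sides of the conversation, as an added example that is not Propeller's or FlyteAdmin's own code. The IdP is stood in for by an in-process `httptest` server; the client id `propeller`, the secret, the `/oauth2/token` path and the scope name are constructed values. The client authenticates with HTTP Basic (the default client-authentication method for confidential clients in RFC 6749), and the fake IdP compares credentials in constant time and refuses anything but `grant_type=client_credentials`.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// tokenResponse is the JSON body an OAuth2 token endpoint returns (RFC 6749 §5.1).
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
}

// NewFakeIdP stands in for the IdP (constructed, not a real provider). It
// authenticates the client with HTTP Basic, requires the client_credentials
// grant, and issues a placeholder bearer token for the one known client.
func NewFakeIdP(clientID, clientSecret string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth2/token", func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		// Constant-time comparison so a wrong secret does not leak how many
		// leading bytes matched.
		idOK := subtle.ConstantTimeCompare([]byte(id), []byte(clientID)) == 1
		secretOK := subtle.ConstantTimeCompare([]byte(secret), []byte(clientSecret)) == 1
		if !ok || !idOK || !secretOK {
			w.Header().Set("WWW-Authenticate", `Basic realm="token"`)
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		if r.Method != http.MethodPost || r.FormValue("grant_type") != "client_credentials" {
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(tokenResponse{
			AccessToken: "constructed-token", // placeholder, not a real token
			TokenType:   "Bearer",
			ExpiresIn:   3600,
		})
	})
	return httptest.NewServer(mux)
}

// FetchClientCredentialsToken is the service side of the exchange: POST the
// grant to the token endpoint with the client's credentials and return the
// access_token the IdP issued.
func FetchClientCredentialsToken(tokenURL, clientID, clientSecret string, scopes []string) (string, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	if len(scopes) > 0 {
		form.Set("scope", strings.Join(scopes, " "))
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return "", err
	}
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") {
		return "", errors.New("unexpected token response")
	}
	return tr.AccessToken, nil
}

func main() {
	idp := NewFakeIdP("propeller", "constructed-secret")
	defer idp.Close()
	tok, err := FetchClientCredentialsToken(idp.URL+"/oauth2/token", "propeller", "constructed-secret", []string{"all"})
	fmt.Println("access_token:", tok, "err:", err)
}
```

The returned token is what the service then presents as `Authorization: Bearer ...` to Admin; the service never sees user credentials, which is the point of the 2-legged flow.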
User Authentication in other clients (e.g. CLI) using OAuth2-PKCE
Users accessing backend services through a CLI should be able to use the OAuth2 PKCE flow to authenticate (in a browser) to the IdP and be issued an access_token valid for communicating with the intended backend service on behalf of the user.
FlyteAdmin's builtin Authorization Server
```mermaid
sequenceDiagram
%%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%%
autonumber
User->>+Cli: flytectl list-projects
Cli->>+Admin: admin/client-config
Admin->>-Cli: Client_id=<abc>, ...
Cli->>+Browser: /oauth2/authorize?pkce&code_challenge,client_id,scope
Browser->>+Admin: /oauth2/authorize?pkce...
Admin->>-Browser: 302 idp.com/login
Note over Browser,Admin: The prior OpenID Connect flow
Browser->>+Admin: admin/logged_in
Note over Browser,Admin: Potentially show custom consent screen
Admin->>-Browser: localhost/?authCode=<abc>
Browser->>+Cli: localhost/authCode=<abc>
Cli->>+Admin: /token?code,code_verifier
Admin->>-Cli: access_token
Cli->>+Admin: /projects/ + access_token
Admin->>-Cli: project1, project2
```
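The PKCE part of the flow above, as an added example rather than flytectl or FlyteAdmin code: the CLI side that derives `code_challenge` from a fresh `code_verifier` (the `/oauth2/authorize` request), and the authorization-server side that binds the challenge to the issued code and checks the verifier at `/token` (RFC 7636, S256 method). The same check applies whether FlyteAdmin's built-in server or an external Authorization Server hosts `/token`. The `AuthServer` type, its in-memory code store, the client id `flytectl` and the `at-` token prefix are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewCodeVerifier returns a high-entropy verifier: 32 random bytes,
// base64url-encoded without padding (43 characters, the RFC 7636 minimum).
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 derives the challenge the CLI puts on /oauth2/authorize:
// BASE64URL(SHA256(code_verifier)) with no padding.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyCodeVerifier is the server-side check at /token: the presented verifier
// must be of legal length and hash to the challenge stored with the code.
// Constant-time comparison avoids leaking how much of the value matched.
func VerifyCodeVerifier(storedChallenge, verifier string) bool {
	if len(verifier) < 43 || len(verifier) > 128 {
		return false
	}
	expected := CodeChallengeS256(verifier)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) == 1
}

// issuedCode is what the authorization server remembers per authorization code.
type issuedCode struct {
	clientID  string
	challenge string
	used      bool
}

// AuthServer is a constructed stand-in for the /oauth2/authorize + /token side.
type AuthServer struct {
	codes map[string]issuedCode
}

func NewAuthServer() *AuthServer {
	return &AuthServer{codes: map[string]issuedCode{}}
}

// IssueCode models the redirect back to localhost/?authCode=<abc>: the server
// binds the client's code_challenge to a fresh single-use code.
func (s *AuthServer) IssueCode(clientID, challenge string) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	code := base64.RawURLEncoding.EncodeToString(buf)
	s.codes[code] = issuedCode{clientID: clientID, challenge: challenge}
	return code, nil
}

// Exchange models /token?code,code_verifier. The code is consumed on first use
// whether or not the exchange succeeds, so a stolen code cannot be retried
// with another verifier; the client and the verifier must both match.
func (s *AuthServer) Exchange(clientID, code, verifier string) (string, error) {
	rec, ok := s.codes[code]
	if !ok || rec.used {
		return "", errors.New("invalid_grant: unknown or already used code")
	}
	rec.used = true
	s.codes[code] = rec
	if rec.clientID != clientID {
		return "", errors.New("invalid_grant: code was issued to a different client")
	}
	if !VerifyCodeVerifier(rec.challenge, verifier) {
		return "", errors.New("invalid_grant: code_verifier does not match code_challenge")
	}
	return "at-" + code, nil // placeholder access_token, constructed
}

func main() {
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	srv := NewAuthServer()
	code, err := srv.IssueCode("flytectl", CodeChallengeS256(verifier))
	if err != nil {
		panic(err)
	}
	tok, err := srv.Exchange("flytectl", code, verifier)
	fmt.Println("access_token:", tok, "err:", err)
	_, err = srv.Exchange("flytectl", code, verifier)
	fmt.Println("replay:", err)
}
```

The verifier never leaves the CLI until the `/token` call, so an attacker who only observes the browser redirect (the `authCode=<abc>` step) holds a code they cannot redeem; that is the property PKCE adds for public clients such as a CLI that cannot keep a client secret.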
External Authorization Server
```mermaid
sequenceDiagram
%%{config: { 'fontFamily': 'Menlo', 'fontSize': 10, 'fontWeight': 100} }%%
autonumber
User->>+Cli: flytectl list-projects
Cli->>+Admin: admin/client-config
Admin->>-Cli: Client_id=<abc>, ...
Cli->>+Browser: /oauth2/authorize?pkce&code_challenge,client_id,scope
Browser->>+ExternalIdp: /oauth2/authorize?pkce...
ExternalIdp->>-Browser: 302 idp.com/login
Note over Browser,ExternalIdp: The prior OpenID Connect flow
Browser->>+ExternalIdp: /logged_in
Note over Browser,ExternalIdp: Potentially show custom consent screen
ExternalIdp->>-Browser: localhost/?authCode=<abc>
Browser->>+Cli: localhost/authCode=<abc>
Cli->>+ExternalIdp: /token?code,code_verifier
ExternalIdp->>-Cli: access_token
Cli->>+Admin: /projects/ + access_token
Admin->>-Cli: project1, project2
```