Authentication

In Charmed Kubeflow, authentication is based on Dex. This document describes the authentication flow for various scenarios.

Unauthenticated Request

The authentication flow for an unauthenticated request consists of these steps:

  • User makes an unauthenticated request
    • Redirected to /dex
  • User logs in via Dex
  • Redirected to gatekeeper callback endpoint
    • Sets a cookie with auth token for future requests
  • Redirected back to original page, with authorization token

The flow of an unauthenticated request is shown here:

[Diagram: dex-unauthenticated]

  • A user makes a request that goes through Ambassador. To learn more about Ambassador authentication solutions, see here.
  • Ambassador checks with the gatekeeper service before allowing any request to go through
  • The gatekeeper service responds to Ambassador that the request is unauthenticated and supplies a redirect URL
  • Ambassador returns an HTTP 301 redirecting the user to Dex

Logging In

[Diagram: dex-login]

  • User makes request to /dex
  • Ambassador is configured to not check with the gatekeeper for requests to /dex
  • Dex presents a login page to the user
  • The user submits their credentials
  • Dex uses the configured connector to authenticate the user against an external auth service
    • Dex may also be configured with basic username/password support. This is the default in Charmed Kubeflow.
    • See the Dex configuration section for more information on how to configure Dex with other connectors.
  • Dex redirects the user to a callback URL managed by the gatekeeper

Receive Token

[Diagram: dex-callback]

  • User makes request to callback URL
  • Ambassador sends request to gatekeeper service
  • Gatekeeper service generates a JWT and returns it in the Set-Cookie response header

Authenticated Request

[Diagram: dex-authenticated]

  • User makes authenticated request
  • Ambassador checks with the gatekeeper service to see if the request is authenticated
  • Gatekeeper service affirms the request is authenticated by validating the JWT in the cookie
  • Ambassador communicates with Kubeflow service for requested endpoint
  • Ambassador returns requested endpoint to user
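
The four stages above can be modelled as one decision path. This is an added example, not code from Charmed Kubeflow, Ambassador, or the gatekeeper. The cookie name, the HS256 key, the cookie attributes, and all function names are assumptions, and the code exchange with Dex is not modelled.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # assumption: HS256 key known only to the gatekeeper
COOKIE = "auth_token"              # hypothetical cookie name

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, now: int, ttl: int = 3600) -> str:
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": user, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64e(sig)}"

def verify_token(token: str, now: int):
    """Return the subject if algorithm, signature and expiry all check out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64d(header)).get("alg") != "HS256":   # reject "none" or swapped algorithms
            return None
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):     # constant-time comparison
            return None
        claims = json.loads(b64d(body))
        return claims["sub"] if claims["exp"] > now else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None                                          # malformed token: unauthenticated

def gatekeeper_check(cookies: dict, now: int):
    """Gatekeeper's answer to the proxy: (authenticated, user or redirect URL)."""
    user = verify_token(cookies.get(COOKIE, ""), now)
    return (True, user) if user else (False, "/dex")

def proxy(path: str, cookies: dict, now: int):
    """Proxy decision for one request: (status, detail)."""
    if path == "/dex" or path.startswith("/dex/"):           # exact prefix, so /dexter is still checked
        return 200, "dex"                                    # login pages skip the gatekeeper
    ok, detail = gatekeeper_check(cookies, now)
    return (200, f"upstream as {detail}") if ok else (301, detail)

def callback_cookie(user: str, now: int) -> str:
    """Set-Cookie value returned by the callback once Dex has confirmed the login."""
    return f"{COOKIE}={issue_token(user, now)}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

Matching the bypass on `/dex` exactly or on the `/dex/` prefix keeps the unauthenticated exemption from covering unrelated paths that merely begin with the same characters.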
