Login with OIDC
This guide describes how AuthService performs authentication with OpenID Connect (OIDC) when a user makes a request with no credentials.
Here’s what you’ll need to authenticate with OIDC:
- An Arrikto EKF deployment integrated with an external Identity Provider.
- An existing user account for this Identity Provider.
Here is a step-by-step description of how an unauthenticated user follows the Authorization Code Flow (OIDC flow) to acquire their authentication credentials.
1. User: Make a request with no credentials (no access token and no session cookie).
2. Istio Gateway: Intercept this request and send it to AuthService.
3. AuthService: Try every one of the configured authenticators to authenticate the user. All of them fail in this case, so AuthService initiates the Authorization Code Flow (OIDC flow): it creates a state for this request, which records the original URL the user asked for.
4. AuthService: Respond to the Istio Gateway with an HTTP redirect to the OIDC provider login page, carrying the state, the client ID, and the callback URL as query parameters.
5. Istio Gateway: Forward this response to the user.
6. User: Request the OIDC provider login page and log in at the Identity Provider. Consent to logging in to Kubeflow from the Identity Provider.
7. Identity Provider: Respond to the user with an HTTP redirect to the AuthService callback URL, with the authorization code and the state as query parameters.
8. User: Request the AuthService callback URL, passing the authorization code and the state as query parameters.
9. AuthService: Verify that the state matches one that AuthService created in step 3. Only then send the authorization code to the Identity Provider. This check is what stops an attacker from completing the flow with an authorization code of their own (login CSRF); a callback with an unknown or already used state must be rejected before any code exchange.
10. Identity Provider: Respond to AuthService with the access token, the ID token, and (optionally) a refresh token for the user.
11. AuthService: Send a request to the Token Introspection Endpoint of the Identity Provider.
12. Identity Provider: Respond with the full list of claims for the user.
13. AuthService: Create a new session for this user.
14. AuthService: Redirect the user to the reception endpoint with the proper `?next` query parameter and with a session cookie. AuthService retrieves the original URL from the user's state and sets `?next` to the relative path of that URL (the path only, never a full URL, so the redirect cannot be pointed off-site). Then AuthService redirects the user to `/reception?next=<ORIGINAL-URL>`, for example,
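The Go program below is an added example written for this page; it is not AuthService's own code. It implements the relying-party side of steps 3, 4, 9, 10 and 14 above: minting a one-time random state that records the original URL, building the redirect to the provider's login page, refusing a callback whose state is unknown or already consumed, exchanging the authorization code at the token endpoint, and deriving the `/reception?next=` redirect from the relative path of the original URL only. The endpoint URLs, client ID, client secret, and token values are placeholders, and the token introspection and session steps (11 to 13) are marked by a comment rather than implemented.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Config is the client registration AuthService was given at deployment (all values used with it here are placeholders).
type Config struct {
	AuthEndpoint, TokenEndpoint string // provider login page and token endpoint
	ClientID, ClientSecret      string
	RedirectURI                 string // AuthService callback URL
}

// StateStore maps each minted state to the original URL that triggered the login (step 3). A plain map suffices here; a real server needs locking.
type StateStore map[string]string

// NewState mints an unguessable state and remembers the original URL (step 3).
func (s StateStore) NewState(originalURL string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	state := base64.RawURLEncoding.EncodeToString(b)
	s[state] = originalURL
	return state, nil
}

// Consume returns and deletes a state: each one is valid exactly once, so replays fail.
func (s StateStore) Consume(state string) (string, bool) {
	orig, ok := s[state]
	delete(s, state)
	return orig, ok
}

// AuthorizeURL is the Location of the redirect to the provider login page (step 4).
func AuthorizeURL(cfg Config, state string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {cfg.ClientID}, "redirect_uri": {cfg.RedirectURI}, "scope": {"openid profile email"}, "state": {state}}
	return cfg.AuthEndpoint + "?" + q.Encode()
}

// Tokens is the part of the token endpoint response used here (step 10).
type Tokens struct {
	AccessToken string `json:"access_token"`
	IDToken     string `json:"id_token"`
}

// ExchangeCode posts the authorization code to the token endpoint (step 9); the client secret travels in the form body (client_secret_post).
func ExchangeCode(cfg Config, client *http.Client, code string) (*Tokens, error) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {cfg.RedirectURI}, "client_id": {cfg.ClientID}, "client_secret": {cfg.ClientSecret}}
	resp, err := client.PostForm(cfg.TokenEndpoint, form)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	var t Tokens
	if err := json.NewDecoder(resp.Body).Decode(&t); err != nil || t.IDToken == "" {
		return nil, errors.New("token response is malformed or has no id_token")
	}
	return &t, nil
}

// ReceptionRedirect builds /reception?next=<ORIGINAL-URL> (step 14). Only the path
// and query of the original URL are kept, so next can never point off-site.
func ReceptionRedirect(originalURL string) string {
	next := "/"
	if u, err := url.Parse(originalURL); err == nil {
		next = u.RequestURI()
	}
	return "/reception?next=" + url.QueryEscape(next)
}

// HandleCallback is the AuthService side of steps 8 to 14: check the state first, then exchange the code and compute the redirect.
func HandleCallback(cfg Config, store StateStore, client *http.Client, q url.Values) (string, *Tokens, error) {
	original, ok := store.Consume(q.Get("state"))
	if !ok {
		return "", nil, errors.New("unknown or reused state; callback ignored")
	}
	tok, err := ExchangeCode(cfg, client, q.Get("code"))
	if err != nil {
		return "", nil, err
	}
	// A full AuthService introspects the token (steps 11, 12) and creates the session cookie (step 13) here.
	return ReceptionRedirect(original), tok, nil
}

func main() {
	state, _ := StateStore{}.NewState("https://kubeflow.example.com/pipeline/")
	fmt.Println("302 Location:", AuthorizeURL(Config{AuthEndpoint: "https://idp.example.com/auth", ClientID: "kubeflow", RedirectURI: "https://kubeflow.example.com/authservice/oidc/callback"}, state))
}
```

Running it prints the Location header AuthService would send in step 4. To exercise the callback path offline, point `TokenEndpoint` at a stub HTTP server that answers the code exchange with a JSON token response; the forged-state and replayed-state cases then fail without the stub ever being contacted, which is the ordering step 9 requires.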
For more information, check the following:
- OIDC Code Flow.
- OAuth2 Authorization Code Grant Flow.
- Arrikto’s journal on authentication with Istio and Dex.
In this guide you gained insight into how AuthService performs authentication with OpenID Connect when a user makes a request with no credentials.
The next guide presents how Kubeflow Reception creates an account for a client.