Login with OIDC
This guide describes how AuthService performs authentication with OpenID Connect (OIDC) when a user makes a request with no credentials.
Here’s what you’ll need so that you can authenticate with OIDC:
- An Arrikto EKF deployment integrated with an external Identity Provider.
- An existing user account for this Identity Provider.
Step-by-Step Analysis
Here is a step-by-step description of how an unauthenticated user follows the Authorization Code Flow (OIDC flow) to acquire their authentication credentials.
1. User: Make a request with no credentials (such as an access token or cookie).
2. Istio Gateway: Intercept this request and send it to the AuthService.
3. AuthService: Try every one of the authenticators to authenticate the user.
Note
All of the authenticators will fail in this case. AuthService initiates the Authorization Code Flow (OIDC Flow). It creates a state for this user request, which contains the original URL of the initial request.
4. AuthService: Respond to the Istio Gateway with an HTTP redirect to the OIDC provider login page, with the state, client ID, and callback URL.
5. Istio Gateway: Forward this response to the user.
6. User: Request the OIDC provider login page and log in to the Identity Provider. Consent to log in to Kubeflow from the Identity Provider.
7. Identity Provider: Respond to the user with an HTTP redirect to the AuthService callback URL. Include the authorization code and state as query parameters.
8. User: Request the AuthService callback URL, adding the authorization code and state as query parameters.
9. AuthService: Verify that the state matches the one AuthService created in step 3. Only then send the authorization code to the Identity Provider.
10. Identity Provider: Respond to AuthService with the access, refresh (optional), and ID token for the user.
11. AuthService: Send a request to the Token Introspection Endpoint of the Identity Provider.
12. Identity Provider: Respond with the full list of the claims for the user.
13. AuthService: Set a new session for this user.
14. AuthService: Redirect the user to the reception endpoint with the proper ?next query parameter and with a cookie.
Note
AuthService retrieves the original URL from the state of the user and sets the ?next query parameter to include a relative path to the original URL. Then AuthService redirects the user to /reception?next=<ORIGINAL-URL>, for example, /reception?next=%2Fnotebook%2Fkubeflow-user%2Fmytest%2Flab.
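The state handling that the flow above relies on (step 3 creates the state, step 9 refuses to use the authorization code unless the state matches, step 14 turns the stored original URL into a relative ?next value) can be seen in a small model of the AuthService side. This is an added Python example written for this guide, not AuthService's own code: the class and function names, the in-memory state store, the requested scopes, and the example hostnames are assumptions, and the token exchange and introspection calls to the Identity Provider (steps 9 to 12) are not performed because they need a live provider.

```python
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse


def parse_query(url):
    """Return the query parameters of a URL as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def reception_redirect(original_url):
    """Build the /reception?next=<ORIGINAL-URL> redirect of step 14.

    Only the path and query of the original URL are kept, so ``next`` is always
    a relative path on this deployment and never an absolute URL to another host.
    """
    parts = urlparse(original_url)
    relative = parts.path or "/"
    if parts.query:
        relative += "?" + parts.query
    return "/reception?next=" + quote(relative, safe="")


class AuthServiceFlow:
    """Minimal model of the AuthService side of the Authorization Code Flow (hypothetical)."""

    def __init__(self, provider_auth_url, client_id, callback_url):
        self.provider_auth_url = provider_auth_url
        self.client_id = client_id
        self.callback_url = callback_url
        # Server-side state store: state value -> original request URL.
        # Keeping the URL here rather than in the redirect means the client
        # never sees or controls where it is sent after login.
        self._pending = {}

    def begin_login(self, original_url):
        """Steps 3 and 4: create a state for this request and build the IdP redirect."""
        state = secrets.token_urlsafe(32)  # unguessable, single use
        self._pending[state] = original_url
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.callback_url,
            "scope": "openid profile email",  # assumed scope list
            "state": state,
        }
        return self.provider_auth_url + "?" + urlencode(params)

    def handle_callback(self, callback_request_url):
        """Steps 8 and 9: check the returned state before touching the code.

        Returns (authorization_code, reception_redirect_url). Exchanging the code
        for tokens and introspecting them are HTTPS calls to the Identity Provider
        and are outside this offline example.
        """
        query = parse_query(callback_request_url)
        state = query.get("state")
        code = query.get("code")
        # pop() makes the state single use, so a replayed callback is rejected.
        original_url = self._pending.pop(state, None) if state else None
        if original_url is None:
            raise PermissionError("unknown or reused state; refusing to exchange code")
        if not code:
            raise ValueError("callback carries no authorization code")
        return code, reception_redirect(original_url)


if __name__ == "__main__":
    # Constructed walk-through with example hostnames.
    flow = AuthServiceFlow(
        "https://idp.example.com/auth",
        "kubeflow-authservice",
        "https://kubeflow.example.com/authservice/oidc/callback",
    )
    redirect = flow.begin_login("https://kubeflow.example.com/notebook/kubeflow-user/mytest/lab")
    print("step 4 redirect:", redirect)
    state = parse_query(redirect)["state"]
    callback = flow.callback_url + "?code=EXAMPLE-CODE&state=" + state
    code, target = flow.handle_callback(callback)
    print("step 9 code to exchange:", code)
    print("step 14 redirect:", target)
```

The ?next value produced for the notebook URL is exactly the one shown in the note above. A second callback carrying the same state, or a state the service never issued, is rejected before any authorization code is sent to the Identity Provider, which is the property step 9 depends on.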
See also
For more information, check the following:
- OIDC Code Flow.
- OAuth2 Authorization Code Grant Flow.
- Arrikto’s journal on authentication with Istio and Dex.
Summary
In this guide you gained insight into how AuthService performs authentication with OpenID Connect when a user makes a request with no credentials.
What’s Next
The next guide presents how Kubeflow Reception creates an account for a client.