Authentication with External Identity Providers using Opaque Tokens
This guide describes how AuthService performs authentication for client requests that use an opaque access token from an external Identity Provider (such as PingID).
Here’s what you’ll need so that you can authenticate with an external IdP using an opaque token:
- Integration of your Arrikto EKF installation with an external Identity Provider.
- An opaque access token from your external Identity Provider.
- AuthService configured to perform remote access token validation.
You can use this method of authentication even if you use a JWT as an access token. In this case, the AuthService will simply treat it as an opaque token, meaning that it will not check its claims and all the following steps will apply.
Here is a step-by-step explanation of how AuthService authenticates clients based on their opaque access token.
1. Client: Perform an HTTP request to Kubeflow with an opaque access token in the Authorization header.
2. Istio Gateway: Intercept the HTTP request and send it to the AuthService.
3. AuthService: Check whether the HTTP request has an Authorization header. Retrieve the opaque access token from the Authorization header.
   If the client makes a request with no credentials, this check will fail. AuthService will then perform the authentication via the OIDC Authorization Code Flow. Find out more about this authentication method here:
4. AuthService: Check whether the HTTP request can be authenticated with the Kubernetes authenticator.
   When authenticating a client whose access token was granted by the external Identity Provider, this check will fail.
   If the AuthService caching mechanism is enabled and the retrieved Bearer token exists in the cache, AuthService will skip both Step 5 and Step 6 (see the respective dotted arrows in the above diagram). You can find out more on how to enable the AuthService caching mechanism in the Enable AuthService Caching Mechanism guide.
5. AuthService: Request the UserInfo Endpoint of the external Identity Provider with the retrieved opaque access token in the Authorization header.
6. AuthService: Retrieve the User ID and the groups of the user from the successful response of the external Identity Provider, using the GROUPS_CLAIM configuration options of AuthService.
   If the access token is not valid, the external Identity Provider will respond with an error response. AuthService will then continue with the session authenticator. Find out more on the session authenticator here:
7. AuthService: Respond to the Istio Gateway that the client was successfully authenticated (HTTP 200 status) and set the UserID header for the client.
8. Istio Gateway: Forward the request to Kubeflow with the UserID header.
9. Kubeflow: Perform the action that the client requested and respond back to the Istio Gateway.
   See more on how Kubeflow performs authorization by using Kubernetes RBAC:
10. Istio Gateway: Forward the response to the client.
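The AuthService side of Steps 3 to 7, as an added Go example; this is not AuthService's own code. The external Identity Provider's UserInfo Endpoint is replaced by a constructed in-process stub that accepts exactly one opaque token, and everything other than GROUPS_CLAIM is an assumption made for the example: the UserIDClaim and UserIDHeader option names, the kubeflow-userid header, the sample token and claims, and the way the cache and the fall-through to the other authenticators are represented.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"sync/atomic"
)

// Config holds the settings this walk-through needs. GroupsClaim corresponds to the
// GROUPS_CLAIM option named in the guide; the other fields are assumptions for this example.
type Config struct {
	UserInfoURL  string // UserInfo Endpoint of the external IdP
	UserIDClaim  string // assumed: claim that carries the user ID in the UserInfo response
	GroupsClaim  string // GROUPS_CLAIM
	UserIDHeader string // assumed: header set for Kubeflow on success
	CacheEnabled bool   // whether a cached token skips Steps 5 and 6
}

// Identity is the result of Steps 5 and 6.
type Identity struct {
	UserID string
	Groups []string
}

// Outcome is what AuthService answers to the Istio Gateway.
type Outcome struct {
	Status   int               // 200 on success; 0 means this path did not decide
	Headers  map[string]string // headers set on the upstream request
	Identity Identity
	Next     string // authenticator the request falls through to, if any
}

type AuthService struct {
	cfg    Config
	client *http.Client
	mu     sync.Mutex
	cache  map[string]Identity // token -> identity, used only when CacheEnabled
}

func NewAuthService(cfg Config) *AuthService {
	return &AuthService{cfg: cfg, client: http.DefaultClient, cache: map[string]Identity{}}
}

// bearerToken implements Step 3: pull the opaque token out of "Authorization: Bearer <token>".
func bearerToken(r *http.Request) (string, bool) {
	h := r.Header.Get("Authorization")
	const prefix = "bearer "
	if len(h) <= len(prefix) || !strings.EqualFold(h[:len(prefix)], prefix) {
		return "", false
	}
	tok := strings.TrimSpace(h[len(prefix):])
	return tok, tok != ""
}

// userInfo implements Step 5: present the opaque token to the IdP's UserInfo Endpoint.
// Any non-200 reply is treated as the IdP rejecting the token.
func (a *AuthService) userInfo(token string) (map[string]any, error) {
	req, err := http.NewRequest(http.MethodGet, a.cfg.UserInfoURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := a.client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("userinfo endpoint returned HTTP %d", resp.StatusCode)
	}
	var claims map[string]any
	return claims, json.NewDecoder(resp.Body).Decode(&claims)
}

// identityFromClaims implements Step 6: read the user ID and groups from the UserInfo response.
func identityFromClaims(claims map[string]any, userIDClaim, groupsClaim string) (Identity, error) {
	uid, ok := claims[userIDClaim].(string)
	if !ok || uid == "" {
		return Identity{}, errors.New("userinfo response has no usable " + userIDClaim + " claim")
	}
	id := Identity{UserID: uid}
	if raw, ok := claims[groupsClaim].([]any); ok {
		for _, g := range raw {
			if s, ok := g.(string); ok {
				id.Groups = append(id.Groups, s)
			}
		}
	}
	return id, nil
}

// Authenticate runs Steps 3 to 7 for one request handed over by the Istio Gateway.
func (a *AuthService) Authenticate(r *http.Request) Outcome {
	token, ok := bearerToken(r)
	if !ok { // Step 3 fails: no credentials, so the OIDC Authorization Code Flow takes over
		return Outcome{Next: "oidc-authorization-code-flow"}
	}
	// Step 4: the Kubernetes authenticator is modelled as always failing, which is what
	// the guide says happens for tokens issued by an external IdP.
	var id Identity
	cached := false
	if a.cfg.CacheEnabled { // cache hit skips Steps 5 and 6
		a.mu.Lock()
		id, cached = a.cache[token]
		a.mu.Unlock()
	}
	if !cached {
		claims, err := a.userInfo(token)
		if err != nil { // invalid token: IdP answered with an error, continue with the session authenticator
			return Outcome{Next: "session-authenticator"}
		}
		if id, err = identityFromClaims(claims, a.cfg.UserIDClaim, a.cfg.GroupsClaim); err != nil {
			return Outcome{Next: "session-authenticator"}
		}
		if a.cfg.CacheEnabled {
			a.mu.Lock()
			a.cache[token] = id
			a.mu.Unlock()
		}
	}
	// Step 7: report success to the gateway and set the UserID header for the client.
	return Outcome{Status: http.StatusOK, Headers: map[string]string{a.cfg.UserIDHeader: id.UserID}, Identity: id}
}

// FakeIdP is a constructed stand-in for the external IdP's UserInfo Endpoint: it accepts one
// opaque token, returns fixed claims for it, and counts how often it was asked (to show the cache skip).
type FakeIdP struct {
	*httptest.Server
	calls int32
}

func (f *FakeIdP) Calls() int32 { return atomic.LoadInt32(&f.calls) }

func NewFakeIdP(validToken string, claims map[string]any) *FakeIdP {
	f := &FakeIdP{}
	f.Server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(&f.calls, 1)
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Error(w, `{"error":"invalid_token"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(claims)
	}))
	return f
}

func main() {
	// Sample token and claims are constructed for this example.
	idp := NewFakeIdP("opaque-abc123", map[string]any{"sub": "alice", "groups": []string{"data-scientists"}})
	defer idp.Close()
	svc := NewAuthService(Config{UserInfoURL: idp.URL, UserIDClaim: "sub", GroupsClaim: "groups",
		UserIDHeader: "kubeflow-userid", CacheEnabled: true})
	for _, tok := range []string{"opaque-abc123", "opaque-abc123", "forged", ""} {
		req, _ := http.NewRequest(http.MethodGet, "http://kubeflow.example/pipeline", nil)
		if tok != "" {
			req.Header.Set("Authorization", "Bearer "+tok)
		}
		fmt.Printf("token=%q -> %+v (userinfo calls so far: %d)\n", tok, svc.Authenticate(req), idp.Calls())
	}
}
```

Running it with `go run` walks through four requests: the first valid token reaches the stub and comes back as HTTP 200 with the user ID header; the second request with the same token is answered from the cache and the stub's call counter does not move, which is the Step 5 and Step 6 skip; the forged token gets an error from the stub and the outcome records the fall-through to the session authenticator; the request with no Authorization header fails Step 3 and records the fall-through to the OIDC Authorization Code Flow. Note that nothing in this path inspects the token itself, which is why the guide says a JWT used this way is treated as opaque.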
- Find out how you can perform Authentication with External Identity Providers Using JWT, in order to let AuthService validate requests without asking the external Identity Provider.
- Find out about the Identity Providers that you can integrate your Arrikto EKF deployment with.
- Find out more regarding Bearer Token usage by checking The OAuth 2.0 Authorization Framework: Bearer Token Usage proposed standard.
In this guide you gained insight on how AuthService performs authentication for client requests that use an opaque access token from an external Identity Provider.
The next guide presents how the AuthService performs authentication with OpenID Connect (OIDC) when a user makes a request with no credentials.