Login with OIDC

This guide describes how AuthService performs authentication with OpenID Connect (OIDC) when a user makes a request with no credentials.

Here’s what you’ll need so that you can authenticate with OIDC:

Step-by-Step Analysis

Here is a step-by-step description of how an unauthenticated user follows the Authorization Code Flow (OIDC flow) to acquire their authentication credentials.

  1. User: Make a request with no credentials (such as an access token or a cookie).

  2. Istio Gateway: Intercept this request and send it to the AuthService.

  3. AuthService: Try every one of the authenticators to authenticate the user.

    Note

    All of the authenticators will fail in this case. AuthService initiates the Authorization Code Flow (OIDC Flow). It creates a state for this user request, which contains the original URL of the initial request.

  4. AuthService: Respond to the Istio Gateway with an HTTP redirect to the OIDC provider login page, with the state, client ID, and callback URL.

  5. Istio Gateway: Forward this response to the user.

  6. User: Request the OIDC provider login page, log in to the Identity Provider, and consent to logging in to Kubeflow from the Identity Provider.

  7. Identity Provider: Respond to the user with an HTTP redirect to the AuthService callback URL. Include authorization code and state as query parameters.

  8. User: Request the AuthService callback URL, adding the authorization code and state as query parameters.

  9. AuthService: Verify that the state matches the one AuthService created in step 3. Only then send the authorization code to the Identity Provider.

  10. Identity Provider: Respond to AuthService with the access, refresh (optional), and ID token for the user.

  11. AuthService: Send a request to the Token Introspection Endpoint of the Identity Provider.

  12. Identity Provider: Respond with the full list of the claims for the user.

  13. AuthService: Set a new session for this user.

  14. AuthService: Redirect the user to the reception endpoint with the proper ?next query parameter and with the session cookie.

    Note

    AuthService retrieves the original URL from the state of the user and sets the ?next query parameter to include a relative path to the original URL. Then AuthService redirects the user to the /reception?next=<ORIGINAL-URL>, for example, /reception?next=%2Fnotebook%2Fkubeflow-user%2Fmytest%2Flab.
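The fourteen steps above, modelled end to end as an added example (this is not AuthService's own code): an in-memory AuthService that issues and checks the state, a constructed stand-in for the Identity Provider, and a driver that runs the exchange for one unauthenticated request. The client ID, the URLs, the scopes, the claim names and the in-memory stores are assumptions, and the token exchange and introspection calls are direct method calls rather than HTTP requests.

```python
"""Model of the Authorization Code Flow walked through above.

Added example, not AuthService's own code. CLIENT_ID, the URLs, the scopes
and the in-memory stores are assumptions; HTTP calls are replaced by direct
method calls on a constructed stand-in Identity Provider.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Constructed configuration (assumptions, not real AuthService settings).
CLIENT_ID = "kubeflow-oidc-authservice"
CALLBACK_URL = "https://kubeflow.example.com/login/oidc"
PROVIDER_AUTH_URL = "https://idp.example.com/auth"
RECEPTION_URL = "/reception"


def relative_path(url: str) -> str:
    """Strip scheme and host so ?next can only point back into this deployment."""
    parts = urlparse(url)
    return (parts.path or "/") + (f"?{parts.query}" if parts.query else "")


@dataclass
class AuthService:
    # Step 3: state value -> original URL. The state is random and single-use.
    states: dict = field(default_factory=dict)
    # Step 13: session id (cookie value) -> claims returned by introspection.
    sessions: dict = field(default_factory=dict)

    def start_login(self, original_url: str) -> str:
        """Steps 3-4: every authenticator failed; build the redirect to the IdP."""
        state = secrets.token_urlsafe(32)
        self.states[state] = original_url
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": CALLBACK_URL,
            "scope": "openid profile email",
            "state": state,
        }
        return f"{PROVIDER_AUTH_URL}?{urlencode(params)}"

    def handle_callback(self, callback_url: str, idp) -> tuple:
        """Steps 9-14: check state, exchange code, introspect, start session, redirect."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [""])[0]
        code = query.get("code", [""])[0]
        # Step 9: the state must be one we issued; pop it so a replayed
        # callback carrying the same state is rejected.
        original_url = self.states.pop(state, None)
        if original_url is None:
            raise PermissionError("state does not match any pending login")
        tokens = idp.exchange_code(code)                  # step 10
        claims = idp.introspect(tokens["access_token"])   # steps 11-12
        session_id = secrets.token_urlsafe(32)            # step 13
        self.sessions[session_id] = claims
        # Step 14: ?next holds the URL-encoded relative path of the original URL.
        redirect = f"{RECEPTION_URL}?next={quote(relative_path(original_url), safe='')}"
        return redirect, session_id


class FakeIdentityProvider:
    """Constructed stand-in for steps 7, 10 and 12; not a real OIDC provider."""

    def __init__(self):
        self.codes = {}   # authorization code -> user claims (single use)
        self.tokens = {}  # access token -> user claims

    def login(self, auth_redirect: str, user: dict) -> str:
        """Steps 6-7: the user logs in and consents; redirect back with code + state."""
        q = parse_qs(urlparse(auth_redirect).query)
        # A provider only redirects to the redirect_uri registered for the client.
        if q.get("client_id") != [CLIENT_ID] or q.get("redirect_uri") != [CALLBACK_URL]:
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = user
        state = q.get("state", [""])[0]
        return f"{CALLBACK_URL}?{urlencode({'code': code, 'state': state})}"

    def exchange_code(self, code: str) -> dict:
        """Step 10: trade a fresh authorization code for tokens (refresh token optional)."""
        user = self.codes.pop(code, None)
        if user is None:
            raise PermissionError("unknown or already used authorization code")
        access = secrets.token_urlsafe(16)
        self.tokens[access] = user
        return {"access_token": access, "id_token": "<constructed>", "refresh_token": None}

    def introspect(self, access_token: str) -> dict:
        """Step 12: return the claims for a valid access token."""
        return dict(self.tokens[access_token])


def run_flow(original_url: str, user: dict) -> dict:
    """Drive steps 3-14 end to end for one unauthenticated request."""
    authservice, idp = AuthService(), FakeIdentityProvider()
    auth_redirect = authservice.start_login(original_url)   # steps 3-5
    callback = idp.login(auth_redirect, user)               # steps 6-8
    redirect, session_id = authservice.handle_callback(callback, idp)
    return {"redirect": redirect, "cookie": session_id,
            "claims": authservice.sessions[session_id]}


if __name__ == "__main__":
    result = run_flow("https://kubeflow.example.com/notebook/kubeflow-user/mytest/lab",
                      {"email": "user@example.com"})
    print(result["redirect"])  # /reception?next=%2Fnotebook%2Fkubeflow-user%2Fmytest%2Flab
```

Two points the model makes visible that the step list only implies: the state is popped on first use, so a callback that arrives with an unknown or already consumed state is refused before any code is sent to the Identity Provider (step 9), and only the relative path of the original URL is placed in ?next, so the reception redirect cannot be made to leave the deployment.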

See also

For more information, check the following:

Summary

In this guide you gained insight on how AuthService performs authentication with OpenID Connect when a user makes a request with no credentials.

What’s Next

The next guide presents how Kubeflow Reception creates an account for a client.