Understanding Authentication
OpenID Connect
Flyte supports OpenID Connect, a de facto standard for user authentication. After OpenID Connect is configured, users accessing Flyte Console or flytectl (or other third-party apps) are prompted to authenticate using the configured provider.
OAuth2
Flyte supports OAuth2 to control access to third-party and native apps. FlyteAdmin comes with a built-in Authorization Server that can perform 3-legged and 2-legged OAuth2 flows. It also supports delegating these responsibilities to an external Authorization Server.
Service Authentication using OAuth2
Propeller (and potentially other non-user-facing services) can also authenticate to the IdP using client_credentials and be granted an access_token to be used with admin and other backend services.
User Authentication in other clients (e.g. CLI) using OAuth2-PKCE
Users accessing backend services through a CLI should be able to use the OAuth2-PKCE flow to authenticate (in a browser) to the IdP and be issued an access_token valid for communicating with the intended backend service on behalf of the user.
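
The PKCE exchange described above, as an added example (not Flyte's or flytectl's own code) following RFC 7636 with the S256 method. It goes one step beyond the text by also showing the check the Authorization Server performs on the token request; the endpoint, client ID, redirect URI and scope are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def new_code_verifier() -> str:
    """Client: fresh high-entropy secret, kept in memory for one login only."""
    return secrets.token_urlsafe(32)  # 32 random bytes -> 43 base64url chars


def s256_challenge(verifier: str) -> str:
    """BASE64URL(SHA256(verifier)) without padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_url(endpoint, client_id, redirect_uri, scope, state, challenge):
    """Client: URL opened in the browser; only the challenge leaves the CLI."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # CSRF binding, compared again on the callback
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{endpoint}?{query}"


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server: check the verifier sent with the token request."""
    if not VERIFIER_RE.fullmatch(presented_verifier):
        return False  # malformed or too short: reject before hashing
    return hmac.compare_digest(s256_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = new_code_verifier()
    print(authorization_url(
        "https://idp.example.com/oauth2/authorize",        # constructed endpoint
        "example-cli", "http://localhost:53593/callback",  # constructed values
        "openid", secrets.token_urlsafe(16), s256_challenge(verifier)))
    print("token request accepted:", verify_pkce(s256_challenge(verifier), verifier))
```

Because the CLI is a public client with no client secret, the verifier is what binds the authorization code to the process that started the login: a code intercepted on the redirect cannot be redeemed without it.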