Flyte supports OpenID Connect. A defacto standard for user authentication. After configuring OpenID Connect, users accessing flyte console or flytectl (or other 3rd party apps) will be prompted to authenticate using the configured provider.
Flyte supports OAuth2 to control access to 3rd party and native apps. FlyteAdmin comes with a built in Authorization Server that can perform 3-legged and 2-legged OAuth2 flows. It also supports delegating these responsibilities to an external Authorization Server.
Service Authentication using OAuth2#
Propeller (and potentially other non-user facing services) can also authenticate using
client_credentials to the IdP and
be granted an
access_token to be used with admin and other backend services.
User Authentication in other clients (e.g. Cli) using OAuth2-Pkce#
Users accessing backend services through Cli should be able to use OAuth2-Pkce flow to authenticate (in a browser) to the Idp and be issued an access_token valid to communicate with the intended backend service on behalf of the user.