flytekit.clients.auth.authenticator
0.1.dev2192+g7c539c3.d20250403
flytekit.clients.auth.authenticator
Base authenticator for all authentication flows
class Authenticator (
endpoint: str,
header_key: str,
credentials: flytekit. clients. auth. keyring. Credentials,
http_proxy_url: typing. Optional[str],
verify: typing. Union[bool, str, NoneType],
)
Parameter
Type
endpointstr
header_keystr
credentialsflytekit.clients.auth.keyring.Credentials
http_proxy_urltyping.Optional[str]
verifytyping.Union[bool, str, NoneType]
def fetch_grpc_call_auth_metadata ()
def refresh_credentials ()
Client Configuration that is needed by the authenticator
class ClientConfig (
token_endpoint: str,
authorization_endpoint: str,
redirect_uri: str,
client_id: str,
device_authorization_endpoint: typing. Optional[str],
scopes: typing. List[str],
header_key: str,
audience: typing. Optional[str],
)
Parameter
Type
token_endpointstr
authorization_endpointstr
redirect_uristr
client_idstr
device_authorization_endpointtyping.Optional[str]
scopestyping.List[str]
header_keystr
audiencetyping.Optional[str]
Client Config store retrieve client config. this can be done in multiple ways
This Authenticator uses ClientId and ClientSecret to authenticate
class ClientCredentialsAuthenticator (
endpoint: str,
client_id: str,
client_secret: str,
cfg_store: flytekit. clients. auth. authenticator. ClientConfigStore,
header_key: typing. Optional[str],
scopes: typing. Optional[typing. List[str]],
http_proxy_url: typing. Optional[str],
verify: typing. Union[bool, str, NoneType],
audience: typing. Optional[str],
session: typing. Optional[requests. sessions. Session],
)
Parameter
Type
endpointstr
client_idstr
client_secretstr
cfg_storeflytekit.clients.auth.authenticator.ClientConfigStore
header_keytyping.Optional[str]
scopestyping.Optional[typing.List[str]]
http_proxy_urltyping.Optional[str]
verifytyping.Union[bool, str, NoneType]
audiencetyping.Optional[str]
sessiontyping.Optional[requests.sessions.Session]
def fetch_grpc_call_auth_metadata ()
def refresh_credentials ()
This function is used by the _handle_rpc_error() decorator, depending on the AUTH_MODE config object. This handler
is meant for SDK use-cases of auth (like pyflyte, or when users call SDK functions that require access to Admin,
like when waiting for another workflow to complete from within a task). This function uses basic auth, which means
the credentials for basic auth must be present from wherever this code is running.
This Authenticator retrieves access_token using the provided command
class CommandAuthenticator (
command: typing. List[str],
header_key: str,
)
Parameter
Type
commandtyping.List[str]
header_keystr
def fetch_grpc_call_auth_metadata ()
def refresh_credentials ()
This function is used when the configuration value for AUTH_MODE is set to ’external_process’.
It reads an id token generated by an external process started by running the ‘command’.
This Authenticator implements the Device Code authorization flow useful for headless user authentication.
Examples described
class DeviceCodeAuthenticator (
endpoint: str,
cfg_store: flytekit. clients. auth. authenticator. ClientConfigStore,
header_key: typing. Optional[str],
audience: typing. Optional[str],
scopes: typing. Optional[typing. List[str]],
http_proxy_url: typing. Optional[str],
verify: typing. Union[bool, str, NoneType],
session: typing. Optional[requests. sessions. Session],
)
Parameter
Type
endpointstr
cfg_storeflytekit.clients.auth.authenticator.ClientConfigStore
header_keytyping.Optional[str]
audiencetyping.Optional[str]
scopestyping.Optional[typing.List[str]]
http_proxy_urltyping.Optional[str]
verifytyping.Union[bool, str, NoneType]
sessiontyping.Optional[requests.sessions.Session]
def fetch_grpc_call_auth_metadata ()
def refresh_credentials ()
This Authenticator encapsulates the entire PKCE flow and automatically opens a browser window for login
For Auth0 - you will need to manually configure your config.yaml to include a scopes list of the syntax:
admin.scopes: [“offline_access”, “offline”, “all”, “openid”] and/or similar scopes in order to get the refresh token +
caching. Otherwise, it will just receive the access token alone. Your FlyteCTL Helm config however should only
contain [“offline”, “all”] - as OIDC scopes are ungrantable in Auth0 customer APIs. They are simply requested
for in the POST request during the token caching process.
class PKCEAuthenticator (
endpoint: str,
cfg_store: flytekit. clients. auth. authenticator. ClientConfigStore,
scopes: typing. Optional[typing. List[str]],
header_key: typing. Optional[str],
verify: typing. Union[bool, str, NoneType],
session: typing. Optional[requests. sessions. Session],
)
Initialize with default creds from KeyStore using the endpoint name
Parameter
Type
endpointstr
cfg_storeflytekit.clients.auth.authenticator.ClientConfigStore
scopestyping.Optional[typing.List[str]]
header_keytyping.Optional[str]
verifytyping.Union[bool, str, NoneType]
sessiontyping.Optional[requests.sessions.Session]
def fetch_grpc_call_auth_metadata ()
def refresh_credentials ()
Client Config store retrieve client config. this can be done in multiple ways
class StaticClientConfigStore (
cfg: flytekit. clients. auth. authenticator. ClientConfig,
)
Parameter
Type
cfgflytekit.clients.auth.authenticator.ClientConfig
