flytekit.clients.auth.authenticator
Base authenticator for all authentication flows
class Authenticator(
endpoint: str,
header_key: str,
credentials: flytekit.clients.auth.keyring.Credentials,
http_proxy_url: typing.Optional[str],
verify: typing.Union[bool, str, NoneType],
)
| Parameter |
Type |
Description |
endpoint |
str |
|
header_key |
str |
|
credentials |
flytekit.clients.auth.keyring.Credentials |
|
http_proxy_url |
typing.Optional[str] |
|
verify |
typing.Union[bool, str, NoneType] |
|
def fetch_grpc_call_auth_metadata()
def refresh_credentials()
Client Configuration that is needed by the authenticator
class ClientConfig(
token_endpoint: str,
authorization_endpoint: str,
redirect_uri: str,
client_id: str,
device_authorization_endpoint: typing.Optional[str],
scopes: typing.List[str],
header_key: str,
audience: typing.Optional[str],
)
| Parameter |
Type |
Description |
token_endpoint |
str |
|
authorization_endpoint |
str |
|
redirect_uri |
str |
|
client_id |
str |
|
device_authorization_endpoint |
typing.Optional[str] |
|
scopes |
typing.List[str] |
|
header_key |
str |
|
audience |
typing.Optional[str] |
|
Client Config store retrieve client config. this can be done in multiple ways
This Authenticator uses ClientId and ClientSecret to authenticate
class ClientCredentialsAuthenticator(
endpoint: str,
client_id: str,
client_secret: str,
cfg_store: flytekit.clients.auth.authenticator.ClientConfigStore,
header_key: typing.Optional[str],
scopes: typing.Optional[typing.List[str]],
http_proxy_url: typing.Optional[str],
verify: typing.Union[bool, str, NoneType],
audience: typing.Optional[str],
session: typing.Optional[requests.sessions.Session],
)
| Parameter |
Type |
Description |
endpoint |
str |
|
client_id |
str |
|
client_secret |
str |
|
cfg_store |
flytekit.clients.auth.authenticator.ClientConfigStore |
|
header_key |
typing.Optional[str] |
|
scopes |
typing.Optional[typing.List[str]] |
|
http_proxy_url |
typing.Optional[str] |
|
verify |
typing.Union[bool, str, NoneType] |
|
audience |
typing.Optional[str] |
|
session |
typing.Optional[requests.sessions.Session] |
|
def fetch_grpc_call_auth_metadata()
def refresh_credentials()
This function is used by the _handle_rpc_error() decorator, depending on the AUTH_MODE config object. This handler
is meant for SDK use-cases of auth (like pyflyte, or when users call SDK functions that require access to Admin,
like when waiting for another workflow to complete from within a task). This function uses basic auth, which means
the credentials for basic auth must be present from wherever this code is running.
This Authenticator retrieves access_token using the provided command
class CommandAuthenticator(
command: typing.List[str],
header_key: str,
)
| Parameter |
Type |
Description |
command |
typing.List[str] |
|
header_key |
str |
|
def fetch_grpc_call_auth_metadata()
def refresh_credentials()
This function is used when the configuration value for AUTH_MODE is set to ’external_process’.
It reads an id token generated by an external process started by running the ‘command’.
This Authenticator implements the Device Code authorization flow useful for headless user authentication.
Examples described
class DeviceCodeAuthenticator(
endpoint: str,
cfg_store: flytekit.clients.auth.authenticator.ClientConfigStore,
header_key: typing.Optional[str],
audience: typing.Optional[str],
scopes: typing.Optional[typing.List[str]],
http_proxy_url: typing.Optional[str],
verify: typing.Union[bool, str, NoneType],
session: typing.Optional[requests.sessions.Session],
)
| Parameter |
Type |
Description |
endpoint |
str |
|
cfg_store |
flytekit.clients.auth.authenticator.ClientConfigStore |
|
header_key |
typing.Optional[str] |
|
audience |
typing.Optional[str] |
|
scopes |
typing.Optional[typing.List[str]] |
|
http_proxy_url |
typing.Optional[str] |
|
verify |
typing.Union[bool, str, NoneType] |
|
session |
typing.Optional[requests.sessions.Session] |
|
def fetch_grpc_call_auth_metadata()
def refresh_credentials()
This Authenticator encapsulates the entire PKCE flow and automatically opens a browser window for login
For Auth0 - you will need to manually configure your config.yaml to include a scopes list of the syntax:
admin.scopes: [“offline_access”, “offline”, “all”, “openid”] and/or similar scopes in order to get the refresh token +
caching. Otherwise, it will just receive the access token alone. Your FlyteCTL Helm config however should only
contain [“offline”, “all”] - as OIDC scopes are ungrantable in Auth0 customer APIs. They are simply requested
for in the POST request during the token caching process.
class PKCEAuthenticator(
endpoint: str,
cfg_store: flytekit.clients.auth.authenticator.ClientConfigStore,
scopes: typing.Optional[typing.List[str]],
header_key: typing.Optional[str],
verify: typing.Union[bool, str, NoneType],
session: typing.Optional[requests.sessions.Session],
)
Initialize with default creds from KeyStore using the endpoint name
| Parameter |
Type |
Description |
endpoint |
str |
|
cfg_store |
flytekit.clients.auth.authenticator.ClientConfigStore |
|
scopes |
typing.Optional[typing.List[str]] |
|
header_key |
typing.Optional[str] |
|
verify |
typing.Union[bool, str, NoneType] |
|
session |
typing.Optional[requests.sessions.Session] |
|
def fetch_grpc_call_auth_metadata()
def refresh_credentials()
class StaticClientConfigStore(
cfg: flytekit.clients.auth.authenticator.ClientConfig,
)
| Parameter |
Type |
Description |
cfg |
flytekit.clients.auth.authenticator.ClientConfig |
|
