In Charmed Kubeflow (CKF), authentication is based on Dex. This guide describes the authentication flow for various scenarios.
Unauthenticated request
The authentication flow for an unauthenticated request consists of these steps:
- User makes an unauthenticated request
- Redirected to /dex
- User logs in via Dex
- Redirected to gatekeeper callback endpoint
- Sets a cookie with auth token for future requests
- Redirected back to original page, with authorization token
The flow of an unauthenticated request is shown here:
- A user makes a request that goes through Ambassador. To learn more about Ambassador authentication solutions, see here.
- Ambassador checks with the gatekeeper service before allowing any request to go through
- The gatekeeper service responds to Ambassador that the request is unauthenticated, and a redirect URL
- Ambassador returns an HTTP 301 redirecting user to Dex
Log in
- User makes request to /dex
- Ambassador is configured to not check with the gatekeeper for requests to /dex
- Dex presents a login page to the user
- The user submits their credentials
- Dex uses the configured connector to authenticate the user against an external auth service
- Dex may also be configured with basic username/password support. This is the default in Charmed Kubeflow.
- See the dex configuration section for more information on how to configure Dex with other connectors.
- Dex redirects the user to a callback URL managed by the gatekeeper
Receive token
- User makes request to callback URL
- Ambassador sends request to gatekeeper service
- Gatekeeper service generates JWT token in the
Set-Cookie
response header
Authenticated request
- User makes authenticated request
- Ambassador checks with the gatekeeper service to see if request is authenticated
- Gatekeeper service affirms request is authenticated by looking at JWT token
- Ambassador communicates with Kubeflow service for requested endpoint
- Ambassador returns requested endpoint to user