OIDC auth plugin for MLflow
Project description
mlflow-oidc-auth
Mlflow auth plugin to use OpenID Connect (OIDC) as authentication and authorization provider
To get it just do pip install mlflow-oidc-auth (mlflow will come as a dependency)
Configuration
The plugin required the following environment variables but also supported .env file
| Parameter | Description |
|---|---|
| OIDC_REDIRECT_URI | Application redirect/callback url (https://example.com/callback) |
| OIDC_DISCOVERY_URL | OIDC Discovery URL |
| OIDC_CLIENT_SECRET | OIDC Client Secret |
| OIDC_CLIENT_ID | OIDC Client ID |
| OIDC_PROVIDER_TYPE | can be 'oidc' or 'microsoft' |
| OIDC_PROVIDER_DISPLAY_NAME | any text to display |
| OIDC_SCOPE | OIDC scope |
| OIDC_GROUP_NAME | User group name to be allowed login to MLFlow, currently supported groups in OIDC claims and Microsoft Entra ID groups |
| OIDC_ADMIN_GROUP_NAME | User group name to be allowed login to MLFlow manage and define permissions, currently supported groups in OIDC claims and Microsoft Entra ID groups |
| OIDC_AUTHORIZATION_URL | OIDC Auth URL (if discovery URL is not defined) |
| OIDC_TOKEN_URL | OIDC Token URL (if discovery URL is not defined) |
| OIDC_USER_URL | OIDC User info URL (if discovery URL is not defined) |
| SECRET_KEY | Key to perform cookie encryption |
| OAUTHLIB_INSECURE_TRANSPORT | Development only. Allow to use insecure endpoints for OIDC |
| LOG_LEVEL | Application log level |
| OIDC_USERS_DB_URI | Database connection string |
Configuration examples
Okta
OIDC_DISCOVERY_URL = 'https://<your_domain>.okta.com/.well-known/openid-configuration'
OIDC_CLIENT_SECRET ='<super_secret>'
OIDC_CLIENT_ID ='<client_id>'
OIDC_PROVIDER_TYPE = 'oidc'
OIDC_PROVIDER_DISPLAY_NAME = "Login with Okta"
OIDC_SCOPE = "openid,profile,email,groups"
OIDC_GROUP_NAME = "mlflow-users-group-name"
OIDC_ADMIN_GROUP_NAME = "mlflow-admin-group-name"
Microsoft Entra ID
OIDC_DISCOVERY_URL = 'https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration'
OIDC_CLIENT_SECRET = '<super_secret>'
OIDC_CLIENT_ID = '<client_id>'
OIDC_PROVIDER_TYPE = 'microsoft'
OIDC_PROVIDER_DISPLAY_NAME = "Login with Microsoft"
OIDC_SCOPE = "openid,profile,email"
OIDC_GROUP_NAME = "mlflow_users_group_name"
OIDC_ADMIN_GROUP_NAME = "mlflow_admins_group_name"
please note, that for getting group membership information, the application should have "GroupMember.Read.All" permission
Development
Preconditions:
The following tools should be installed for local development:
- git
- nodejs
- python
git clone https://github.com/data-platform-hq/mlflow-oidc-auth
cd mlflow-oidc-auth
./scripts/run-dev-server.sh
License
Apache 2 Licensed. For more information please see LICENSE
Based on MLFlow basic-auth plugin
https://github.com/mlflow/mlflow/tree/master/mlflow/server/auth
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file mlflow_oidc_auth-1.3.1.tar.gz.
File metadata
- Download URL: mlflow_oidc_auth-1.3.1.tar.gz
- Upload date:
- Size: 299.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.0.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | c9da77192d2cbd27de5c8175f3fb9ecb83644c3395fd9d2ecf06c0431f73be6f |
|
| MD5 | 2a77387772f71a98bc4316285da63029 |
|
| BLAKE2b-256 | e21c88287fafe590312ef8953b4a55b799b76998ab61909c151acdc376683ba0 |
File details
Details for the file mlflow_oidc_auth-1.3.1-py3-none-any.whl.
File metadata
- Download URL: mlflow_oidc_auth-1.3.1-py3-none-any.whl
- Upload date:
- Size: 303.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.0.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 3a106528c5c0ba8739da2e17af868d63fd64ed50c41cdd77ce7430ac8c0c6c5d |
|
| MD5 | 20686d2de88cf750d70208278f09b2b6 |
|
| BLAKE2b-256 | 2f6848ac3bb960f3d9a769fbeb4f65e70d9b8268be307dc2151c59e36a596c7c |
