MLflow plugin adding OIDC/OAuth 2.1 client authorization
Project description
MLflow Client OIDC/OAuth 2.1 Plugin
MLflow plugin adding OIDC/OAuth 2.1 authorization support to the client, allowing the use of a tracking server secured behind a compatible proxy.
The plugin is built with OIDC Client and supports the same OIDC/OAuth 2.1 authorization flows:
- the authorization code flow, for interactive user login;
- the client credentials flow, for confidential machine-to-machine communication.
This plugin supports reading authorization settings from pyproject.toml.
Requirements
Python 3.10+
MLflow or MLflow Skinny 2+
Installation
pip install mlflow-oidc-client
Getting Started
First, add the following to the project's pyproject.toml configuration file:
[[tool.mlflow-oidc-client.tracking-servers]]
uri = "http://mlflow.example.com/" # URI of your MLflow Tracking Server
issuer = "https://auth.example.com/" # URI of your OIDC provider
client-id = "<application ID>" # Client ID of your project
You can now run MLflow client commands without any change. The plugin will match the MLFLOW_TRACKING_URI environment variable to the appropriate server configuration found in pyproject.toml.
# To list logged experiments:
MLFLOW_TRACKING_URI=http://mlflow.example.com/ mlflow experiments search
Configuration
Options may be set with environment variables or in the pyproject.toml configuration file, with environment variables taking precedence.
Each tracking server has its own [[tool.mlflow-oidc-client.tracking-servers]] block, which can be given multiple times in the same pyproject.toml.
| Environment Variable | Config File | Default Value | Description |
|---|---|---|---|
| MLFLOW_TRACKING_URI | N/A | N/A | MLflow Tracking Server URI |
| MLFLOW_TRACKING_OIDC_ISSUER | issuer | None (required) |
OIDC authorization issuer URI |
| MLFLOW_TRACKING_OIDC_CLIENT_ID | client-id | None (required) |
OIDC client ID |
| MLFLOW_TRACKING_OIDC_CLIENT_SECRET | client-secret | None |
OIDC client secret |
| MLFLOW_TRACKING_OIDC_REDIRECT_URI | redirect-uri | "http://127.0.0.1:39303/oauth2/callback" |
OIDC redirect URI |
| MLFLOW_TRACKING_OIDC_SCOPE | scope | "openid profile email" |
OIDC token scope |
| MLFLOW_TRACKING_OIDC_AUDIENCE | audience | Same as the client ID | OIDC token audience |
| MLFLOW_TRACKING_OIDC_INTERACTIVE | interactive | Interactive by default if the application is public (no client secret) | Require a user login in a browser |
| MLFLOW_TRACKING_OIDC_USE_ID_TOKEN | use-id-token | Use the ID token by default if the application is public (no client secret) | Use the ID token instead of the access token as Bearer token in the Authorization HTTP header |
Examples
Basic configuration providing interactive login for users:
[[tool.mlflow-oidc-client.tracking-servers]]
uri = "http://mlflow.example.com/"
issuer = "https://auth.example.com/"
client-id = "<application ID>"
Basic configuration for a machine-to-machine scenario (no interactive login required):
[[tool.mlflow-oidc-client.tracking-servers]]
uri = "http://mlflow.example.com/"
issuer = "https://auth.example.com/"
client-id = "<application ID>"
client-secret = "<application ID>"
audience = "<audience>" # Required by some providers (e.g. Auth0)
To avoid committing the client secret to git, you may pass it as the MLFLOW_TRACKING_OIDC_CLIENT_SECRET environment variable.
License
This project is licensed under the terms of the MIT license.
A yzr Free and Open Source project.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for mlflow_oidc_client-0.2.4-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 6c2b2b563fb11bef9536eb0282a424a21842b77ccc82ed65624a54dca9970f0c |
|
| MD5 | 4a92fa4d51f788007a832fe4ba724956 |
|
| BLAKE2b-256 | 40abbe256f9628a3e491b80bbdab96c57266a42be4bb9fba4cfa905d1022b83e |
