Authentication with Cookie¶
This guide describes how AuthService performs authentication with OpenID Connect (OIDC) when the client makes a request with a cookie.
Note
In this guide, we use Client instead of User as the actor of the described Step-by-Step Analysis. AuthService can authenticate both users and their programmatic clients based on their cookie. A programmatic client is an application of the user that can make distinct requests. Therefore, AuthService must authenticate the programmatic client that made the request.
Here’s what you’ll need so that you can authenticate with a cookie:
- An Arrikto EKF deployment integrated with an external Identity Provider.
- An existing user account for this Identity Provider.
- The client must have logged in with OIDC (Login with OIDC). AuthService has created and given a cookie to the client.
- Kubeflow Reception must have created an account for this user (Account Creation).
Step-by-Step Analysis¶
Here is a step-by-step description of how AuthService authenticates clients based on their cookie.
Client: Request the URL with the cookie.
Istio Gateway: Forward the request to the AuthService.
AuthService: Check if the Kubernetes authentication method can authenticate this request.
Note
When authenticating a client with their cookie this check will fail.
AuthService: Check if one of the access token authentication methods can authenticate this request.
Note
When authenticating a client with their cookie this check will fail.
AuthService: Authenticate the client based on the session from the cookie.
AuthService: Respond to the Istio Gateway that the client was successfully authenticated (
HTTP 200
status) and set the UserID header for the client.Istio Gateway: Forward the request to Kubeflow with the UserID header.
Kubeflow: Perform the action that the client requested and respond to the Istio Gateway.
See also
See more on how Kubeflow performs authorization by using Kubernetes RBAC:
Istio Gateway: Forward the response to the client.
Summary¶
In this guide you gained insight on how AuthService performs authentication with OpenID Connect when the client makes a request with a cookie.
What’s Next¶
The next guide describes User Authentication procedure end-to-end.