Authentication using OIDC

Authentication and authorization support through OIDC for Kubeflow in AWS

This section shows the how to setup Kubeflow with authentication and authorization support through OIDC in Amazon Web Services (AWS). Similar to Cognito tutorial.

Enable TLS and Authentication

Right now, certificates for ALB public DNS names are not supported. Instead, you must prepare a custom domain. You can register your domain in Route53 or any domain provider such as GoDaddy.com.

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

To get TLS support from the ALB Ingress Controller, you need to follow this tutorial to request a certificate in AWS Certificate Manager. After successful validation, you will get a certificate ARN to use with the ALB Ingress Controller.

Note: Even you need to create a certificate ARN, we don’t necessarily need a custom domain unless you want to use it, you can still use ALB ingress hostname to visit kubeflow central dashboard.

Cognito Certificate ARN

OIDC allows clients to verify the identity of the End-User based on the authentication performed by an Authorization Server. OIDC allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. You can use any OIDC compatible solutions including Google, Facebook and Github for authentication. For this tutorial, we take Github Login as an example.

In order to authenticate and manage users for Kubeflow, let’s first connect Auth0 app to Github. You can follow instructions here or follow below detailed steps:

1. Register Your New App on Auth0

You should go to the Auth0 page to sign up and login at first.

Auth0 Login

Then you can look at below page and modify the domain name Under TENANT DOMAIN to be your preferable domain name and take notes.

Auth0 Welcome Page

After modification, click NEXT button. Then you can set up your personal information there and click CREATE ACCOUNT button.

2. Add a new Application in Github

To add a new application, log in to GitHub and go to OAuth Apps in your developer settings. Next click Register a new application.

Github Oauth App Register

3. Register Your New App on Github

On the Register a new application page fill out the form with the following information. Modify the parameters to reflect your application.

In step 1, you registered new app on Auth0 and there’s a TENANT DOMAIN. Now it is your Github Homepage URL with prefix of https://. For example, if your Auth0 tenant domain was kftest.auth0.com, your Github Homepage URL would be https://kftest.auth0.com and your redirect URL would be https://kftest.auth0.com/login/callback.

Github Oauth App Register Details

After completing the form click Register application to proceed.

4. Configure Github and Auth0 app

Once the application is registered, your app’s Client ID and Client Secret will be displayed on the following page:

Github Oauth App Client ID Secret

Go to your Auth0 Dashboard, after log into Auth0 Dashboard, select Connections > Social, then choose Github. Copy the Client ID and Client Secret from the Developer Applications of your app on Github into the fields on this page on Auth0.

Auth0 Github Setup

Then click SAVE button and go to the Auth0 Dashboard, take a note about the Client ID and Client Secret, which are found on your Auth0 application.

Auth0 App ClienID and ClientSecret

5. Deploy Kubeflow

Download kfctl_aws_cognito.v1.0.1.yaml. Before you kfctl apply -V -f kfctl_aws_cognito.v1.0.1.yaml, please update spec and repos fields in your Kubeflow configuration file at kfctl_aws_cognito.v1.0.1.yaml, so that it looks like this:

plugins:
- kind: KfAwsPlugin
  metadata:
    name: aws
  spec:
    auth:
      oidc:
        certArn: arn:aws:acm:us-west-2:########:certificate/#######-#####-###-#
        oAuthClientId: Your Auth0 App Client Id
        oAuthClientSecret: Your Auth0 App Client Secret
        oidcAuthorizationEndpoint: https://kftest.auth0.com/authorize
        oidcIssuer: https://kftest.auth0.com/
        oidcTokenEndpoint: https://kftest.auth0.com/oauth/token
        oidcUserInfoEndpoint: https://kftest.auth0.com/userinfo
      region: us-west-2
      enablePodIamPolicy: true
  repos:
  - name: manifests
    uri: https://github.com/kubeflow/manifests/archive/v1.0-branch.tar.gz

After you finish the TLS and Authentication configuration, then you can run kfctl apply -V -f kfctl_aws_cognito.v1.0.1.yaml.

After a while, your ALB will be ready, you can get ALB hostname by running follow command.

kubectl get ingress istio-ingress -n istio-system
NAME            HOSTS   ADDRESS                                                                 PORTS   AGE
istio-ingress   *       322ac077-istiosystem-istio-2af2-786120677.us-west-2.elb.amazonaws.com   80      56s

On Auth0 dashboard, click Applications on the left navigation bar, modify your ALB Hostname with prefix https:// and postfix /oauth2/idpresponse in Allowed Callback URLs as below image:

Auth0 App Callback URL

Succeed example

After you set up above steps, navigate the application from https://Your ALB HostName and you’ll see a webpage like below:

ALB Hostname Login

After you login with Github, you should succeed in seeing a kubeflow dashboard webpage.

Trouble shooting

If you can not see alb come up, the first thing you can do is check logs.

# Get pod name
kubectl get pods -l  app.kubernetes.io/name=aws-alb-ingress-controller -n kubeflow

# Check logs
kubectl logs -f alb-ingress-controller-xxxx-xxxx -n kubeflow

If you want to make same changes to your setting, you don’t have to delete and install kubeflow. Instead, you can run follow command to exam the configuration and make the changes.

Kubernetes ingress with all ALB settings

$ kubectl get ingress istio-ingress -n istio-system -o yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/auth-idp-oidc: '{"Issuer":" https://kftest.auth0.com","AuthorizationEndpoint":"https://kftest.auth0.com/authorize","TokenEndpoint":"https://kftest.auth0.com/oauth/token","UserInfoEndpoint":"https://kftest.auth0.com/userinfo","SecretName":"alb-oidc-secret"}'
    alb.ingress.kubernetes.io/auth-scope: email openid profile
    alb.ingress.kubernetes.io/auth-type: oidc
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:########:certificate/#######-#####-###-#
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing

Kubernetes secret of OIDC clientId and clientSecret. This is generated by kfctl automatically from your oAuthClientId and oAuthClientSecret in KfAwsPlugin.

$ kubectl get secret alb-oidc-secret -n istio-system -o yaml

apiVersion: v1
data:
  clientId: alZYN#################aclpjeEU=
  clientSecret: cG1OeEM#################################yMzdvMjdENTNfMnRDWg==