Use a generic OAuth2 client credentials flow to login to the Cloud API #3041
|
# Get an auth token from auth0 | ||
auth0_url = f"https://{self._config.auth0_domain}/oauth/token" | ||
login_url = f"{self._config.api_url}/auth/login" |
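Review bot: the comment `# Get an auth token from auth0` now sits above a `login_url` that points at `{self._config.api_url}/auth/login`, so it describes the old endpoint; reword it to say the token comes from the configured OAuth2 login endpoint. On the `login_url` line, plain interpolation produces `//auth/login` when `api_url` is configured with a trailing slash; stripping it first (for example `self._config.api_url.rstrip("/")`) avoids that.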
Maybe we need to keep the full URL configurable, so one can set it to an older value as well?
I mean now we are locking ourselves into an in-house implementation, which is not a bad thing per se. So you can also ignore this.
I agree, but I'm trying to keep the current tenant environment variables still valid for now, and the API URL we already have in its base form.
To support fully configurable URLs, I would have to make changes to the tenant deployment configurations while also supporting backwards-compatibility for older tenants, which makes this more difficult.
Describe changes
Currently, the ZenML Pro tenants are hard-coded to use Auth0 to fetch the M2M tokens needed to access the ZenML Pro API. This PR changes that and makes the implementation generic, allowing ZenML Pro tenants to connect to any authentication server that supports the OAuth2 client credentials grant, not just Auth0.
This allows ZenML Pro tenants to connect straight to the ZenML Pro API itself to fetch M2M tokens through the client credentials grant instead of Auth0.
This is paired with https://github.com/zenml-io/zenml-cloud-api/pull/223 which adds OAuth2 client credentials grant support to the ZenML Pro API.
Note: no configuration changes are needed from the ZenML Pro deployments themselves, because they will be using the same client ID and client secret to connect to the ZenML Pro API. However, as a future security hardening measure, each tenant will be given its own client ID (probably the same as the tenant ID) and client secret.
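As an added illustration (not code from this PR or from ZenML), here is a minimal RFC 6749 section 4.4 client credentials client for a token endpoint at `{api_url}/auth/login`, with HTTPS enforcement and token reuse until shortly before expiry. Only that path comes from the diff; HTTP Basic client authentication, the response fields checked, and all function and class names are assumptions.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/auth/login"  # path taken from the diff; everything else is assumed


def token_url(api_url: str) -> str:
    """Build the token endpoint, refusing cleartext transport for the secret."""
    parts = urllib.parse.urlsplit(api_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("token endpoint must be an absolute https URL")
    return api_url.rstrip("/") + TOKEN_PATH


def build_token_request(api_url, client_id, client_secret):
    """RFC 6749 section 4.4 request: form body, client authenticated via HTTP Basic."""
    q = urllib.parse.quote_plus  # credentials are form-encoded before Basic (section 2.3.1)
    basic = base64.b64encode(f"{q(client_id)}:{q(client_secret)}".encode())
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(token_url(api_url), data=body, method="POST",
        headers={"Authorization": "Basic " + basic.decode(),
                 "Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw: bytes, now: float, skew: int = 30):
    """Return (access_token, refresh_deadline); reject anything but a bearer token."""
    data = json.loads(raw)
    if str(data.get("token_type", "")).lower() != "bearer" or not data.get("access_token"):
        raise ValueError("not a bearer token response")
    return data["access_token"], now + max(int(data.get("expires_in", 0)) - skew, 0)


class TokenCache:
    """Fetch a token once and reuse it until shortly before it expires."""

    def __init__(self, api_url, client_id, client_secret, send=None, clock=time.time):
        self._args = (api_url, client_id, client_secret)
        self._send = send or (lambda req: urllib.request.urlopen(req, timeout=10).read())
        self._clock, self._token, self._deadline = clock, None, 0.0

    def get(self) -> str:
        if self._token is None or self._clock() >= self._deadline:
            raw = self._send(build_token_request(*self._args))
            self._token, self._deadline = parse_token_response(raw, self._clock())
        return self._token
```

A server that expects `client_id` and `client_secret` in the form body instead of the `Authorization` header needs only `build_token_request` changed.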