Authenticate Accounts via OpenID Connect
Note
OpenID Connect Authentication is a Flower Enterprise feature. See Flower Enterprise for details.
In this guide, you’ll learn how to configure SuperLink with account-level authentication
and authorization, and how to log in using the flwr CLI. Once logged in, any Flower
accounts that are authorized on the SuperLink can run Flower CLI commands that interact
with the SuperLink.
Important
With account authentication and authorization enabled, only accounts that have
submitted the flwr run command can view and interact with their runs. This means
that your runs are private by default, ensuring that only authorized accounts
can access them.
Prerequisites
To enable account authentication and authorization, the SuperLink must be deployed with
an OpenID Connect (OIDC) provider and an OpenFGA server. The OIDC provider is used for
account authentication, while OpenFGA is used for fine-grained access control. This means
an authenticated account can only run flwr CLI commands on the SuperLink if they have
been granted the necessary permissions by the SuperLink administrator. When enabled,
both account authentication and authorization must be configured on the SuperLink.
Login to the SuperLink
Once a SuperLink with account authentication and authorization is up and running, an
account can interface with it after installing the flwr PyPI package via the Flower
CLI. Then, ensure that the enable-account-auth field is set to true in the federation
section in the pyproject.toml of the Flower app you want to run:
[tool.flwr.federations]
default = "my-federation"
[tool.flwr.federations.my-federation]
address = "<SUPERLINK-ADDRESS>:9093" # Address of the SuperLink Control API
root-certificates = "<PATH/TO/ca.crt>" # TLS certificate set for the SuperLink. Required for self-signed certificates.
enable-account-auth = true # Enables the account auth mechanism on the `flwr` CLI side
Note
Account authentication and authorization is only supported with TLS connections.
Now, you need to log in first before other CLI commands can be executed. Upon executing
flwr login, a URL will be returned by the authentication plugin in the SuperLink.
Click on it and authenticate directly against the OIDC provider.
flwr login [APP] [FEDERATION]
Loading project configuration...
Success
Creating a new `.gitignore` with `.credentials` entry...
Please login with your account credentials here: https://account.flower.ai/realms/flower/device?user_code=...
# [... follows URL and logs in ... in the meantime the CLI will wait ...]
✅ Login successful.
Once the login is successful, the credentials returned by the OIDC provider via the
SuperLink will be saved to the app’s directory under
.flwr/.credentials/<federation-name>.json. The tokens stored in this file will be
sent transparently with each subsequent flwr CLI request to the SuperLink, and it
will relay them to the OIDC provider to perform the authentication checks.
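
Because the token file described above is sent with every CLI request, it is worth auditing how it is stored. The following is an added example, not part of the Flower documentation or code base: it checks that files under .flwr/.credentials are accessible only to their owner and that a .gitignore entry covers .credentials. The function names, the sample JSON content and the two .gitignore locations it looks in are assumptions.

```python
import stat
import tempfile
from pathlib import Path


def audit_flwr_credentials(app_dir):
    """Return findings for token files under <app_dir>/.flwr/.credentials."""
    app = Path(app_dir)
    cred_dir = app / ".flwr" / ".credentials"
    token_files = sorted(cred_dir.glob("*.json")) if cred_dir.is_dir() else []
    findings = []
    if not token_files:
        return findings  # nothing stored, nothing to audit

    # Assumption: the .gitignore written by `flwr login` sits in the app
    # directory or in .flwr/; a ".credentials" entry in either is accepted.
    ignored = False
    for gi in (app / ".gitignore", app / ".flwr" / ".gitignore"):
        if gi.is_file():
            entries = {ln.strip().strip("/") for ln in gi.read_text().splitlines()}
            ignored = ignored or ".credentials" in entries
    if not ignored:
        findings.append("no .gitignore entry covers .credentials")

    # Any group/other permission bit lets another local user reach the tokens.
    for f in token_files:
        mode = stat.S_IMODE(f.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{f.name}: mode {mode:o} accessible beyond owner")
    return findings


def demo():
    """Audit a constructed app directory before and after hardening."""
    with tempfile.TemporaryDirectory() as tmp:
        cred_dir = Path(tmp) / ".flwr" / ".credentials"
        cred_dir.mkdir(parents=True)
        token = cred_dir / "my-federation.json"
        token.write_text('{"access_token": "CONSTRUCTED-SAMPLE"}')  # constructed
        token.chmod(0o644)  # weak: world-readable, no .gitignore yet
        before = audit_flwr_credentials(tmp)
        token.chmod(0o600)  # hardened: owner-only, ignored by git
        (Path(tmp) / ".flwr" / ".gitignore").write_text(".credentials\n")
        after = audit_flwr_credentials(tmp)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Run audit_flwr_credentials against a real app directory on shared workstations or CI runners, where a readable or committed token file would let another account act on the SuperLink as you.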