Skip to content

[Auth] Fix token request handling in DynamicTokenProvider [feature/ig4-authentication] #8584

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
moranbental merged 2 commits into from
Sep 9, 2025
Merged

[Auth] Fix token request handling in DynamicTokenProvider [feature/ig4-authentication] #8584

moranbental merged 2 commits into from
Sep 9, 2025

Conversation

@moranbental
Copy link
Member

@moranbental moranbental commented Sep 8, 2025
edited
Loading

📝 Description

Fix token request handling in DynamicTokenProvider.
Previously, all requests used data=request_body, which broke flows that require application/json.
Now, each subclass specifies the correct request format, and requests respect the configured SSL verification.

🛠️ Changes Made

Refactored DynamicTokenProvider.fetch_token to support both data and json payloads.
Added mlrun.mlconf.httpdb.http.verify to enforce SSL verification for all token requests.

✅ Checklist

  • I updated the documentation (if applicable)
  • I have tested the changes in this PR

🧪 Testing

Tested on IG4 system

🔗 References

  • Ticket link:
  • Design docs links:
  • External links:

🚨 Breaking Changes?

  • Yes (explain below)
  • No

@moranbental moranbental requested a review from liranbg as a code owner September 8, 2025 13:49
@moranbental moranbental requested review from rokatyy and removed request for liranbg September 8, 2025 13:49
rokatyy
rokatyy approved these changes Sep 8, 2025
View reviewed changes
Copy link
Member

@rokatyy rokatyy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch! Minor suggestion

@moranbental moranbental merged commit c93f7b2 into mlrun:feature/ig4-authentication Sep 9, 2025
13 checks passed
@moranbental moranbental deleted the providers branch September 9, 2025 05:50
moranbental added a commit to moranbental/mlrun that referenced this pull request Oct 15, 2025
@moranbental
[Auth] Fix token request handling in DynamicTokenProvider [feature/ig…
147c72d 
…4-authentication] (mlrun#8584)

### 📝 Description
<!-- A short summary of what this PR does. -->
<!-- Include any relevant context or background information. -->
Fix token request handling in DynamicTokenProvider.
Previously, all requests used `data=request_body`, which broke flows
that require `application/json`.
Now, each subclass specifies the correct request format, and requests
respect the configured SSL verification.

---

### 🛠️ Changes Made
<!-- - Key changes (e.g., added feature X, refactored Y, fixed Z) -->
Refactored `DynamicTokenProvider.fetch_token` to support both data and
json payloads.
Added `mlrun.mlconf.httpdb.http.verify` to enforce SSL verification for
all token requests.

---

### ✅ Checklist
- [ ] I updated the documentation (if applicable)
- [x] I have tested the changes in this PR

---

### 🧪 Testing
<!-- - How it was tested (unit tests, manual, integration) -->  
<!-- - Any special cases covered. -->  
Tested on IG4 system

---

### 🔗 References
- Ticket link:
- Design docs links:
- External links:

---

### 🚨 Breaking Changes?

- [ ] Yes (explain below)
- [x] No

<!-- If yes, describe what needs to be changed downstream: -->
@moranbental moranbental mentioned this pull request Oct 16, 2025
Merged
6 tasks
liranbg pushed a commit that referenced this pull request Nov 3, 2025
@moranbental @rokatyy @elbamit
[Authentication] Allow authentication against IG4 (#8724)
aca1350 
### 📝 Description
<!-- A short summary of what this PR does. -->
<!-- Include any relevant context or background information. -->
This PR introduces support for MLRun authentication with IG4.
It rebases the `feature/ig4-authentication` branch onto `development`

This PR includes the following PRs:

1. #8345
2. #8370
3.  #8366
4. #8388
5. #8440
6. #8408
7. #8466
8. #8471
9. #8443
10. #8484
11. #8498
12. #8574
13. #8529
14. #8584
15. #8588
16. #8589
17. #8567
18. #8623
19. #8612
20. #8514
21. #8626
22. #8632
23. #8633
24. #8667
25. #8668
26. #8674
27. #8780
28. #8754
29. #8796
30. #8811
---

### 🛠️ Changes Made
<!-- - Key changes (e.g., added feature X, refactored Y, fixed Z) -->
To enable IG4 project authorization, set the following configs in mlrun
api:

```
MLRUN_HTTPDB__AUTHENTICATION__MODE: iguazio-v4
MLRUN_HTTPDB__AUTHENTICATION__IGUAZIO__SESSION_VERIFICATION_ENDPOINT: v1/identity/self
MLRUN_IGUAZIO_API_URL: http://igz-api:8000
```

Before importing MLRun, you must set:
```
MLRUN_AUTH_WITH_OAUTH_TOKEN__ENABLED=true
MLRUN_AUTH_TOKEN_ENDPOINT="https://igz-api.<namespace>.<system-domain>/api/v1/refresh-access-token"
```

---

### ✅ Checklist
- [x] I updated the documentation (if applicable)
- [x] I have tested the changes in this PR
- [ ] If I introduced a deprecation:
  - [ ] I followed the [Deprecation Guidelines](./DEPRECATION.md)
  - [ ] I updated the relevant Jira ticket for documentation

---

### 🧪 Testing
<!-- - How it was tested (unit tests, manual, integration) -->  
<!-- - Any special cases covered. -->  
Tested on IG4 system + unit tests

---

### 🔗 References
- Ticket link: https://iguazio.atlassian.net/browse/ML-9683,
https://iguazio.atlassian.net/browse/ML-9870,
https://iguazio.atlassian.net/browse/ML-9998
- Design docs links:
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/399179866/Support+IG4+Authentication+in+MLRun+AuthVerifier+HLD,
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/411960071/Support+sdk-side+IG4+authentication+-+token+usage+and+management+HLD,
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/404521061/BE+Secret+Token+Support+HLD,
- External links:
https://iguazio.atlassian.net/wiki/spaces/ARC/pages/361103361/MLRun+Secret+Tokens+in+IG4

---

### 🚨 Breaking Changes?

- [x] Yes (explain below)
- [] No

Removed unused API endpoints `- POST /api/v1/user-secrets` which was not
in used

---

### 🔍️ Additional Notes


How to enable IG4 authentication -
https://iguazio.atlassian.net/wiki/spaces/PLAT/pages/457671097/Enable+IG4+Authentication+in+MLRun

---------

Co-authored-by: Katerina Molchanova <[email protected]>
Co-authored-by: Amit Elbaz <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rokatyy rokatyy rokatyy approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@moranbental @rokatyy