Skip to content

[User Secrets] Revoke token by sending the request header [feature/ig4-authentication] #8667

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
liranbg merged 2 commits into from
Sep 29, 2025
Merged

[User Secrets] Revoke token by sending the request header [feature/ig4-authentication] #8667

liranbg merged 2 commits into from
Sep 29, 2025

Conversation

@moranbental
Copy link
Member

@moranbental moranbental commented Sep 29, 2025
edited
Loading

📝 Description

When attempting to call revoke_offline_token in Iguazio, it fails with the error:
No authentication is available, login required when trying to revoke token.
This happens because the request requires passing the access token from the request headers to Iguazio.

🛠️ Changes Made

  1. Call set_override_auth_headers before revoking the token in Iguazio using the request headers.
  2. Bump the Iguazio package to 0.0.1a12.

✅ Checklist

  • I updated the documentation (if applicable)
  • I have tested the changes in this PR

🧪 Testing

Tested on my ig4 system

🔗 References

🚨 Breaking Changes?

  • Yes (explain below)
  • No

🔍️ Additional Notes

@moranbental moranbental requested review from a team and liranbg as code owners September 29, 2025 11:33
@moranbental moranbental changed the title [User secrets] Revoke token by sending the request header [ig4-authentication] [User Secrets] Revoke token by sending the request header [feature/ig4-authentication] Sep 29, 2025
quaark
quaark requested changes Sep 29, 2025
View reviewed changes
Copy link
Member

@quaark quaark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Just add a UT for the case where we do provide the request headers

@moranbental moranbental requested a review from quaark September 29, 2025 12:45
@liranbg liranbg merged commit 0981fad into mlrun:feature/ig4-authentication Sep 29, 2025
13 checks passed
@moranbental moranbental deleted the revoke branch September 30, 2025 06:29
moranbental added a commit to moranbental/mlrun that referenced this pull request Oct 15, 2025
@moranbental
[User Secrets] Revoke token by sending the request header [feature/ig…
4e2c25e 
…4-authentication] (mlrun#8667)

### 📝 Description
<!-- A short summary of what this PR does. -->
<!-- Include any relevant context or background information. -->
When attempting to call `revoke_offline_token` in Iguazio, it fails with
the error:
`No authentication is available, login required when trying to revoke
token.`
This happens because the request requires passing the access token from
the request headers to Iguazio.

---

### 🛠️ Changes Made
<!-- - Key changes (e.g., added feature X, refactored Y, fixed Z) -->

1. Call `set_override_auth_headers` before revoking the token in Iguazio
using the request headers.
2. Bump the Iguazio package to 0.0.1a12.

---

### ✅ Checklist
- [x] I updated the documentation (if applicable)
- [x] I have tested the changes in this PR

---

### 🧪 Testing
<!-- - How it was tested (unit tests, manual, integration) -->  
<!-- - Any special cases covered. -->  
Tested on my ig4 system 

---

### 🔗 References
- Ticket link: https://iguazio.atlassian.net/browse/ML-11075
- Design docs links:
- External links:

---

### 🚨 Breaking Changes?

- [ ] Yes (explain below)
- [x] No

<!-- If yes, describe what needs to be changed downstream: -->

---

### 🔍️ Additional Notes
<!-- Anything else reviewers should know (follow-up tasks, known issues,
affected areas etc.). -->
<!-- ### 📸 Screenshots / Logs -->
@moranbental moranbental mentioned this pull request Oct 16, 2025
Merged
6 tasks
liranbg pushed a commit that referenced this pull request Nov 3, 2025
@moranbental @rokatyy @elbamit
[Authentication] Allow authentication against IG4 (#8724)
aca1350 
### 📝 Description
<!-- A short summary of what this PR does. -->
<!-- Include any relevant context or background information. -->
This PR introduces support for MLRun authentication with IG4.
It rebases the `feature/ig4-authentication` branch onto `development`

This PR includes the following PRs:

1. #8345
2. #8370
3.  #8366
4. #8388
5. #8440
6. #8408
7. #8466
8. #8471
9. #8443
10. #8484
11. #8498
12. #8574
13. #8529
14. #8584
15. #8588
16. #8589
17. #8567
18. #8623
19. #8612
20. #8514
21. #8626
22. #8632
23. #8633
24. #8667
25. #8668
26. #8674
27. #8780
28. #8754
29. #8796
30. #8811
---

### 🛠️ Changes Made
<!-- - Key changes (e.g., added feature X, refactored Y, fixed Z) -->
To enable IG4 project authorization, set the following configs in mlrun
api:

```
MLRUN_HTTPDB__AUTHENTICATION__MODE: iguazio-v4
MLRUN_HTTPDB__AUTHENTICATION__IGUAZIO__SESSION_VERIFICATION_ENDPOINT: v1/identity/self
MLRUN_IGUAZIO_API_URL: http://igz-api:8000
```

Before importing MLRun, you must set:
```
MLRUN_AUTH_WITH_OAUTH_TOKEN__ENABLED=true
MLRUN_AUTH_TOKEN_ENDPOINT="https://igz-api.<namespace>.<system-domain>/api/v1/refresh-access-token"
```

---

### ✅ Checklist
- [x] I updated the documentation (if applicable)
- [x] I have tested the changes in this PR
- [ ] If I introduced a deprecation:
  - [ ] I followed the [Deprecation Guidelines](./DEPRECATION.md)
  - [ ] I updated the relevant Jira ticket for documentation

---

### 🧪 Testing
<!-- - How it was tested (unit tests, manual, integration) -->  
<!-- - Any special cases covered. -->  
Tested on IG4 system + unit tests

---

### 🔗 References
- Ticket link: https://iguazio.atlassian.net/browse/ML-9683,
https://iguazio.atlassian.net/browse/ML-9870,
https://iguazio.atlassian.net/browse/ML-9998
- Design docs links:
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/399179866/Support+IG4+Authentication+in+MLRun+AuthVerifier+HLD,
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/411960071/Support+sdk-side+IG4+authentication+-+token+usage+and+management+HLD,
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/404521061/BE+Secret+Token+Support+HLD,
- External links:
https://iguazio.atlassian.net/wiki/spaces/ARC/pages/361103361/MLRun+Secret+Tokens+in+IG4

---

### 🚨 Breaking Changes?

- [x] Yes (explain below)
- [] No

Removed unused API endpoints `- POST /api/v1/user-secrets` which was not
in used

---

### 🔍️ Additional Notes


How to enable IG4 authentication -
https://iguazio.atlassian.net/wiki/spaces/PLAT/pages/457671097/Enable+IG4+Authentication+in+MLRun

---------

Co-authored-by: Katerina Molchanova <[email protected]>
Co-authored-by: Amit Elbaz <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@quaark quaark quaark approved these changes

@liranbg liranbg Awaiting requested review from liranbg

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@moranbental @quaark @liranbg