OpenID Connect Authentication Example

This section describes how to enable OpenID Connect authentication in Driverless AI.

Note: The Driverless AI Python and R clients are not compatible with the OpenID Connect authentication method. Enable OpenID Connect through the UI only, or use a different authentication method is recommended if you plan to connect to DAI using the R or Python clients.

The OpenID Connect Protocol

OpenID Connect follows a distinct protocol during the authentication process:

  1. A request is sent from the client (RP) to the OpenID provider (OP).

  2. The OP authenticates the end user and obtains authorization.

  3. The OP responds with an ID Token. (An Access Token is usually provided as well.)

  4. The Relying Party (RP) can send a request with the Access Token to the UserInfo Endpoint.

  5. The UserInfo Endpoint returns Claims about the End User.

Refer to the OpenID Connect Basic Client Implementer’s Guide for more information: https://openid.net/specs/openid-connect-basic-1_0.html

Understanding the Well-Known Endpoint

In order to begin the process of configuring Driverless AI for OpenID-based authentication, the end user must retrieve OpenID Connect metadata about their authorization server by requesting information from the well-known endpoint. This information is subsequently used to configure further interactions with the provider.

The well-known endpoint is typically configured as follows:

https://yourOpenIDProviderHostname/.well-known/openid-configuration

Open ID Configuration Options

Set the following options in the config.toml file for enabling OpenID-based authentication.

# The OpenID server URL. (Ex: https://oidp.ourdomain.com) Do not end with a "/"
auth_openid_provider_base_uri= "https://yourOpenIDProviderHostname"

# The uri to pull OpenID config data from. (You can extract most of required OpenID config from this URL.)
# Usually located at: /auth/realms/master/.well-known/openid-configuration

# Quote method from urllib.parse used to encode payload dict in Authentication Request
auth_openid_urlencode_quote_via="quote"

# These endpoints are made available by the well-known endpoint of the OpenID provider
# All endpoints should start with a "/"
auth_openid_auth_uri=""
auth_openid_token_uri=""
auth_openid_userinfo_uri=""
auth_openid_logout_uri=""

# In most cases, these values are usually 'code' and 'authorization_code' (as shown below)
# Supported values for response_type and grant_type are listed in the response of well-known endpoint
auth_openid_response_type="code"
auth_openid_grant_type="authorization_code"

# Scope values—supported values are available in the response from the well-known endpoint
# 'openid' is required
# Additional scopes may be necessary if the response to the userinfo request
# does not include enough information to use for authentication
# Separate additional scopes with a blank space.
# See https://openid.net/specs/openid-connect-basic-1_0.html#Scopes for more info
auth_openid_scope="openid"

# The OpenID client details that are available from the provider
# A new client for Driverless AI in your OpenID provider must be created if one does not already exist
auth_openid_client_id=""
auth_openid_client_secret=""

# Sample redirect value: http[s]://driverlessai-server-address:port/openid/callback
# Ensure that the client configuration in the OpenID provider (see previous step) includes
# this exact URL as one of the possible redirect URLs for the client
# If these do not match, the OpenID connection will fail
auth_openid_redirect_uri=""

# Token endpoint response key configs
auth_openid_access_token_expiry_key="expires_in"
auth_openid_refresh_token_expiry_key="refresh_expires_in"

# UserInfo response key configs for all users who log in to Driverless AI
# The userinfo_auth_key and userinfi_auth_value are
# a key value combination in the userinfo response that remain static for everyone
# If this key value pair does not exist in the user_info response,
# then the Authentication is considered failed
auth_openid_userinfo_auth_key=""
auth_openid_userinfo_auth_value=""

# Key that specifies username in user_info json (we will use value of this key as username in Driverless AI)
auth_openid_userinfo_username_key=""

# Enable advanced matching for OpenID authentication
# When enabled, the ObjectPath expression is used to evaluate the user's identity
# Disabled by default
# For more information, refer to http://objectpath.org/
auth_openid_use_objectpath_match=false

# Set the ObjectPath expression
# Used to evaluate whether a user is allowed to login to Driverless AI
# The user is allowed to log in when the expression evaluates to True
# Examples:
# $.our_claim is "our_value" (simple claim equality)
# "expected_role" in @.roles (list of claims contains required value)
auth_openid_use_objectpath_expression=""

Enabling OpenID Connect

The examples that follow describe how to start Driverless AI in the Docker image and with native installs after OpenID has been configured.

Enabling OpenID Connect in Docker Images

  1. Edit the OpenID configuration options in your config.toml file as described in the Open ID Configuration Options section.

  2. Mount the edited config.toml file into the Docker container. Replace TAG below with your Driverless AI tag.

nvidia-docker run \
  --net=openid-network \
  --name="dai-with-openid" \
  --pid=host \
  --init \
  --rm \
  --shm-size=256m \
  -u `id -u`:`id -g` \
  -p 12345:12345 \
  -v "`pwd`/DAI_DATA/data":/data \
  -v "`pwd`/DAI_DATA/log":/log \
  -v "`pwd`/DAI_DATA/license":/license \
  -v "`pwd`/DAI_DATA/tmp":/tmp \
  -v "`pwd`/DAI_DATA/config":/config \
  -e DRIVERLESS_AI_CONFIG_FILE="/config/config.toml" \
  h2oai/dai-centos7-x86_64:TAG

The next step is to launch and log in to Driverless AI. Refer to Logging in to Driverless AI.

Enabling OpenID Connect in Native Installs

  1. Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:

# DEB and RPM
export DRIVERLESS_AI_CONFIG_FILE="/etc/dai/config.toml"

# TAR SH
export DRIVERLESS_AI_CONFIG_FILE="/path/to/your/unpacked/dai/directory/config.toml"

  1. Edit the OpenID configuration properties in the config.toml file as described in the Open ID Configuration Options section.

  2. Start (or restart) Driverless AI.

The next step is to launch and log in to Driverless AI. Refer to Logging in to Driverless AI.

Logging in to Driverless AI

Open a browser and launch Driverless AI. Notice the you will be prompted to log in with OpenID.

_images/auth_openid_launchdai.png