Skip to main content
Version: Next

OIDC Token-based Authentication

This page describes how to configure the OIDC token-based authentication security option for a new deployment.

note

This security option requires the following additional configuration when deploying H2O MLOps:

  • To enable this option, update securityOptions.activated in the values.yaml file (charts/mlops/values.yaml) to include the value AUTHORIZATION_PROTOCOL_OIDC in the list:

    securityOptions:
    activated:
    - .......
    - "AUTHORIZATION_PROTOCOL_OIDC"
    - .......
  • Set the deployer.config.securityProxy.oidcIssuers (OIDC issuer-related values) in the values.yaml file, including the OIDC issuer URL and TLS credentials.

Import Modules

import time

import httpx

import h2o_mlops
from h2o_authn import TokenProvider
from h2o_mlops.options import SecurityOptions
REFRESH_TOKEN       = "<REFRESH_TOKEN>"
CLIENT_ID = "<CLIENT_ID>"
TOKEN_ENDPOINT_URL = "<TOKEN_ENDPOINT_URL>"
GATEWAY_URL = "<GATEWAY_URL>"
DATA_DIR = "<DATA_DIR>"

Connect to H2O MLOps

token_provider = TokenProvider(
refresh_token=REFRESH_TOKEN,
client_id=CLIENT_ID,
token_endpoint_url=TOKEN_ENDPOINT_URL,
)

mlops = h2o_mlops.Client(
gateway_url=GATEWAY_URL,
token_provider=token_provider,
)

Create a New Deployment with Security Options

  1. Prepare everything you need to create a deployment.

    project = mlops.projects.create(name="demo")

    experiment = project.experiments.create(
    data=f"{DATA_DIR}/mojo.zip",
    name="experiment-from-client"
    )
    model = project.models.create(name="model-from-client")
    model.register(experiment=experiment)

    environment = project.environments.list(name="DEV")[0]

    scoring_runtime = mlops.runtimes.scoring.list(
    artifact_type="dai_mojo_pipeline",
    uid="dai_mojo_runtime",
    )[0]
  2. Define a SecurityOptions for OIDC token-based authentication.

    security_options = SecurityOptions(
    oidc_token_auth=True,
    )
  3. Deploy using the security_options argument.

    deployment = environment.deployments.create_single(
    name="deployment-from-client",
    model=model,
    scoring_runtime=scoring_runtime,
    security_options=security_options,
    )

    while not deployment.is_healthy():
    deployment.raise_for_failure()
    time.sleep(5)

    print(deployment.security_options)

Output:

passphrase: None
hashed_passphrase: None
oidc_token_auth: True

Score Against the Newly Created Deployment

You can score against the newly created deployment that is configured with the OIDC token-based authentication security option. However, an access token must be supplied in the Authorization header in the form Authorization: Bearer <token>.

access_token = token_provider()
response = httpx.post(
url=deployment.url_for_scoring,
json=deployment.get_sample_request(
auth_value=access_token,
),
headers={
"Authorization": f"Bearer {access_token}",
},
)

response.json()

Output:

{'id': '268b2733-9f51-48f1-9a4f-70b06ba35d08',
'fields': ['default payment next month.0', 'default payment next month.1'],
'score': [['0.7441956', '0.25580445']]}

Cleanup

for p in mlops.projects.list(name="demo"):
p.delete()

Feedback