OIDC Token-based Authentication
This page describes how to configure the OIDC token-based authentication security option for a new deployment.
This security option requires the following additional configuration when deploying H2O MLOps:
- To enable this option, update securityOptions.activated in the values.yaml file (charts/mlops/values.yaml) to include the value AUTHORIZATION_PROTOCOL_OIDC in the list:

  securityOptions:
    activated:
      - .......
      - "AUTHORIZATION_PROTOCOL_OIDC"
      - .......
- Set the deployer.config.securityProxy.oidcIssuers (OIDC issuer-related values) in the values.yaml file, including the OIDC issuer URL and TLS credentials.
Import Modules
import time
import httpx
import h2o_mlops
from h2o_authn import TokenProvider
from h2o_mlops.options import SecurityOptions
REFRESH_TOKEN       = "<REFRESH_TOKEN>"
CLIENT_ID           = "<CLIENT_ID>"
TOKEN_ENDPOINT_URL  = "<TOKEN_ENDPOINT_URL>"
GATEWAY_URL         = "<GATEWAY_URL>"
DATA_DIR            = "<DATA_DIR>"
Connect to H2O MLOps
token_provider = TokenProvider(
    refresh_token=REFRESH_TOKEN,
    client_id=CLIENT_ID,
    token_endpoint_url=TOKEN_ENDPOINT_URL,
)
mlops = h2o_mlops.Client(
    gateway_url=GATEWAY_URL,
    token_provider=token_provider,
)
Create a New Deployment with Security Options
- Prepare everything you need to create a deployment.

  project = mlops.projects.create(name="demo")
  experiment = project.experiments.create(
      data=f"{DATA_DIR}/mojo.zip",
      name="experiment-from-client"
  )
  model = project.models.create(name="model-from-client")
  model.register(experiment=experiment)
  environment = project.environments.list(name="DEV")[0]
  scoring_runtime = mlops.runtimes.scoring.list(
      artifact_type="dai_mojo_pipeline",
      uid="dai_mojo_runtime",
  )[0]
- Define a SecurityOptions for OIDC token-based authentication.

  security_options = SecurityOptions(
      oidc_token_auth=True,
  )
- Deploy using the security_options argument.

  deployment = environment.deployments.create_single(
      name="deployment-from-client",
      model=model,
      scoring_runtime=scoring_runtime,
      security_options=security_options,
  )
  while not deployment.is_healthy():
      deployment.raise_for_failure()
      time.sleep(5)
  print(deployment.security_options)
Output:
passphrase: None
hashed_passphrase: None
oidc_token_auth: True
Score Against the Newly Created Deployment
You can score against the newly created deployment that is configured with the OIDC token-based authentication security option. However, an access token must be supplied in the Authorization header in the form Authorization: Bearer <token>.
access_token = token_provider()
response = httpx.post(
    url=deployment.url_for_scoring,
    json=deployment.get_sample_request(
        auth_value=access_token,
    ),
    headers={
        "Authorization": f"Bearer {access_token}",
    },
)
response.json()
Output:
{'id': '268b2733-9f51-48f1-9a4f-70b06ba35d08',
 'fields': ['default payment next month.0', 'default payment next month.1'],
 'score': [['0.7441956', '0.25580445']]}
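A preflight check for the token sent in the Authorization header above, as an added example that is not part of the H2O MLOps documentation or client: it decodes the access token's claims without verifying the signature (diagnostics only) and compares iss and exp against the issuer URL configured in oidcIssuers. It assumes the identity provider issues JWT access tokens; the function names and the sample issuer URL are hypothetical.

```python
import base64
import json
import time


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(token, expected_issuer, now=None, min_ttl=30):
    """Return a list of reasons the token is likely to be rejected (empty if none)."""
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    problems = []
    # OIDC compares issuer identifiers exactly, so a trailing slash is a mismatch.
    iss = claims.get("iss")
    if iss != expected_issuer:
        problems.append(f"issuer mismatch: token has {iss!r}, expected {expected_issuer!r}")
    exp = claims.get("exp")
    if exp is None:
        problems.append("token has no exp claim")
    elif exp - now < min_ttl:
        problems.append(f"token expires in {int(exp - now)}s; fetch a fresh one")
    return problems


def make_sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string for offline testing."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    issuer = "https://idp.example.com/realms/demo"  # hypothetical issuer URL
    sample = make_sample_token({"iss": issuer, "exp": int(time.time()) + 300})
    # With a real deployment, pass token_provider() instead of the sample token.
    print(preflight(sample, issuer) or "token looks usable")
    print(preflight(sample, issuer + "/"))  # trailing slash: issuer mismatch
```

An empty result only means the claims look consistent; the deployment still performs the actual signature and issuer validation.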
Cleanup
for p in mlops.projects.list(name="demo"):
    p.delete()