Consolidate MLflow + Airflow auth into shared OIDC provider #85

Open
opened 2026-04-17 07:59:16 +00:00 by alvis · 0 comments
Owner

Context

MLflow (at o.alogins.net/mlflow) and Airflow (at o.alogins.net/airflow) currently use their own built-in auth modules:

  • MLflow: built-in basic-auth (--app-name basic-auth)
  • Airflow: built-in web UI auth (FAB)

When M3 migrates from Auth.js to a dedicated OIDC provider (ADR-0004), both MLOps services should become OIDC clients for single sign-on.

Tasks

  • Configure MLflow to accept tokens from the shared OIDC provider (OAuth2 proxy sidecar or MLflow OIDC plugin)
  • Configure Airflow to use OIDC/OAuth2 for authentication (AUTH_TYPE = AUTH_OAUTH in FAB config)
  • Remove per-service password management; users log in once via the shared provider
  • Update Caddy if an OAuth2 proxy layer is added in front of either service
  • Update infra/mlflow/basic_auth.ini — disable or remove once OIDC is active

Notes

  • ADR-0004 governs the OIDC provider choice — do not implement until that ADR resolves
  • Airflow FAB supports AUTH_OAUTH natively; MLflow may require an OAuth2 proxy (e.g. oauth2-proxy) as a sidecar
  • Blocked by: OIDC provider setup (M3 core work)
alvis added this to the M3 — Mobile & notifications milestone 2026-04-17 07:59:16 +00:00
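
An added example, not part of the issue or the project's code: a sketch of the Airflow `webserver_config.py` that the `AUTH_TYPE = AUTH_OAUTH` task points at, plus the claim-to-user mapping that a custom security manager's `get_oauth_user_info()` would return for a provider FAB has no built-in handler for. The issuer URL, client id, provider label, group names, the `groups` claim and the environment variable names are assumptions, since ADR-0004 has not chosen the provider.

```python
import os

try:
    from flask_appbuilder.const import AUTH_OAUTH
except ImportError:   # lets the file be checked on a machine without FAB installed
    AUTH_OAUTH = 4    # value of flask_appbuilder.const.AUTH_OAUTH

# Placeholder issuer: the real one depends on the ADR-0004 decision.
OIDC_ISSUER = os.environ.get("OIDC_ISSUER", "https://idp.example.invalid")

AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True            # create the Airflow user on first SSO login
AUTH_USER_REGISTRATION_ROLE = "Public"   # least privilege when no group matches
AUTH_ROLES_SYNC_AT_LOGIN = True          # group changes at the IdP apply at next login
AUTH_ROLES_MAPPING = {                   # IdP group -> Airflow roles (constructed names)
    "mlops-admins": ["Admin"],
    "mlops-users": ["User"],
}
OAUTH_PROVIDERS = [{
    "name": "shared-oidc",               # hypothetical provider label
    "icon": "fa-key",
    "token_key": "access_token",
    "remote_app": {
        "client_id": os.environ.get("AIRFLOW_OIDC_CLIENT_ID", "airflow"),
        "client_secret": os.environ.get("AIRFLOW_OIDC_CLIENT_SECRET", ""),  # never commit
        "server_metadata_url": OIDC_ISSUER + "/.well-known/openid-configuration",
        "client_kwargs": {"scope": "openid email profile groups"},
    },
}]


def userinfo_from_claims(claims):
    """Map verified ID-token claims to the user dict FAB consumes (role_keys feed AUTH_ROLES_MAPPING)."""
    if not claims.get("sub") or not claims.get("email"):
        raise ValueError("token lacks sub or email claim")
    if claims.get("email_verified") is not True:   # assumes the provider emits this claim
        raise ValueError("email not verified by the provider")
    groups = claims.get("groups") or []
    return {
        "username": claims["sub"],       # stable subject id, not a mutable display name
        "email": claims["email"],
        "first_name": claims.get("given_name", ""),
        "last_name": claims.get("family_name", ""),
        "role_keys": [g for g in groups if g in AUTH_ROLES_MAPPING],
    }
```

A user whose groups match nothing in `AUTH_ROLES_MAPPING` gets an empty `role_keys` list and therefore lands on `AUTH_USER_REGISTRATION_ROLE`.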
Reference: alvis/oO#85