Add PKCEAuthenticator implementation in Rust #2416
Draft
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Tracking issue
flyteorg/flyte#5344
Why are the changes needed?
To upgrade a gRPC channel to an authenticated one, we must obtain the credentials that will be attached to every gRPC call, similar to what the Flytekit Remote Client does.
There are several ways to achieve this goal, for example:
So we can narrow down our choices to the following approach:
Implement the OAuth flow in Rust, at least supporting the PKCE flow.
Here are some useful packages:
Moreover, even we can pass authenticated credentials from original Python authenticator into Rust channel, it seems much ado about nothing.
Because if we can't have a pure and lite gRPC client with authentication-included in Rust, It can be challenging for them to authenticate without a Python environment, If someone wants to only enable Rust remote in their Rust code.
Considering the two aforementioned options, we can still retain the ability to return authenticated credentials from Python and reimplement another new
oauth2
authenticator in Rust.What changes were proposed in this pull request?
How was this patch tested?
WIP
cargo run
executesauthenticator::PKCEAuthentication();
atsrc/main.py
.auth_url
by clicking a link (will open a new browser tab).access_token
.Setup process
You need to set up the external authentication provider, like Auth0
![Screenshot 2024-05-16 at 6 07 00 PM](https://private-user-images.githubusercontent.com/35886692/331158680-ad785063-ea6a-49af-aa05-52aed5708c88.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTkwMjYzMjAsIm5iZiI6MTcxOTAyNjAyMCwicGF0aCI6Ii8zNTg4NjY5Mi8zMzExNTg2ODAtYWQ3ODUwNjMtZWE2YS00OWFmLWFhMDUtNTJhZWQ1NzA4Yzg4LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA2MjIlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNjIyVDAzMTM0MFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWQ5ZjNkZTI5ZWQyNTg0OWQ5MjNmYTNmMjA3ZGI2M2E0M2QxNjgyZWQzZGIyNzNjNTdmYjIzMTk3ZjJhMTU5NmQmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.RFmwoEz2dYXuAMLbLWd27P7WxlO6XCQriColInbzcnw)
Screenshots
Check all the applicable boxes
Related PRs
Docs link