Jump to content

Connect SuperML | Leeroopedia MCP: Equip your AI agents with best practices, code verification, and debugging knowledge. Powered by Leeroo — building Organizational Superintelligence. Contact us at founders@leeroo.com.

Implementation:Kserve Kserve IAP Request Auth

From Leeroopedia
Knowledge Sources
Domains Authentication, Google Cloud Platform
Last Updated 2026-02-13 00:00 GMT

Overview

Concrete tool for making authenticated HTTP requests to KServe inference services behind GCP Identity-Aware Proxy (IAP) using desktop OAuth provided by the KServe sample code.

Description

This module implements an OAuth2 desktop authentication flow for accessing IAP-protected KServe endpoints on Google Cloud Platform. It provides the following key functions:

  • getToken() -- Orchestrates the full token acquisition flow: obtains a refresh token from desktop client credentials, then exchanges it for an ID token scoped to the IAP client.
  • getRefreshTokenFromClientId() -- Combines authorization code retrieval and refresh token exchange.
  • getAuthCode() -- Opens a browser tab to the Google OAuth consent screen and prompts the user to paste the authorization code.
  • getRefreshTokenFromCode() -- Exchanges an authorization code for a refresh token via the OAuth2 token endpoint.
  • idTokenFromRefreshToken() -- Exchanges a refresh token for an ID token targeted at the IAP audience.
  • makeRequest() -- Sends an authenticated GET or POST request to the KServe endpoint using the Bearer token, with optional input file data and user account headers.
  • main() -- CLI entry point that parses arguments (url, iap_client_id, desktop_client_id, desktop_client_secret, user_account, input file) and executes the flow.

Usage

Use this script from a desktop or CLI environment to authenticate against a GCP IAP-protected KServe inference service and make prediction requests.

Code Reference

Source Location

Signature

def getToken(iap_client_id, desktop_client_id, desktop_client_secret):
    ...

def getRefreshTokenFromClientId(desktop_client_id, desktop_client_secret):
    ...

def getAuthCode(client_id):
    ...

def getRefreshTokenFromCode(auth_code, client_id, client_secret):
    ...

def idTokenFromRefreshToken(client_id, client_secret, refresh_token, audience):
    ...

def makeRequest(url, input_file, user_account, id_token):
    ...

def main():
    ...

Import

from iap_request_auth import getToken, makeRequest

I/O Contract

Inputs

getToken()

Name Type Required Description
iap_client_id str Yes The OAuth client ID used to set up IAP
desktop_client_id str Yes The OAuth client ID for the desktop application
desktop_client_secret str Yes The OAuth client secret for the desktop application

makeRequest()

Name Type Required Description
url str Yes The full URL of the KServe inference endpoint
input_file str No Path to a file containing prediction input data (POST if provided, GET otherwise)
user_account str No The user email address for the x-goog-authenticated-user-email header
id_token str Yes The IAP ID token for Bearer authorization

idTokenFromRefreshToken()

Name Type Required Description
client_id str Yes OAuth client ID
client_secret str Yes OAuth client secret
refresh_token str Yes OAuth refresh token
audience str Yes Target audience (IAP client ID) for the ID token

Outputs

getToken()

Name Type Description
token str The ID token string for authenticating against IAP

makeRequest()

Name Type Description
(none) None Prints the response text to stdout; raises Exception on 403 or non-200 responses

Usage Examples

Basic Usage

from iap_request_auth import getToken, makeRequest

# Obtain an IAP ID token
id_token = getToken(
    iap_client_id="your-iap-client-id.apps.googleusercontent.com",
    desktop_client_id="your-desktop-client-id.apps.googleusercontent.com",
    desktop_client_secret="your-desktop-client-secret",
)

# Make an authenticated prediction request
makeRequest(
    url="https://your-kserve-endpoint.com/v1/models/my-model:predict",
    input_file="input.json",
    user_account="user@example.com",
    id_token=id_token,
)

CLI Usage

# Run from the command line:
# python iap_request_auth.py \
#     --url https://your-endpoint.com/v1/models/model:predict \
#     --iap_client_id YOUR_IAP_CLIENT_ID \
#     --desktop_client_id YOUR_DESKTOP_CLIENT_ID \
#     --desktop_client_secret YOUR_DESKTOP_SECRET \
#     --user_account user@example.com \
#     --input input.json

Related Pages

Page Connections

Double-click a node to navigate. Hold to expand connections.
Principle
Implementation
Heuristic
Environment
Retrieved from "https://leeroopedia.com/index.php?title=Implementation:Kserve_Kserve_IAP_Request_Auth&oldid=8088"