Implementation:Kserve Kserve Dex Auth
| Knowledge Sources | |
|---|---|
| Domains | Authentication, Istio Service Mesh |
| Last Updated | 2026-02-13 00:00 GMT |
Overview
Concrete tool for authenticating against a Dex identity provider protecting a Kubeflow/KServe endpoint and obtaining session cookies for inference requests provided by the KServe sample code.
Description
This module implements the get_istio_auth_session() function, which handles the complete authentication flow for Dex-protected Kubeflow/KServe endpoints. The function:
- Sends a GET request to the target URL and checks if a redirect occurs (indicating the endpoint is secured).
- If secured, follows redirects to find the Dex login URL, handling both
/authselection pages and direct/auth/xxxx/loginpaths. - Defaults to
staticPasswordsauthentication (with/auth/localpath) when multiple auth types are available. - POSTs the username and password credentials to the Dex login URL.
- Captures the resulting session cookies (including
authservice_session) for use in subsequent API calls.
The module also includes a __main__ block that demonstrates a complete flow: authenticate, extract cookies, and POST a prediction request to a KServe sklearn-iris model.
Usage
Use this function when you need programmatic access to KServe inference services deployed in Istio-Dex protected Kubeflow environments, providing username/password authentication to obtain session cookies.
Code Reference
Source Location
- Repository: Kserve_Kserve
- File: docs/samples/istio-dex/dex_auth.py
- Lines: 1-129
Signature
def get_istio_auth_session(url: str, username: str, password: str) -> dict:
"""
Determine if the specified URL is secured by Dex and try to obtain a session cookie.
WARNING: only Dex `staticPasswords` and `LDAP` authentication are currently supported
(we default to using `staticPasswords` if both are enabled)
:param url: Kubeflow server URL, including protocol
:param username: Dex `staticPasswords` or `LDAP` username
:param password: Dex `staticPasswords` or `LDAP` password
:return: auth session information
"""
...
Import
from dex_auth import get_istio_auth_session
I/O Contract
Inputs
get_istio_auth_session()
| Name | Type | Required | Description |
|---|---|---|---|
| url | str | Yes | Kubeflow server URL, including protocol (e.g., "http://localhost:8080") |
| username | str | Yes | Dex staticPasswords or LDAP username |
| password | str | Yes | Dex staticPasswords or LDAP password |
Outputs
get_istio_auth_session()
| Name | Type | Description |
|---|---|---|
| auth_session | dict | Dictionary containing: endpoint_url, redirect_url, dex_login_url, is_secured (bool), session_cookie (string of "key=value" pairs), authservice_session (cookie value) |
Usage Examples
Basic Usage
import requests
from dex_auth import get_istio_auth_session
KUBEFLOW_ENDPOINT = "http://localhost:8080"
KUBEFLOW_USERNAME = "user@example.com"
KUBEFLOW_PASSWORD = "12341234"
MODEL_NAME = "sklearn-iris"
SERVICE_HOSTNAME = "sklearn-iris.kubeflow-user-example-com.example.com"
# Authenticate with Dex
auth_session = get_istio_auth_session(
url=KUBEFLOW_ENDPOINT,
username=KUBEFLOW_USERNAME,
password=KUBEFLOW_PASSWORD,
)
# Use session cookies for prediction
cookies = {"authservice_session": auth_session["authservice_session"]}
jar = requests.cookies.cookiejar_from_dict(cookies)
iris_input = {"instances": [[6.8, 2.8, 4.8, 1.4], [6.0, 3.4, 4.5, 1.6]]}
res = requests.post(
url=f"{KUBEFLOW_ENDPOINT}/v1/models/{MODEL_NAME}:predict",
headers={"Host": SERVICE_HOSTNAME, "Content-Type": "application/json"},
cookies=jar,
json=iris_input,
timeout=200,
)
print(res.json())
Related Pages
Page Connections
Double-click a node to navigate. Hold to expand connections.
Principle
Implementation
Heuristic
Environment