
feat(auth): add pluggable authenticator support via registry and entry_points #3445

Merged
honnix merged 1 commit into flyteorg:master from honnix:honnix/pluggable-auth on Jun 22, 2026
@honnix honnix commented Jun 22, 2026

Member

Summary

Currently, flytekit's auth system only supports a fixed set of built-in authentication modes (PKCE, ClientSecret, ExternalCommand, DeviceFlow). Adding a new mode requires modifying flytekit core. This makes it impossible for downstream consumers to provide custom authenticators without forking or shelling out to external processes via ExternalCommand.

This PR makes the authenticator system extensible via two mechanisms:

  • Explicit registry: register_authenticator_plugin(name, factory) works in every environment (pip, Bazel, vendored mono-repos). This is the primary mechanism.
  • Entry_point discovery — plugins can register under the flytekit.auth entry_point group for automatic discovery in pip-installed environments.

When auth_mode is set to a value that doesn't match any built-in AuthType, get_authenticator() checks the explicit registry first, then falls back to entry_point discovery. Names are compared case-insensitively for consistency with the built-in auth mode handling.

Motivation

At Spotify we use GCP ID token auth with Flyte. Today this requires ExternalCommand mode shelling out to gcloud auth print-identity-token, which is slow and cannot run in parallel (gcloud's SQLite config database locks). A pluggable auth system lets us register an in-process authenticator using google-auth directly — no subprocess, no gcloud, fully parallel-safe.

Plugin contract

A callable (class or factory function) with the signature:

(PlatformConfig, ClientConfigStore) -> Authenticator

Usage

Explicit registration (Bazel / mono-repo):

from flytekit.clients.auth_helper import register_authenticator_plugin

register_authenticator_plugin("gcp_id_token", GcpIdTokenAuthenticator)

Entry_point (pip):

[project.entry-points."flytekit.auth"]
gcp_id_token = "my_package.auth:gcp_id_token_factory"

Config:

FLYTE_CREDENTIALS_AUTH_MODE=GCP_ID_TOKEN

Test plan

  • Existing auth tests pass (all built-in types unaffected)
  • Plugin loaded via entry_point
  • Plugin loaded via explicit registry
  • Registry takes precedence over entry_points
  • Unknown auth mode without plugin raises ValueError
  • Built-in auth types skip plugin lookup entirely
  • Case-insensitive matching for both registry and entry_points

🤖 Generated with Claude Code
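
The lookup order described in this PR, modelled as an added example (not flytekit's code and not written by the PR author). `BUILTIN_MODES` is a stand-in built from the mode names in the description, `resolve_plugin` and `audit` are hypothetical helpers, and `SAMPLE_EPS` is constructed. Because any installed distribution can declare a `flytekit.auth` entry point, the audit reports names that are ambiguous, shadowed by the explicit registry, or unreachable behind a built-in mode.

```python
from collections import defaultdict
from importlib.metadata import EntryPoint, entry_points

GROUP = "flytekit.auth"  # entry_point group named in the PR
# Stand-in for the built-in AuthType names listed in the PR description.
BUILTIN_MODES = {"PKCE", "CLIENTSECRET", "EXTERNALCOMMAND", "DEVICEFLOW"}
# Constructed sample: two packages claim one name, and one reuses a built-in name.
SAMPLE_EPS = [
    EntryPoint("gcp_id_token", "my_package.auth:gcp_id_token_factory", GROUP),
    EntryPoint("GCP_ID_TOKEN", "other_package.auth:factory", GROUP),
    EntryPoint("pkce", "other_package.auth:pkce", GROUP),
]

def installed_auth_entry_points():
    """Entry points that installed distributions declare under GROUP (Python 3.10+)."""
    return list(entry_points(group=GROUP))

def resolve_plugin(auth_mode, registry, eps):
    """Model of the described order: built-in, then registry, then entry_point.

    Returns (source, factory); factory is None for built-ins. Names compare
    case-insensitively. An entry point is imported (load()) only on a match.
    """
    wanted = auth_mode.upper()
    if wanted in BUILTIN_MODES:
        return ("builtin", None)  # plugin lookup is skipped entirely
    for name, factory in registry.items():
        if name.upper() == wanted:
            return ("registry", factory)
    for ep in eps:  # assumption: first match wins; the PR does not state a tie-break
        if ep.name.upper() == wanted:
            return ("entry_point", ep.load())
    raise ValueError(f"unknown auth mode {auth_mode!r} and no plugin registered")

def audit(registry, eps):
    """Return (name, finding, providers) for entry points that need review."""
    by_name = defaultdict(list)
    for ep in eps:
        dist = getattr(ep, "dist", None)  # None for constructed entry points
        by_name[ep.name.upper()].append((dist.name if dist else "<constructed>", ep.value))
    registered = {name.upper() for name in registry}
    findings = []
    for name, providers in sorted(by_name.items()):
        if name in BUILTIN_MODES:
            findings.append((name, "unreachable: built-in mode wins", providers))
        elif name in registered:
            findings.append((name, "shadowed by explicit registry", providers))
        elif len(providers) > 1:
            findings.append((name, "ambiguous: several providers", providers))
    return findings
```

Running `audit({}, installed_auth_entry_points())` in a deployment environment lists every installed package that claims an auth mode name before any of them is imported.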

@honnix honnix force-pushed the honnix/pluggable-auth branch from 9652fa7 to 40fc1db June 22, 2026 17:07
…y_points

Currently, flytekit's auth system only supports a fixed set of built-in
authentication modes (PKCE, ClientSecret, ExternalCommand, DeviceFlow).
Adding a new mode requires modifying flytekit core. This makes it
impossible for downstream consumers to provide custom authenticators
(e.g., native GCP ID token auth) without forking flytekit or shelling
out to external processes.

This change makes the authenticator system extensible:

1. `register_authenticator_plugin(name, factory)` — explicit registration
   that works in every environment (pip, Bazel, vendored mono-repos).

2. `flytekit.auth` entry_point group — automatic discovery for
   pip-installed plugins.

When `auth_mode` is set to a value that doesn't match any built-in
AuthType, the function checks the explicit registry first, then falls
back to entry_point discovery. Names are compared case-insensitively
for consistency with the built-in auth mode handling.

Plugin contract: a callable `(PlatformConfig, ClientConfigStore) -> Authenticator`.

Signed-off-by: Hongxin Liang <honnix@users.noreply.github.com>
@honnix honnix force-pushed the honnix/pluggable-auth branch from 40fc1db to c4e5fac June 22, 2026 17:39
@honnix honnix marked this pull request as ready for review June 22, 2026 17:42
@honnix honnix merged commit e96c720 into flyteorg:master Jun 22, 2026
54 of 56 checks passed
@honnix honnix deleted the honnix/pluggable-auth branch June 22, 2026 18:41