Bring your towel and join one of the fastest growing data communities. Welcome to our second-generation open source orchestration platform, a completely rethought approach to dataflow automation.

Prefect Community

Hi,

Is there a way to install Prefect Core with the UI on something like AWS and add authentication on top of it so that only certain people can access it? 
And is it possible without using Prefect Cloud?

Hi <@U013H1KMP0S>,

It’s definitely possible to install Prefect Server in a remote environment and you’re free to add any authentication layer to it that you’d like! Prefect Server doesn’t come with an authentication layer out of the box.

Oh I see thanks
Do you have any recommendations for authentication?

<http://cloud.prefect.io|Prefect Cloud> uses <https://auth0.com/|Auth0> but I think your particular set up and use case should be the deciding factors. An open source non-third party provider library like <http://www.passportjs.org/|PassportJS> might be useful for adding a straightforward OAuth (or username/email/password) authentication.

We’re exploring running Core/UI in a locked-down VPC and then accessing it via VPN — i.e. doing the security at the network level. Although I’m interested in whether someone comes up with a straightforward way to wire up an auth frontend for an additional layer of security.

Hi <@UN6FTLFAS>,
I tried adding an auth layer to apollo server using PassportJS. I use Google OAuth strategy as auth layer and cookie session to store the session at client side. This is what the flow looks like:
1. User makes a request to Apollo endpoint.
2. A custom middleware detects that request is not authenticated and redirects user to PassportJS's Google OAuth endpoint.
3. Once OAuth dance is complete, PassportJS adds the user to request session.
4. cookie-session middleware then sends this cookie to client side.
5. For subsequent requests, the cookie is automatically sent in request which prevents auth dance from getting triggered.
The way I plan for this to work is user first triggers the authentication by accessing the Apollo endpoint which will preserve the session cookie. Now when Prefect UI makes an AJAX request to Apollo endpoint, browser will automatically send the session cookie. The process is bit quirky but works for now. However, I realised that Prefect UI is not sending the cookie as expected. Same works fine when request is hit directly via browser.
I guess this has something to do with including credentials in request <https://www.apollographql.com/docs/react/networking/authentication/#cookie>

Do you think this can be the issue?

I'm late to the party here, but <@U013H1KMP0S> we've used this tool before. It essentially sits in front of your application (I.e. prefect) and then proxies authenticated people to your app

<https://github.com/oauth2-proxy/oauth2-proxy>