<@ULVA73B9P> does prefect support role based acces...
# marvin-ai
u
@Marvin does Prefect support role-based access or even authentication with OpenID? I am trying to integrate access to Prefect with Keycloak via Traefik auth but am getting an authorization error
m
thought for 176.7 seconds
Short answer:
- Prefect Cloud: yes — RBAC and SSO via OpenID Connect (OIDC) are built-in.
- Self-hosted Prefect Server (open source): no built-in RBAC and no built-in OIDC. You can put it behind an identity-aware proxy (Traefik, oauth2-proxy, Authelia, etc.) but Prefect itself won’t validate OIDC tokens.

Useful links:
- Cloud SSO (OIDC) setup: Configure SSO in Prefect Cloud
- Security settings for self-hosted: Security settings (Server)
- Reverse-proxy example (Nginx) you can translate to Traefik: Reverse proxy example

What this means for your Keycloak + Traefik setup
- If you’re self-hosting, terminate OIDC at Traefik and protect both the UI and API routes there. Prefect won’t inspect the tokens; the proxy gates access.
- Avoid double auth. If you’ve set Prefect’s basic auth (server.api.auth_string), either have Traefik inject the correct Authorization header or disable Prefect’s basic auth and rely solely on Traefik.
- Make sure the UI points at the correct external API URL. Set these on the UI container:
  - `PREFECT_UI_URL=https://prefect.example.com`
  - `PREFECT_UI_API_URL=https://prefect.example.com/api`
- Don’t rewrite away `/api`. The UI calls `/api/...` from the browser; if your proxy strips or rewrites that path, you’ll get 401/404 and other cheerful surprises.
- Ensure auth middleware applies to both `/` (UI) and `/api` (API). If only `/` is protected, the browser’s API calls to `/api` will be blocked by the proxy or fail CORS.
- If you split UI and API across different hosts, you’ll need proper CORS headers; easiest is to keep them on the same hostname.

Common Traefik pitfalls that look like “authorization errors”
- Path rewriting of `/api` or mismatched `PREFECT_UI_API_URL`
- Protecting only the UI route, not `/api`
- Double-auth (Traefik OIDC + Prefect basic auth) causing 401s
- Missing header/cookie forwarding in ForwardAuth middleware

If you want RBAC without more yak-shaving, Prefect Cloud does it out of the box with OIDC (Keycloak works as a generic OIDC provider): Cloud SSO docs.

If you share:
- Whether you’re on Cloud or self-hosted (and Prefect version),
- Your Traefik router/middleware snippet,
- The exact endpoint returning 401/403 (e.g., `/api/health`, `/api/flows`, or just the UI),

I can point at the precise misconfiguration instead of waving generally at your proxy.