cloudacode / mlflow-oauth-sidecar

How to authenticate in MLflow using an external IDP

[question] Missing mlflow config? #2

Open jpambrun opened 5 months ago

jpambrun commented 5 months ago

I can see the oauth proxy is passing some information: https://github.com/cloudacode/mlflow-oauth-sidecar/blob/4a96b3fcfc0392103ec74f90be12c074da8aaebc/docker-compose.yaml#L103-L105

But I feel like there is something missing from the mlflow side to trust these? Should I understand that any mlflow instance online would take these headers and create a new user for me?

kcfigaro commented 3 months ago

Hello, @jpambrun. Sorry for the late reply.

It won't create a new user for you; it is passing your user token to the upstream server. More precisely, these options pass the OIDC ID token and access token in the header to the upstream MLflow tracking server. You don't need to do anything on the MLflow side to trust the header.

I've enabled these options because I want to allow users to retrieve their tokens directly from the MLflow server. For instance, to programmatically log to a tracking server, you need to fetch the token and pass the value into the MLFLOW_TRACKING_TOKEN env value.

For more detailed descriptions, you can check https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#command-line-options
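
Added example (not part of this thread or of the mlflow-oauth-sidecar project): a client-side check to run before exporting a fetched token as MLFLOW_TRACKING_TOKEN, assuming the token is the OIDC ID token in compact JWT form. The function names, the sample token and the mlflow.example.com URL are constructed for illustration; the code reads the claims only and does not verify the signature.

```python
import base64
import json
import os
import time


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def tracking_env(token: str, tracking_uri: str, now=None, min_ttl: int = 60) -> dict:
    """Return env vars for an MLflow client, refusing expired or expiring tokens."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("token has no numeric 'exp' claim")
    if exp - now < min_ttl:
        raise ValueError("token is expired or expires in under %d seconds" % min_ttl)
    # With MLFLOW_TRACKING_TOKEN set, the MLflow client sends
    # "Authorization: Bearer <token>" on each tracking request.
    return {"MLFLOW_TRACKING_URI": tracking_uri, "MLFLOW_TRACKING_TOKEN": token}


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token; constructed for this example only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    sample = constructed_token({"sub": "user@example.com", "exp": int(time.time()) + 3600})
    env = tracking_env(sample, "https://mlflow.example.com")  # hypothetical URL
    os.environ.update(env)  # keep the token in the environment, not in source or logs
    print(sorted(env))
```
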