
Client Configuration and Authentication

The vik-advani-flyte-sdk-9b3ce04 codebase provides a robust framework for connecting to Flyte services. At the heart of this system is the ClientSet class, which manages connections to various Flyte control plane services, and a flexible authentication architecture that supports multiple OAuth2 flows and custom credential providers.

The Client Architecture

The remote client is structured around two primary classes: ClientSet and SessionConfig.

ClientSet

The ClientSet (found in src/flyte/remote/_client/controlplane.py) is the main entry point for all service interactions. It initializes and holds references to various ConnectRPC service clients, including:

  • ProjectServiceClient (via project_domain_service)
  • TaskServiceClient (via task_service)
  • RunServiceClient (via run_service)
  • IdentityServiceClient (via identity_service)
  • ClusterAwareDataProxy (via dataproxy_service)

SessionConfig

A ClientSet is initialized with a SessionConfig (src/flyte/remote/_client/auth/_session.py). This object encapsulates the connection state, including the target endpoint, the HTTP transport (using pyqwest), and a chain of interceptors that handle authentication, retries, and metadata injection.

Initialization Entry Points

The SDK provides several high-level functions in src/flyte/_initialize.py to set up the global client.

Standard Initialization

The init() function is the most common way to configure the client. It supports various authentication modes via the auth_type parameter.

from flyte import init

# Default PKCE initialization
init(endpoint="https://flyte.example.com")

# Client Credentials for service-to-service auth
init(
    endpoint="https://flyte.example.com",
    auth_type="ClientSecret",
    client_id="my-client-id",
    client_credentials_secret="my-secret"
)

API Key Initialization

For environments where an encoded API key is provided, init_from_api_key() decodes the key to extract the endpoint, client ID, and secret automatically.

from flyte import init_from_api_key

# Reads from FLYTE_API_KEY environment variable by default
init_from_api_key()

Authentication Flows

The SDK implements authentication through specialized Authenticator classes. The get_async_authenticator factory in src/flyte/remote/_client/auth/_authenticators/factory.py maps the auth_type to the appropriate implementation.

PKCE (Interactive)

The PKCEAuthenticator (src/flyte/remote/_client/auth/_authenticators/pkce.py) is the default for interactive use. It implements the Proof Key for Code Exchange flow, which typically opens a local browser window for user login. It manages the lifecycle of the AuthorizationClient, including code challenge generation and token exchange.

Client Credentials (Service)

The ClientCredentialsAuthenticator (src/flyte/remote/_client/auth/_authenticators/client_credentials.py) is designed for non-interactive service-to-service communication. It uses a client_id and client_credentials_secret to obtain tokens directly from the token endpoint.

Device Code (Headless)

The DeviceCodeAuthenticator (src/flyte/remote/_client/auth/_authenticators/device_code.py) is ideal for headless environments like SSH sessions. It prompts the user to visit a URL and enter a specific code to authorize the device.

External Command

The AsyncCommandAuthenticator (src/flyte/remote/_client/auth/_authenticators/external_command.py) allows integration with external token providers (e.g., AWS SSO or custom CLI tools). It executes a shell command and uses its stdout as the access token.

init(
    endpoint="https://flyte.example.com",
    auth_type="ExternalCommand",
    command=["aws", "sso", "get-token", "--profile", "flyte-prod"]
)
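
The checks a caller would want around a command whose stdout becomes a bearer token, as an added example (not the SDK's AsyncCommandAuthenticator). The names fetch_token and TokenCommandError are hypothetical, and the sample command is constructed so the block runs offline.

```python
import asyncio
import sys


class TokenCommandError(RuntimeError):
    """Raised without echoing stdout/stderr, so a token never lands in logs."""


async def fetch_token(argv: list[str], timeout: float = 10.0) -> str:
    # argv is executed directly (no shell), so arguments are not re-parsed.
    proc = await asyncio.create_subprocess_exec(
        *argv,
        stdout=asyncio.subprocess.PIPE,
        stderr=asyncio.subprocess.PIPE,
    )
    try:
        out, _err = await asyncio.wait_for(proc.communicate(), timeout)
    except asyncio.TimeoutError:
        proc.kill()
        await proc.wait()
        raise TokenCommandError("token command timed out") from None
    if proc.returncode != 0:
        raise TokenCommandError(f"token command exited with {proc.returncode}")
    token = out.decode("utf-8", "replace").strip()
    # Embedded whitespace (including CR/LF) means this is not one token and
    # must not be placed into an HTTP header value.
    if not token or any(ch.isspace() for ch in token):
        raise TokenCommandError("token command did not print a single token")
    return token


def authorization_header(token: str) -> tuple[str, str]:
    return ("authorization", f"Bearer {token}")


if __name__ == "__main__":
    # Constructed stand-in for a real token provider.
    sample = [sys.executable, "-c", "print('constructed-token-123')"]
    name, value = authorization_header(asyncio.run(fetch_token(sample)))
    print(name, value[:10] + "...")  # print only a prefix of the header value
```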

Passthrough

The PassthroughAuthenticator (src/flyte/remote/_client/auth/_authenticators/passthrough.py) is used when tokens are managed externally and passed into the SDK via the auth_metadata context manager.

from flyte.remote import auth_metadata
from flyte.remote._user import User

with auth_metadata([("authorization", "Bearer my-custom-token")]):
    user = User.get()

Configuration Management

Authentication settings are managed by the ClientConfig model (src/flyte/remote/_client/auth/_client_config.py). This model includes fields for token_endpoint, authorization_endpoint, client_id, and scopes.

Remote Configuration Resolution

The SDK can fetch OAuth2 configuration directly from the Flyte backend using the RemoteClientConfigStore. The Authenticator._resolve_config() method merges this remote configuration with any local overrides provided during initialization.

# In Authenticator._resolve_config:
remote_config = await self._cfg_store.get_client_config()
self._resolved_config = (
    remote_config.with_override(self._client_config) if self._client_config else remote_config
)

Verifying Authentication

Once initialized, you can verify the authentication status and retrieve user details using the User class (src/flyte/remote/_user.py).

from flyte.remote._user import User

user = User.get()
print(f"Logged in as: {user.name()} ({user.subject()})")

This call uses the identity_service on the active ClientSet to fetch UserInfoResponse metadata from the Flyte platform.