Authentication and Authorization in Prefect OSS #20463
Replies: 1 comment
Agree that external auth is the right approach for OSS. JWT + JWKS for authentication is solid - you validate tokens locally without hitting the auth server on every request. For authorization, resource-based permissions (like CASL) are more flexible than role-based for Prefect's model since you often need per-deployment or per-work-pool access control. The middleware pattern works well: intercept API requests, extract the JWT claims, and check permissions against a policy store before forwarding to the Prefect API. For workers specifically, the simplest approach is to issue scoped service account tokens that can only poll specific work pools. You can enforce this at the reverse proxy layer (e.g., OPA sidecar on the API gateway) so the Prefect server itself does not need modification.
While the Basic auth that was added is great, I think many users would like a more flexible system that also allows for either role based or resource based permissions. I wanted to start a discussion around how this could be implemented and wanted, as a first step, to share my thoughts on potential implementations (very high level).
In my opinion the authentication and authorization system has to be external to the Prefect API. Ideally we would have a base Authentication and base Authorization logic that can then be adapted by external providers. This could be something like KeyCloak etc. which implement the necessary endpoints.
The Authorization logic should also be able to be used for the UI and the worker processes to make sure workers only access resources that they are allowed to access.
For authentication I was thinking of JWT which would allow us to cache the JWKS keys in an external cache and validate the JWT locally on the Prefect server. For authorization I was thinking of resource based permissions (think CASL for example).
What are other users' thoughts on this topic?
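The middleware flow sketched in both posts (validate the JWT locally against a cached JWKS, then check CASL-style resource rules such as "this worker may only poll this work pool"), as an added stand-alone example that is not part of the discussion or of Prefect's code. It assumes a constructed JWKS holding a symmetric "oct" key so it runs with the standard library only; a real identity provider would publish RSA/EC public keys and the verifier would use a JOSE library. The claim layout (`permissions` as a list of `action`/`subject`/`id` rules) and the `mint_token` helper are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed JWKS cached locally, keyed by "kid". A symmetric "oct" key keeps this
# runnable with the standard library; a real IdP would publish RSA/EC public keys.
JWKS_CACHE = {"sa-key-1": {"kty": "oct", "alg": "HS256",
                           "k": "c2VjcmV0LXNlcnZpY2UtYWNjb3VudC1rZXk"}}  # base64url, no padding

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, kid: str = "sa-key-1") -> str:
    """Issue a test token the way the external auth server would (constructed helper)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    key = b64url_decode(JWKS_CACHE[kid]["k"])
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, now=None) -> dict:
    """Validate signature and expiry against the cached JWKS; no round trip to the IdP."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    key = JWKS_CACHE.get(header.get("kid"))
    if key is None or header.get("alg") != key["alg"]:  # pin alg to the key, never trust the token's alg alone
        raise ValueError("unknown kid or algorithm mismatch")
    expected = hmac.new(b64url_decode(key["k"]), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def is_allowed(claims: dict, action: str, subject: str, resource_id: str) -> bool:
    """CASL-style rules {"action","subject","id"}; id "*" matches any resource of that subject."""
    return any(rule["action"] in (action, "manage") and rule["subject"] == subject
               and rule.get("id", "*") in ("*", resource_id)
               for rule in claims.get("permissions", []))

def authorize(token: str, action: str, subject: str, resource_id: str, now=None) -> bool:
    """Middleware decision: deny on any verification failure, then apply the policy."""
    try:
        claims = verify_jwt(token, now)
    except (ValueError, KeyError):
        return False
    return is_allowed(claims, action, subject, resource_id)
```

A reverse proxy or API middleware would call `authorize()` with the action and resource derived from the incoming route (e.g. a worker polling `/work_pools/{name}`) and forward to the Prefect API only on `True`.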