MLflow OIDC Auth

7.0.3 verified Fri May 01 auth: no python

OIDC authentication plugin for MLflow tracking server. Version 7.0.3, requires Python >=3.10. Provides OAuth2/OIDC integration for MLflow, supports token-based auth, group-based permission filtering, and MLflow's REST API auth middleware. Active development with regular releases.

pip install mlflow-oidc-auth

Common errors

error ImportError: cannot import name 'create_oidc_app' from 'mlflow_oidc_auth' ↓

cause Using older version (<7.0.0) where the function was not exported.

fix

Upgrade to 7.0.0+ or import from mlflow_oidc_auth.oidc in older versions.

error TypeError: create_oidc_app() missing 1 required positional argument: 'app' ↓

cause Calling `create_oidc_app` without passing the Flask app as first argument.

fix

Pass the Flask application instance: create_oidc_app(app, ...).

Warnings

breaking Version 7.x changed the import path from `mlflow_oidc_auth.oidc` to top-level `mlflow_oidc_auth`. Old imports will fail. ↓

fix Use `from mlflow_oidc_auth import create_oidc_app` instead of `from mlflow_oidc_auth.oidc import ...`.

deprecated The `token_endpoint` parameter is deprecated and may be removed in future; use the `token_endpoint` from the OIDC discovery document. ↓

fix Omit `token_endpoint` and `userinfo_endpoint` if your issuer supports OIDC discovery (well-known/openid-configuration).

gotcha Session secret must be set before `create_oidc_app` is called; otherwise session encryption fails silently. ↓

fix Set `app.secret_key` before invoking `create_oidc_app`.

gotcha The plugin requires MLflow to be installed with extras `[auth]` or in `server` mode. Without MLflow, imports succeed but runtime fails. ↓

fix Install MLflow with the `auth` extra: `pip install mlflow[auth]`.

Imports

create_oidc_app

wrong

from mlflow_oidc_auth import OIDCApp

correct

from mlflow_oidc_auth import create_oidc_app

The class is not exported; use the factory function.

AuthMiddleware

from mlflow_oidc_auth import AuthMiddleware

Quickstart

Basic Flask app with OIDC auth. Requires environment variables for issuer, client ID, and secret.

import os
from mlflow_oidc_auth import create_oidc_app
from flask import Flask

app = Flask(__name__)
app.secret_key = os.environ.get('SECRET_KEY', 'changeme')

oidc = create_oidc_app(
    app,
    issuer=os.environ.get('OIDC_ISSUER', 'https://example.com/auth/realms/myrealm'),
    client_id=os.environ.get('OIDC_CLIENT_ID', 'my-client'),
    client_secret=os.environ.get('OIDC_CLIENT_SECRET', ''),
    token_endpoint=os.environ.get('OIDC_TOKEN_ENDPOINT', ''),
    userinfo_endpoint=os.environ.get('OIDC_USERINFO_ENDPOINT', ''),
)

if __name__ == '__main__':
    app.run(debug=True)