diff --git a/backend/src/apiserver/auth/auth_util.go b/backend/src/apiserver/auth/auth_util.go
index d258a73ad742..807004e5d4ae 100644
--- a/backend/src/apiserver/auth/auth_util.go
+++ b/backend/src/apiserver/auth/auth_util.go
@@ -19,6 +19,7 @@ import (
 "fmt"
 "strings"

+ "github.com/kubeflow/pipelines/backend/src/apiserver/client"
 "github.com/kubeflow/pipelines/backend/src/apiserver/common"
 "github.com/kubeflow/pipelines/backend/src/common/util"
 "github.com/pkg/errors"
@@ -38,9 +39,15 @@ var IdentityHeaderMissingError = util.NewUnauthenticatedError(
 // Make this public for tests to force its re-instantiation
 var Authenticators []Authenticator

-func GetAuthenticators() []Authenticator {
+func GetAuthenticators(tokenReviewClient client.TokenReviewInterface) []Authenticator {
 if Authenticators == nil {
 Authenticators = []Authenticator{
+ NewTokenReviewAuthenticator(
+ common.AuthorizationBearerTokenHeader,
+ common.AuthorizationBearerTokenPrefix,
+ []string{common.TokenReviewAudience},
+ tokenReviewClient,
+ ),
 NewHTTPHeaderAuthenticator(common.GetKubeflowUserIDHeader(), common.GetKubeflowUserIDPrefix()),
 }
 }
diff --git a/backend/src/apiserver/resource/resource_manager.go b/backend/src/apiserver/resource/resource_manager.go
index 0c07bad25d88..8dc6b1a270bc 100644
--- a/backend/src/apiserver/resource/resource_manager.go
+++ b/backend/src/apiserver/resource/resource_manager.go
@@ -1239,7 +1239,7 @@ func (r *ResourceManager) IsRequestAuthenticated(ctx context.Context) (string, e
 // If the request header contains the user identity, requests are authorized
 // based on the namespace field in the request.
 var errlist []error
- for _, auth := range kfpauth.GetAuthenticators() {
+ for _, auth := range kfpauth.GetAuthenticators(r.tokenReviewClient) {
 userIdentity, err := auth.GetUserIdentity(ctx)
 if err == nil {
 return userIdentity, nil
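Review bot: `tokenReviewClient` is read only the first time `GetAuthenticators` runs, because the slice is memoised in the package-level `Authenticators`. Every later call ignores its argument, and a nil client passed on that first call stays inside the TokenReview authenticator for the life of the process. The `Authenticators == nil` check is also unsynchronised, and the resource_manager.go hunk calls this function from `IsRequestAuthenticated`, which presumably runs on concurrent request goroutines. I would state the contract in a doc comment, e.g. `// GetAuthenticators returns the process-wide authenticator chain; tokenReviewClient is used only when the chain is first built.`, and consider building the chain under a `sync.Once` or once at server start-up. The function's closing lines are outside the hunk.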
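Review bot: The loop returns on the first authenticator that succeeds, so with the chain built in auth_util.go a request whose bearer token fails TokenReview still falls through to the user-identity header authenticator. That is only safe if whatever fronts the API server strips or overwrites a client-supplied identity header on every path that can now reach it with a bearer token, which cannot be confirmed from this hunk. A comment above the loop would make the intent explicit, e.g. `// Authenticators are tried in order; a rejected bearer token falls back to the trusted identity header.`, and recording which authenticator accepted the request would help auditing. The rest of `IsRequestAuthenticated` lies outside the hunk.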