Skip to content

Evolve user authentication for inference service

Problem / Opportunity Statement

Status quo:

  • Both sides of the service (UI and API) restrict incoming connections to Jetstream2 and IU Rescloud subnets (plus a test IP from CyVerse).
  • The web UI allows self-service sign-up, and we tell people to register using the email associated with their ACCESS account.
  • The inference API has no authentication at all; it'll accept an empty string for a token.
  • We can track adoption/use of the web UI in terms of aggregate usage, and and also number of user accounts and when they're created (because folks need to create an account to use).
  • We can track adoption/use of the API only in terms of aggregate usage, not in terms of number of users/projects (because it's an open API, no account/token required).

Separately, AnvilGPT (1) uses CILogon to authenticate users via their ACCESS accounts, and (2) offers API access using Open WebUI as a proxy.

Needs / wants:

  • @scamicha believes (and I agree) that we should remove as many barriers as possible to using the service. It should be be as easy as commercial inference APIs.
  • This includes allowing users to connect from outside the blessed subnets. (But we still need to authenticate them, to prevent abuse.)
  • We do want to track/count who is using both the API and UI. It will help justify continued development effort and use of valuable hardware (i.e. half, or more, of a $250k server).

Resolution

  • Possibly implement OpenID Connect for user login, possibly with multiple providers (ACCESS, IU).
  • For the API side, direct users to the Open WebUI proxy, and obtain a token from the interface after logging in.
  • Remove the IP range restriction so folks can connect from anywhere (as long as they authenticate).

Screenshots of obtaining and using an API token from Open WebUI

image

image

It appears that a given Open WebUI user can only have one active API key at a time. If I create a new API key with my own (non-privileged) account, it invalidates the old one. I can imagine this being inadequate for someone wanting to pre-create API keys for several different projects/uses, with the possibility of later revoking them granularly. Perhaps we offer a different path for someone wanting to do that.

Edited by Chris Martin