November 22, 2022 3 min read

Authenticating Flipt

George MacRorie

Last week we cut the v1.15.0 release of Flipt. The primary feature of this release is authentication: as of v1.15.0, Flipt supports static client-token-based authentication. This is our first step toward bringing authentication and authorization features to Flipt.

Currently, the way to obtain a client token is to enable the “token” authentication method in Flipt’s configuration. Once enabled, a section of the API (/auth/v1/method/token) is mounted and can be used to create new client tokens.

Note that this endpoint is itself protected when authentication is set to required, so an existing client token must be presented in order to create new ones.

authentication:
  methods:
    token:
      enabled: true

Check out our token authentication configuration documentation for more specific details.

If no tokens exist in the backing store, one is created the first time you enable the token authentication method. This bootstraps an initial token so that you don’t lock yourself out of Flipt (alternatively, authentication can be left as not required while you set things up). The bootstrapped token is written to the logs, so treat that log output as sensitive:

…
2022-11-22T12:02:10Z    INFO    access token created    {"server": "grpc", "client_token": "nCq9QO-FeEAS91LV1LFD2qOpUASXl8eljlXokeorbyY="}
…

By default Flipt remains open. With a small addition to your instance configuration, however, Flipt’s API can be secured so that every request must be authenticated:

authentication:
  required: true

Once authentication is required, API requests must present a client token as a Bearer credential in the Authorization header; requests without a valid token are rejected:

curl localhost:8080/api/v1/flags \
   -H 'Authorization: Bearer nCq9QO-FeEAS91LV1LFD2qOpUASXl8eljlXokeorbyY=' \
   -H 'Content-Type: application/json'

Putting this all together, we get a secured API in which already-authenticated clients can create additional credentials:

authentication:
  required: true
  methods:
    token:
      enabled: true
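To make the bootstrap-and-Bearer flow above concrete, here is an added Go example; it is not Flipt’s own code or client. It pulls the bootstrapped token out of the log line shown earlier, then calls /api/v1/flags with and without an Authorization: Bearer header against a small stub server that stands in for a Flipt instance configured with required: true. The stub, its 401 response, the {"flags":[{"key":...}]} response shape and the flag key are assumptions of the example; the log line is a constructed copy of the one in the post.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sampleLog is a constructed copy of the bootstrap log line shown in the post.
const sampleLog = `2022-11-22T12:02:10Z    INFO    access token created    {"server": "grpc", "client_token": "nCq9QO-FeEAS91LV1LFD2qOpUASXl8eljlXokeorbyY="}`

// BootstrapTokenFromLog pulls the bootstrapped client token out of Flipt's log output
// ("<timestamp> <level> <message> <json fields>"); only the trailing JSON object is parsed.
func BootstrapTokenFromLog(logs string) (string, error) {
	for _, line := range strings.Split(logs, "\n") {
		i := strings.Index(line, "{")
		if !strings.Contains(line, "access token created") || i < 0 {
			continue
		}
		var fields struct{ ClientToken string `json:"client_token"` }
		if err := json.Unmarshal([]byte(line[i:]), &fields); err != nil {
			return "", fmt.Errorf("parse log fields: %w", err)
		}
		if fields.ClientToken != "" {
			return fields.ClientToken, nil
		}
	}
	return "", errors.New("no bootstrap token found in logs")
}

var ErrUnauthenticated = errors.New("flipt: missing or invalid client token") // returned on HTTP 401

// Client presents a static client token as a Bearer credential on every call.
type Client struct {
	BaseURL string
	Token   string // empty means "send no credential"
	HTTP    *http.Client
}

// ListFlags calls GET /api/v1/flags and returns the flag keys. The response
// shape {"flags":[{"key":...}]} is an assumption of this example.
func (c *Client) ListFlags() ([]string, error) {
	req, err := http.NewRequest(http.MethodGet, c.BaseURL+"/api/v1/flags", nil)
	if err != nil {
		return nil, err
	}
	if c.Token != "" {
		req.Header.Set("Authorization", "Bearer "+c.Token)
	}
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusUnauthorized {
		return nil, ErrUnauthenticated
	} else if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	var body struct {
		Flags []struct{ Key string `json:"key"` } `json:"flags"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return nil, err
	}
	keys := make([]string, 0, len(body.Flags))
	for _, f := range body.Flags {
		keys = append(keys, f.Key)
	}
	return keys, nil
}

// NewStubFlipt is a constructed stand-in (not Flipt's own code) for an instance running
// with authentication.required=true: requests without "Authorization: Bearer <validToken>"
// get 401. The token compare is constant-time so timing cannot leak token bytes.
func NewStubFlipt(validToken string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/flags", func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") || subtle.ConstantTimeCompare([]byte(strings.TrimPrefix(auth, "Bearer ")), []byte(validToken)) != 1 {
			http.Error(w, `{"error":"unauthenticated"}`, http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"flags":[{"key":"new-contact-page","enabled":true}]}`)
	})
	return httptest.NewServer(mux)
}

func main() {
	token, _ := BootstrapTokenFromLog(sampleLog)
	srv := NewStubFlipt(token)
	defer srv.Close()
	c := &Client{BaseURL: srv.URL, Token: token, HTTP: srv.Client()}
	flags, err := c.ListFlags() // drop Token and this returns ErrUnauthenticated instead
	fmt.Println(flags, err)
}
```

Because the bootstrap token lands in log output, a practitioner would use it once to mint a purpose-specific token via /auth/v1/method/token and then delete the bootstrapped one through Flipt’s API, rather than keeping a credential that lives in log storage.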

Head over to the new Authentication section of our documentation to learn more about interacting with Flipt when authentication is required.

As mentioned, this is our first step toward securing Flipt. Once authentication is required, the UI becomes unusable, since we have not yet implemented the features needed to authenticate browser sessions.

In the next release, we expect to add Google as the first OAuth login provider, followed by other authentication providers in subsequent releases.

We’re also working on automated handling of expired client tokens. With v1.15.0 it is currently on the operator to use Flipt’s APIs to delete outdated tokens; we plan for this mechanism to be built-in, automated, and configurable in the future.

On top of all this, we’re actively designing authorization features for Flipt, so that you can decide who can do what when interacting with the API and UI.

Join us in our Discord to chat about your needs and to help influence the future of authentication and authorization with Flipt.
