# Site-specific Authentication and Federated Job-level Authorization

Site-specific authentication and authorization lets users inject their own authentication and authorization methods into the NVFlare system. This covers registration and authentication of the FL server and clients, as well as authorization of job deployment and job execution.

NVFlare provides a general-purpose, event-based, pluggable authentication and authorization framework that allows the system to be extended, for example by:

* exposing the app through a WAF (Web Application Firewall) or any other network element that enforces mutual Transport Layer Security (mTLS)

* using a confidential certificate authority to verify the identity of each participating site and to ensure that each site meets the computing requirements for confidential computing

* defining additional roles to manage who can submit which kinds of jobs to NVFlare for execution, to identify who submitted a job, and to control which datasets a job can access

Users can write their own FLComponents that listen for NVFlare system events at different points of the workflow, and plug in their authentication and authorization logic wherever it is needed.

### Assumptions and Risks
When customized site-specific authentication and authorization is enabled, NVFlare makes several security-related data items available to the external FL components, e.g. IDENTITY_NAME, PUBLIC_KEY, CERTIFICATE, etc. To protect this data from being tampered with, it must be exposed read-only: a plug-in may consult it when making its decision but must not be able to alter it.

Because the authentication and authorization processes are external plug-ins, their results can cause a job to be rejected, not deployed, or not run. When configuring and using these functions, users need to be aware of that impact and know at which point of the workflow each authentication or authorization check should be plugged in.

### Event-based pluggable authentication and authorization
NVFlare's event-based solution supports site-specific authentication and federated job-level authorization. Users can add any kind of additional security check by building and plugging in FLComponents that listen to the appropriate events and implement custom authentication and authorization functions.
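
The two handlers below, added here as an example and not taken from this page or from NVFlare's own code base, show the pattern end to end: a server-side FLComponent that listens for the admin-command authorization event and vetoes `submit_job` requests whose submitter role is not allowed to run that kind of job, and a client-side FLComponent that listens for the event fired before a job's resource check and blocks jobs this site does not accept. Assumed, not stated on this page: the event names (`AUTHORIZE_COMMAND_CHECK`, `BEFORE_CHECK_RESOURCE_MANAGER`), the context keys (`COMMAND_NAME`, `JOB_META`, `AUTHORIZATION_RESULT`, `AUTHORIZATION_REASON`, `JOB_BLOCK_REASON`) and the job-meta field names (`name`, `submitter_org`, `submitter_role`) follow NVFlare's site-security documentation; the role and org policy tables are illustrative; and when `nvflare` is not installed, minimal local stand-ins with the same method shapes let the policy logic run offline.

```python
"""Event-driven NVFlare-style authorization plug-ins (added example, not NVFlare's own code).

Assumed, not stated on this page: the event names, FLContextKey names and job-meta fields
("name", "submitter_org", "submitter_role") used here follow NVFlare's site-security docs;
the policy tables are illustrative. Without nvflare installed, local stand-ins with the
same method shapes keep the logic runnable offline.
"""
try:
    from nvflare.apis.event_type import EventType
    from nvflare.apis.fl_component import FLComponent
    from nvflare.apis.fl_constant import FLContextKey
    from nvflare.apis.fl_context import FLContext
except ImportError:  # offline stand-ins with the assumed method shapes
    class EventType:
        AUTHORIZE_COMMAND_CHECK = "_authorize_command_check"
        BEFORE_CHECK_RESOURCE_MANAGER = "_before_check_resource_manager"

    class FLContextKey:
        COMMAND_NAME = "__command_name__"
        JOB_META = "__job_meta__"
        AUTHORIZATION_RESULT = "__authorization_result__"
        AUTHORIZATION_REASON = "__authorization_reason__"
        JOB_BLOCK_REASON = "__job_block_reason__"

    class FLContext:
        def __init__(self):
            self._props = {}
        def set_prop(self, key, value, private=True, sticky=True):
            self._props[key] = value
        def get_prop(self, key, default=None):
            return self._props.get(key, default)

    class FLComponent:
        def handle_event(self, event_type, fl_ctx):
            pass

# Illustrative server policy: submitter role -> job-name prefixes that role may submit.
# Roles not listed are denied (default deny); the empty prefix matches every job name.
SERVER_SUBMIT_POLICY = {"lead": ("",), "member": ("train-", "eval-")}

def evaluate_submit(job_meta, policy=SERVER_SUBMIT_POLICY):
    """Decide a submit_job request from its job meta; returns (allowed, reason)."""
    role, name = job_meta.get("submitter_role"), job_meta.get("name") or ""
    prefixes = policy.get(role)
    if prefixes is None:
        return False, f"role {role!r} may not submit jobs"
    if not any(name.startswith(p) for p in prefixes):
        return False, f"role {role!r} may not submit job {name!r}"
    return True, ""

class ServerJobSubmitAuthorizer(FLComponent):
    """Server-side plug-in: vetoes submit_job commands that violate the policy."""

    def handle_event(self, event_type, fl_ctx):
        # The authorization event fires for every admin command, so filter by command name first.
        if event_type != EventType.AUTHORIZE_COMMAND_CHECK:
            return
        if fl_ctx.get_prop(FLContextKey.COMMAND_NAME) != "submit_job":
            return
        allowed, reason = evaluate_submit(fl_ctx.get_prop(FLContextKey.JOB_META) or {})
        if not allowed:
            # Non-sticky so the verdict does not leak into later commands on this context.
            fl_ctx.set_prop(FLContextKey.AUTHORIZATION_RESULT, False, sticky=False)
            fl_ctx.set_prop(FLContextKey.AUTHORIZATION_REASON, reason, sticky=False)

# Illustrative site policy: this client only runs jobs submitted from trusted orgs.
SITE_TRUSTED_SUBMITTER_ORGS = frozenset({"org-a", "org-b"})

def evaluate_site_deploy(job_meta, trusted=SITE_TRUSTED_SUBMITTER_ORGS):
    """Return a block reason, or None when this site accepts the job."""
    org = job_meta.get("submitter_org")
    return None if org in trusted else f"site policy: jobs from org {org!r} are not accepted"

class ClientJobDeployGate(FLComponent):
    """Client-side plug-in: blocks a job at this site before its resources are checked."""

    def handle_event(self, event_type, fl_ctx):
        if event_type != EventType.BEFORE_CHECK_RESOURCE_MANAGER:
            return
        reason = evaluate_site_deploy(fl_ctx.get_prop(FLContextKey.JOB_META) or {})
        if reason:
            fl_ctx.set_prop(FLContextKey.JOB_BLOCK_REASON, reason, sticky=False)

def server_decision(job_meta):
    """Drive the server plug-in as the dispatcher would; no verdict is treated as allowed (assumed)."""
    ctx = FLContext()
    ctx.set_prop(FLContextKey.COMMAND_NAME, "submit_job", sticky=False)
    ctx.set_prop(FLContextKey.JOB_META, job_meta, sticky=False)
    ServerJobSubmitAuthorizer().handle_event(EventType.AUTHORIZE_COMMAND_CHECK, ctx)
    return (ctx.get_prop(FLContextKey.AUTHORIZATION_RESULT, True),
            ctx.get_prop(FLContextKey.AUTHORIZATION_REASON, ""))

def client_decision(job_meta):
    """Drive the client plug-in the same way; returns the block reason or None."""
    ctx = FLContext()
    ctx.set_prop(FLContextKey.JOB_META, job_meta, sticky=False)
    ClientJobDeployGate().handle_event(EventType.BEFORE_CHECK_RESOURCE_MANAGER, ctx)
    return ctx.get_prop(FLContextKey.JOB_BLOCK_REASON)
```

Both handlers default to deny when the role or org is unknown, filter on the command name first because the authorization event fires for every admin command, and record their verdicts as non-sticky properties so a rejection of one command does not bleed into the next command handled on the same context. Registering a handler means listing its class in the server's or client's component configuration; the notebooks linked below walk through that step.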


Let's look at these mechanisms in the following notebooks:

* [Customized server-side security check](./custom_server_side_authentication/server_side_security_plugin.ipynb)
* [Customized client-side job-level check](./custom_client_side_job_level_authorization/client_side_security_check.ipynb)
* [Client-side third-party authentication integration](./custom_client_side_auth_system_integration/keycloak_integration.ipynb)
