flwr-nightly 1.23.0.dev20251001__py3-none-any.whl → 1.23.0.dev20251003__py3-none-any.whl

flwr/proto/control_pb2_grpc.pyi

@@ -44,6 +44,21 @@ class ControlStub:
         flwr.proto.control_pb2.PullArtifactsResponse]
     """Pull artifacts generated during a run (flwr pull)"""
 
+    CreateNodeCli: grpc.UnaryUnaryMultiCallable[
+        flwr.proto.control_pb2.CreateNodeCliRequest,
+        flwr.proto.control_pb2.CreateNodeCliResponse]
+    """Add SuperNode"""
+
+    DeleteNodeCli: grpc.UnaryUnaryMultiCallable[
+        flwr.proto.control_pb2.DeleteNodeCliRequest,
+        flwr.proto.control_pb2.DeleteNodeCliResponse]
+    """Remove SuperNode"""
+
+    ListNodesCli: grpc.UnaryUnaryMultiCallable[
+        flwr.proto.control_pb2.ListNodesCliRequest,
+        flwr.proto.control_pb2.ListNodesCliResponse]
+    """List SuperNodes"""
+
 
 class ControlServicer(metaclass=abc.ABCMeta):
     @abc.abstractmethod
@@ -102,5 +117,29 @@ class ControlServicer(metaclass=abc.ABCMeta):
         """Pull artifacts generated during a run (flwr pull)"""
         pass
 
+    @abc.abstractmethod
+    def CreateNodeCli(self,
+        request: flwr.proto.control_pb2.CreateNodeCliRequest,
+        context: grpc.ServicerContext,
+    ) -> flwr.proto.control_pb2.CreateNodeCliResponse:
+        """Add SuperNode"""
+        pass
+
+    @abc.abstractmethod
+    def DeleteNodeCli(self,
+        request: flwr.proto.control_pb2.DeleteNodeCliRequest,
+        context: grpc.ServicerContext,
+    ) -> flwr.proto.control_pb2.DeleteNodeCliResponse:
+        """Remove SuperNode"""
+        pass
+
+    @abc.abstractmethod
+    def ListNodesCli(self,
+        request: flwr.proto.control_pb2.ListNodesCliRequest,
+        context: grpc.ServicerContext,
+    ) -> flwr.proto.control_pb2.ListNodesCliResponse:
+        """List SuperNodes"""
+        pass
+
 
 def add_ControlServicer_to_server(servicer: ControlServicer, server: grpc.Server) -> None: ...

flwr/proto/node_pb2.py

@@ -14,7 +14,7 @@ _sym_db = _symbol_database.Default()
 
 
 
-DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x15\x66lwr/proto/node.proto\x12\nflwr.proto\"\x17\n\x04Node\x12\x0f\n\x07node_id\x18\x01 \x01(\x04\x62\x06proto3')
+DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x15\x66lwr/proto/node.proto\x12\nflwr.proto\"\x17\n\x04Node\x12\x0f\n\x07node_id\x18\x01 \x01(\x04\"\xb6\x01\n\x08NodeInfo\x12\x0f\n\x07node_id\x18\x01 \x01(\x04\x12\x11\n\towner_aid\x18\x02 \x01(\t\x12\x12\n\ncreated_at\x18\x03 \x01(\t\x12\x14\n\x0c\x61\x63tivated_at\x18\x04 \x01(\t\x12\x16\n\x0e\x64\x65\x61\x63tivated_at\x18\x05 \x01(\t\x12\x12\n\ndeleted_at\x18\x06 \x01(\t\x12\x14\n\x0conline_until\x18\x07 \x01(\x02\x12\x1a\n\x12heartbeat_interval\x18\x08 \x01(\x02\x62\x06proto3')
 
 _globals = globals()
 _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals)
@@ -23,4 +23,6 @@ if _descriptor._USE_C_DESCRIPTORS == False:
   DESCRIPTOR._options = None
   _globals['_NODE']._serialized_start=37
   _globals['_NODE']._serialized_end=60
+  _globals['_NODEINFO']._serialized_start=63
+  _globals['_NODEINFO']._serialized_end=245
 # @@protoc_insertion_point(module_scope)

flwr/proto/node_pb2.pyi

@@ -5,6 +5,7 @@ isort:skip_file
 import builtins
 import google.protobuf.descriptor
 import google.protobuf.message
+import typing
 import typing_extensions
 
 DESCRIPTOR: google.protobuf.descriptor.FileDescriptor
@@ -19,3 +20,35 @@ class Node(google.protobuf.message.Message):
         ) -> None: ...
     def ClearField(self, field_name: typing_extensions.Literal["node_id",b"node_id"]) -> None: ...
 global___Node = Node
+
+class NodeInfo(google.protobuf.message.Message):
+    DESCRIPTOR: google.protobuf.descriptor.Descriptor
+    NODE_ID_FIELD_NUMBER: builtins.int
+    OWNER_AID_FIELD_NUMBER: builtins.int
+    CREATED_AT_FIELD_NUMBER: builtins.int
+    ACTIVATED_AT_FIELD_NUMBER: builtins.int
+    DEACTIVATED_AT_FIELD_NUMBER: builtins.int
+    DELETED_AT_FIELD_NUMBER: builtins.int
+    ONLINE_UNTIL_FIELD_NUMBER: builtins.int
+    HEARTBEAT_INTERVAL_FIELD_NUMBER: builtins.int
+    node_id: builtins.int
+    owner_aid: typing.Text
+    created_at: typing.Text
+    activated_at: typing.Text
+    deactivated_at: typing.Text
+    deleted_at: typing.Text
+    online_until: builtins.float
+    heartbeat_interval: builtins.float
+    def __init__(self,
+        *,
+        node_id: builtins.int = ...,
+        owner_aid: typing.Text = ...,
+        created_at: typing.Text = ...,
+        activated_at: typing.Text = ...,
+        deactivated_at: typing.Text = ...,
+        deleted_at: typing.Text = ...,
+        online_until: builtins.float = ...,
+        heartbeat_interval: builtins.float = ...,
+        ) -> None: ...
+    def ClearField(self, field_name: typing_extensions.Literal["activated_at",b"activated_at","created_at",b"created_at","deactivated_at",b"deactivated_at","deleted_at",b"deleted_at","heartbeat_interval",b"heartbeat_interval","node_id",b"node_id","online_until",b"online_until","owner_aid",b"owner_aid"]) -> None: ...
+global___NodeInfo = NodeInfo

flwr/server/app.py

@@ -38,7 +38,7 @@ from flwr.common.address import parse_address
 from flwr.common.args import try_obtain_server_certificates
 from flwr.common.config import get_flwr_dir
 from flwr.common.constant import (
-    AUTH_TYPE_YAML_KEY,
+    AUTHN_TYPE_YAML_KEY,
     AUTHZ_TYPE_YAML_KEY,
     CLIENT_OCTET,
     CONTROL_API_DEFAULT_SERVER_ADDRESS,
@@ -71,7 +71,7 @@ from flwr.supercore.ffs import FfsFactory
 from flwr.supercore.grpc_health import add_args_health, run_health_server_grpc_no_tls
 from flwr.supercore.object_store import ObjectStoreFactory
 from flwr.superlink.artifact_provider import ArtifactProvider
-from flwr.superlink.auth_plugin import ControlAuthPlugin, ControlAuthzPlugin
+from flwr.superlink.auth_plugin import ControlAuthnPlugin, ControlAuthzPlugin
 from flwr.superlink.servicer.control import run_control_api_grpc
 
 from .superlink.fleet.grpc_adapter.grpc_adapter_servicer import GrpcAdapterServicer
@@ -83,13 +83,13 @@ from .superlink.simulation.simulationio_grpc import run_simulationio_api_grpc
 
 DATABASE = ":flwr-in-memory-state:"
 BASE_DIR = get_flwr_dir() / "superlink" / "ffs"
-P = TypeVar("P", ControlAuthPlugin, ControlAuthzPlugin)
+P = TypeVar("P", ControlAuthnPlugin, ControlAuthzPlugin)
 
 
 try:
     from flwr.ee import (
         add_ee_args_superlink,
-        get_control_auth_plugins,
+        get_control_authn_plugins,
         get_control_authz_plugins,
         get_control_event_log_writer_plugins,
         get_ee_artifact_provider,
@@ -101,7 +101,7 @@ except ImportError:
     def add_ee_args_superlink(parser: argparse.ArgumentParser) -> None:
         """Add EE-specific arguments to the parser."""
 
-    def get_control_auth_plugins() -> dict[str, type[ControlAuthPlugin]]:
+    def get_control_authn_plugins() -> dict[str, type[ControlAuthnPlugin]]:
         """Return all Control API authentication plugins."""
         raise NotImplementedError("No authentication plugins are currently supported.")
 
@@ -189,16 +189,23 @@ def run_superlink() -> None:
     # Obtain certificates
     certificates = try_obtain_server_certificates(args)
 
-    # Disable the user auth TLS check if args.disable_oidc_tls_cert_verification is
+    # Disable the account auth TLS check if args.disable_oidc_tls_cert_verification is
     # provided
     verify_tls_cert = not getattr(args, "disable_oidc_tls_cert_verification", None)
 
-    auth_plugin: Optional[ControlAuthPlugin] = None
+    authn_plugin: Optional[ControlAuthnPlugin] = None
     authz_plugin: Optional[ControlAuthzPlugin] = None
     event_log_plugin: Optional[EventLogWriterPlugin] = None
-    # Load the auth plugin if the args.user_auth_config is provided
+    # Load the auth plugin if the args.account_auth_config is provided
     if cfg_path := getattr(args, "user_auth_config", None):
-        auth_plugin, authz_plugin = _try_obtain_control_auth_plugins(
+        log(
+            WARN,
+            "The `--user-auth-config` flag is deprecated and will be removed in a "
+            "future release. Please use `--account-auth-config` instead.",
+        )
+        args.account_auth_config = cfg_path
+    if cfg_path := getattr(args, "account_auth_config", None):
+        authn_plugin, authz_plugin = _try_obtain_control_auth_plugins(
             Path(cfg_path), verify_tls_cert
         )
         # Enable event logging if the args.enable_event_log is True
@@ -229,7 +236,7 @@ def run_superlink() -> None:
         objectstore_factory=objectstore_factory,
         certificates=certificates,
         is_simulation=is_simulation,
-        auth_plugin=auth_plugin,
+        authn_plugin=authn_plugin,
         authz_plugin=authz_plugin,
         event_log_plugin=event_log_plugin,
         artifact_provider=artifact_provider,
@@ -444,7 +451,7 @@ def _try_load_public_keys_node_authentication(
 
 def _try_obtain_control_auth_plugins(
     config_path: Path, verify_tls_cert: bool
-) -> tuple[ControlAuthPlugin, ControlAuthzPlugin]:
+) -> tuple[ControlAuthnPlugin, ControlAuthzPlugin]:
     """Obtain Control API authentication and authorization plugins."""
     # Load YAML file
     with config_path.open("r", encoding="utf-8") as file:
@@ -459,7 +466,7 @@ def _try_obtain_control_auth_plugins(
             plugins: dict[str, type[P]] = loader()
             plugin_cls: type[P] = plugins[auth_plugin_name]
             return plugin_cls(
-                user_auth_config_path=config_path, verify_tls_cert=verify_tls_cert
+                account_auth_config_path=config_path, verify_tls_cert=verify_tls_cert
             )
         except KeyError:
             if auth_plugin_name:
@@ -471,11 +478,22 @@ def _try_obtain_control_auth_plugins(
         except NotImplementedError:
             sys.exit(f"No {section} plugins are currently supported.")
 
+    # Warn deprecated authn_type key
+    if "authn_type" in config["authentication"]:
+        log(
+            WARN,
+            "The `authn_type` key in the authentication configuration is deprecated. "
+            "Use `%s` instead.",
+            AUTHN_TYPE_YAML_KEY,
+        )
+        authn_type = config["authentication"].pop("authn_type")
+        config["authentication"][AUTHN_TYPE_YAML_KEY] = authn_type
+
     # Load authentication plugin
-    auth_plugin = _load_plugin(
+    authn_plugin = _load_plugin(
         section="authentication",
-        yaml_key=AUTH_TYPE_YAML_KEY,
-        loader=get_control_auth_plugins,
+        yaml_key=AUTHN_TYPE_YAML_KEY,
+        loader=get_control_authn_plugins,
     )
 
     # Load authorization plugin
@@ -485,7 +503,7 @@ def _try_obtain_control_auth_plugins(
         loader=get_control_authz_plugins,
     )
 
-    return auth_plugin, authz_plugin
+    return authn_plugin, authz_plugin
 
 
 def _try_obtain_control_event_log_writer_plugin() -> Optional[EventLogWriterPlugin]:

flwr/server/superlink/fleet/vce/backend/backend.py

@@ -18,7 +18,7 @@
 from abc import ABC, abstractmethod
 from typing import Callable
 
-from flwr.client.client_app import ClientApp
+from flwr.clientapp.client_app import ClientApp
 from flwr.common.context import Context
 from flwr.common.message import Message
 from flwr.common.typing import ConfigRecordValues

flwr/server/superlink/fleet/vce/backend/raybackend.py

@@ -21,7 +21,7 @@ from typing import Callable, Optional, Union
 
 import ray
 
-from flwr.client.client_app import ClientApp
+from flwr.clientapp.client_app import ClientApp
 from flwr.common.constant import PARTITION_ID_KEY
 from flwr.common.context import Context
 from flwr.common.logger import log

flwr/server/superlink/fleet/vce/vce_api.py

@@ -27,9 +27,9 @@ from typing import Callable, Optional
 from uuid import uuid4
 
 from flwr.app.error import Error
-from flwr.client.client_app import ClientApp, ClientAppException, LoadClientAppError
-from flwr.client.clientapp.utils import get_load_client_app_fn
 from flwr.client.run_info_store import DeprecatedRunInfoStore
+from flwr.clientapp.client_app import ClientApp, ClientAppException, LoadClientAppError
+from flwr.clientapp.utils import get_load_client_app_fn
 from flwr.common import Message
 from flwr.common.constant import (
     HEARTBEAT_MAX_INTERVAL,

flwr/simulation/ray_transport/ray_actor.py

@@ -24,7 +24,7 @@ import ray
 from ray import ObjectRef
 from ray.util.actor_pool import ActorPool
 
-from flwr.client.client_app import ClientApp, ClientAppException, LoadClientAppError
+from flwr.clientapp.client_app import ClientApp, ClientAppException, LoadClientAppError
 from flwr.common import Context, Message
 from flwr.common.logger import log
 

flwr/simulation/ray_transport/ray_client_proxy.py

@@ -21,8 +21,8 @@ from typing import Optional
 
 from flwr import common
 from flwr.client import ClientFnExt
-from flwr.client.client_app import ClientApp
 from flwr.client.run_info_store import DeprecatedRunInfoStore
+from flwr.clientapp.client_app import ClientApp
 from flwr.common import DEFAULT_TTL, Message, Metadata, RecordDict, now
 from flwr.common.constant import (
     NUM_PARTITIONS_KEY,

flwr/simulation/run_simulation.py

@@ -30,7 +30,7 @@ from typing import Any, Optional
 
 from flwr.cli.config_utils import load_and_validate
 from flwr.cli.utils import get_sha256_hash
-from flwr.client import ClientApp
+from flwr.clientapp import ClientApp
 from flwr.common import Context, EventType, RecordDict, event, log, now
 from flwr.common.config import get_fused_config_from_dir, parse_config_args
 from flwr.common.constant import RUN_ID_NUM_BYTES, Status

flwr/superlink/auth_plugin/__init__.py

@@ -15,9 +15,12 @@
 """Account auth plugin for ControlServicer."""
 
 
-from .auth_plugin import ControlAuthPlugin, ControlAuthzPlugin
+from .auth_plugin import ControlAuthnPlugin, ControlAuthzPlugin
+from .noop_auth_plugin import NoOpControlAuthnPlugin, NoOpControlAuthzPlugin
 
 __all__ = [
-    "ControlAuthPlugin",
+    "ControlAuthnPlugin",
     "ControlAuthzPlugin",
+    "NoOpControlAuthnPlugin",
+    "NoOpControlAuthzPlugin",
 ]

flwr/superlink/auth_plugin/auth_plugin.py

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # ==============================================================================
-"""Abstract classes for Flower User Auth Plugin."""
+"""Abstract classes for Flower account auth plugins."""
 
 
 from abc import ABC, abstractmethod
@@ -20,15 +20,19 @@ from collections.abc import Sequence
 from pathlib import Path
 from typing import Optional, Union
 
-from flwr.common.typing import AccountInfo, UserAuthCredentials, UserAuthLoginDetails
+from flwr.common.typing import (
+    AccountAuthCredentials,
+    AccountAuthLoginDetails,
+    AccountInfo,
+)
 
 
-class ControlAuthPlugin(ABC):
-    """Abstract Flower Auth Plugin class for ControlServicer.
+class ControlAuthnPlugin(ABC):
+    """Abstract Flower Authentication Plugin class for ControlServicer.
 
     Parameters
     ----------
-    user_auth_config_path : Path
+    account_auth_config_path : Path
         Path to the YAML file containing the authentication configuration.
     verify_tls_cert : bool
         Boolean indicating whether to verify the TLS certificate
@@ -38,13 +42,13 @@ class ControlAuthPlugin(ABC):
     @abstractmethod
     def __init__(
         self,
-        user_auth_config_path: Path,
+        account_auth_config_path: Path,
         verify_tls_cert: bool,
     ):
         """Abstract constructor."""
 
     @abstractmethod
-    def get_login_details(self) -> Optional[UserAuthLoginDetails]:
+    def get_login_details(self) -> Optional[AccountAuthLoginDetails]:
         """Get the login details."""
 
     @abstractmethod
@@ -54,7 +58,7 @@ class ControlAuthPlugin(ABC):
         """Validate authentication tokens in the provided metadata."""
 
     @abstractmethod
-    def get_auth_tokens(self, device_code: str) -> Optional[UserAuthCredentials]:
+    def get_auth_tokens(self, device_code: str) -> Optional[AccountAuthCredentials]:
         """Get authentication tokens."""
 
     @abstractmethod
@@ -71,7 +75,7 @@ class ControlAuthzPlugin(ABC):  # pylint: disable=too-few-public-methods
 
     Parameters
     ----------
-    user_auth_config_path : Path
+    account_auth_config_path : Path
         Path to the YAML file containing the authorization configuration.
     verify_tls_cert : bool
         Boolean indicating whether to verify the TLS certificate
@@ -79,9 +83,9 @@ class ControlAuthzPlugin(ABC):  # pylint: disable=too-few-public-methods
     """
 
     @abstractmethod
-    def __init__(self, user_auth_config_path: Path, verify_tls_cert: bool):
+    def __init__(self, account_auth_config_path: Path, verify_tls_cert: bool):
         """Abstract constructor."""
 
     @abstractmethod
-    def verify_user_authorization(self, account_info: AccountInfo) -> bool:
-        """Verify user authorization request."""
+    def authorize(self, account_info: AccountInfo) -> bool:
+        """Verify account authorization request."""

flwr/superlink/auth_plugin/noop_auth_plugin.py

@@ -0,0 +1,87 @@
+# Copyright 2025 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""Concrete NoOp implementation for Servicer-side account authentication and
+authorization plugins."""
+
+
+from collections.abc import Sequence
+from pathlib import Path
+from typing import Optional, Union
+
+from flwr.common.constant import NOOP_ACCOUNT_NAME, NOOP_FLWR_AID, AuthnType
+from flwr.common.typing import (
+    AccountAuthCredentials,
+    AccountAuthLoginDetails,
+    AccountInfo,
+)
+
+from .auth_plugin import ControlAuthnPlugin, ControlAuthzPlugin
+
+NOOP_ACCOUNT_INFO = AccountInfo(
+    flwr_aid=NOOP_FLWR_AID,
+    account_name=NOOP_ACCOUNT_NAME,
+)
+
+
+class NoOpControlAuthnPlugin(ControlAuthnPlugin):
+    """No-operation implementation of ControlAuthnPlugin."""
+
+    def __init__(
+        self,
+        account_auth_config_path: Path,
+        verify_tls_cert: bool,
+    ):
+        pass
+
+    def get_login_details(self) -> Optional[AccountAuthLoginDetails]:
+        """Get the login details."""
+        # This allows the `flwr login` command to load the NoOp plugin accordingly,
+        # which then raises a LoginError when attempting to login.
+        return AccountAuthLoginDetails(
+            authn_type=AuthnType.NOOP,  # No operation authn type
+            device_code="",
+            verification_uri_complete="",
+            expires_in=0,
+            interval=0,
+        )
+
+    def validate_tokens_in_metadata(
+        self, metadata: Sequence[tuple[str, Union[str, bytes]]]
+    ) -> tuple[bool, Optional[AccountInfo]]:
+        """Return valid for no-op plugin."""
+        return True, NOOP_ACCOUNT_INFO
+
+    def get_auth_tokens(self, device_code: str) -> Optional[AccountAuthCredentials]:
+        """Get authentication tokens."""
+        raise RuntimeError("NoOp plugin does not support getting auth tokens.")
+
+    def refresh_tokens(
+        self, metadata: Sequence[tuple[str, Union[str, bytes]]]
+    ) -> tuple[
+        Optional[Sequence[tuple[str, Union[str, bytes]]]], Optional[AccountInfo]
+    ]:
+        """Refresh authentication tokens in the provided metadata."""
+        return metadata, NOOP_ACCOUNT_INFO
+
+
+class NoOpControlAuthzPlugin(ControlAuthzPlugin):
+    """No-operation implementation of ControlAuthzPlugin."""
+
+    def __init__(self, account_auth_config_path: Path, verify_tls_cert: bool):
+        pass
+
+    def authorize(self, account_info: AccountInfo) -> bool:
+        """Return True for no-op plugin."""
+        return True

flwr/superlink/servicer/control/{control_user_auth_interceptor.py → control_account_auth_interceptor.py}

@@ -31,7 +31,7 @@ from flwr.proto.control_pb2 import (  # pylint: disable=E0611
     StreamLogsRequest,
     StreamLogsResponse,
 )
-from flwr.superlink.auth_plugin import ControlAuthPlugin, ControlAuthzPlugin
+from flwr.superlink.auth_plugin import ControlAuthnPlugin, ControlAuthzPlugin
 
 Request = Union[
     StartRunRequest,
@@ -50,15 +50,15 @@ shared_account_info: contextvars.ContextVar[AccountInfo] = contextvars.ContextVa
 )
 
 
-class ControlUserAuthInterceptor(grpc.ServerInterceptor):  # type: ignore
-    """Control API interceptor for user authentication."""
+class ControlAccountAuthInterceptor(grpc.ServerInterceptor):  # type: ignore
+    """Control API interceptor for account authentication."""
 
     def __init__(
         self,
-        auth_plugin: ControlAuthPlugin,
+        authn_plugin: ControlAuthnPlugin,
         authz_plugin: ControlAuthzPlugin,
     ):
-        self.auth_plugin = auth_plugin
+        self.authn_plugin = authn_plugin
         self.authz_plugin = authz_plugin
 
     def intercept_service(
@@ -96,45 +96,45 @@ class ControlUserAuthInterceptor(grpc.ServerInterceptor):  # type: ignore
             if isinstance(request, (GetLoginDetailsRequest, GetAuthTokensRequest)):
                 return call(request, context)  # type: ignore
 
-            # For other requests, check if the user is authenticated
-            valid_tokens, account_info = self.auth_plugin.validate_tokens_in_metadata(
+            # For other requests, check if the account is authenticated
+            valid_tokens, account_info = self.authn_plugin.validate_tokens_in_metadata(
                 metadata
             )
             if valid_tokens:
                 if account_info is None:
                     context.abort(
                         grpc.StatusCode.UNAUTHENTICATED,
-                        "Tokens validated, but user info not found",
+                        "Tokens validated, but account info not found",
                     )
                     raise grpc.RpcError()
-                # Store user info in contextvars for authenticated users
+                # Store account info in contextvars for authenticated accounts
                 shared_account_info.set(account_info)
-                # Check if the user is authorized
-                if not self.authz_plugin.verify_user_authorization(account_info):
+                # Check if the account is authorized
+                if not self.authz_plugin.authorize(account_info):
                     context.abort(
                         grpc.StatusCode.PERMISSION_DENIED,
-                        "❗️ User not authorized. "
+                        "❗️ Account not authorized. "
                         "Please contact the SuperLink administrator.",
                     )
                     raise grpc.RpcError()
                 return call(request, context)  # type: ignore
 
-            # If the user is not authenticated, refresh tokens
-            tokens, account_info = self.auth_plugin.refresh_tokens(metadata)
+            # If the account is not authenticated, refresh tokens
+            tokens, account_info = self.authn_plugin.refresh_tokens(metadata)
             if tokens is not None:
                 if account_info is None:
                     context.abort(
                         grpc.StatusCode.UNAUTHENTICATED,
-                        "Tokens refreshed, but user info not found",
+                        "Tokens refreshed, but account info not found",
                     )
                     raise grpc.RpcError()
-                # Store user info in contextvars for authenticated users
+                # Store account info in contextvars for authenticated accounts
                 shared_account_info.set(account_info)
-                # Check if the user is authorized
-                if not self.authz_plugin.verify_user_authorization(account_info):
+                # Check if the account is authorized
+                if not self.authz_plugin.authorize(account_info):
                     context.abort(
                         grpc.StatusCode.PERMISSION_DENIED,
-                        "❗️ User not authorized. "
+                        "❗️ Account not authorized. "
                         "Please contact the SuperLink administrator.",
                     )
                     raise grpc.RpcError()

flwr/superlink/servicer/control/control_event_log_interceptor.py

@@ -24,7 +24,7 @@ from google.protobuf.message import Message as GrpcMessage
 from flwr.common.event_log_plugin.event_log_plugin import EventLogWriterPlugin
 from flwr.common.typing import LogEntry
 
-from .control_user_auth_interceptor import shared_account_info
+from .control_account_auth_interceptor import shared_account_info
 
 
 class ControlEventLogInterceptor(grpc.ServerInterceptor):  # type: ignore

flwr/superlink/servicer/control/control_grpc.py

@@ -31,12 +31,12 @@ from flwr.supercore.ffs import FfsFactory
 from flwr.supercore.license_plugin import LicensePlugin
 from flwr.supercore.object_store import ObjectStoreFactory
 from flwr.superlink.artifact_provider import ArtifactProvider
-from flwr.superlink.auth_plugin import ControlAuthPlugin, ControlAuthzPlugin
+from flwr.superlink.auth_plugin import ControlAuthnPlugin, ControlAuthzPlugin
 
+from .control_account_auth_interceptor import ControlAccountAuthInterceptor
 from .control_event_log_interceptor import ControlEventLogInterceptor
 from .control_license_interceptor import ControlLicenseInterceptor
 from .control_servicer import ControlServicer
-from .control_user_auth_interceptor import ControlUserAuthInterceptor
 
 try:
     from flwr.ee import get_license_plugin
@@ -54,7 +54,7 @@ def run_control_api_grpc(
     objectstore_factory: ObjectStoreFactory,
     certificates: Optional[tuple[bytes, bytes, bytes]],
     is_simulation: bool,
-    auth_plugin: Optional[ControlAuthPlugin] = None,
+    authn_plugin: Optional[ControlAuthnPlugin] = None,
     authz_plugin: Optional[ControlAuthzPlugin] = None,
     event_log_plugin: Optional[EventLogWriterPlugin] = None,
     artifact_provider: Optional[ArtifactProvider] = None,
@@ -69,15 +69,15 @@ def run_control_api_grpc(
         ffs_factory=ffs_factory,
         objectstore_factory=objectstore_factory,
         is_simulation=is_simulation,
-        auth_plugin=auth_plugin,
+        authn_plugin=authn_plugin,
         artifact_provider=artifact_provider,
     )
     interceptors: list[grpc.ServerInterceptor] = []
     if license_plugin is not None:
         interceptors.append(ControlLicenseInterceptor(license_plugin))
-    if auth_plugin is not None and authz_plugin is not None:
-        interceptors.append(ControlUserAuthInterceptor(auth_plugin, authz_plugin))
-    # Event log interceptor must be added after user auth interceptor
+    if authn_plugin is not None and authz_plugin is not None:
+        interceptors.append(ControlAccountAuthInterceptor(authn_plugin, authz_plugin))
+    # Event log interceptor must be added after account auth interceptor
     if event_log_plugin is not None:
         interceptors.append(ControlEventLogInterceptor(event_log_plugin))
         log(INFO, "Flower event logging enabled")
@@ -90,12 +90,12 @@ def run_control_api_grpc(
         interceptors=interceptors or None,
     )
 
-    if auth_plugin is None:
+    if authn_plugin is None:
         log(INFO, "Flower Deployment Runtime: Starting Control API on %s", address)
     else:
         log(
             INFO,
-            "Flower Deployment Runtime: Starting Control API with user "
+            "Flower Deployment Runtime: Starting Control API with account "
             "authentication on %s",
             address,
         )