# flytekit

Stephen

03/15/2023, 2:13 PM
Hey, do you have an idea of what has changed in the way we use OAuth2 with Flytekit? I saw that it was reworked recently and it seems like now it’s taking the `scopes` defined in FlyteAdmin correctly. I am asking because when I use Flytekit `v1.3.1`, I only get the scope `['all']` for the `PlatformConfig`
```
PlatformConfig(endpoint='flyteurl.com', insecure=False, insecure_skip_verify=False, console_endpoint=None, command=None, client_id='github-client', client_credentials_secret='nice_secret', scopes=['all'], auth_mode='ClientSecret')
```
And when I use Flytekit `v1.4.1` then I get different scopes
```
/.venv/lib/python3.9/site-packages/flytekit/clients/auth/authenticator.py(193)get_token()
-> if scopes is not None:
(Pdb) scopes
['offline', 'all']
```
Flytekit `v1.4.1` correctly reflects the scopes we have but I was wondering how come `v1.3.1` has different scopes?

Ketan (kumare3)

03/15/2023, 2:20 PM
Ohh I did a complete overhaul of the auth system in flytekit
Check it out, it is actually now designed as a usable library

Stephen

03/15/2023, 2:20 PM
So I guess it’s why it’s actually reflecting the correct scopes now and before it was some kind of bug I guess?

Ketan (kumare3)

03/15/2023, 2:35 PM
I think so

Franco Bocci

03/17/2023, 11:47 AM
Hey @Ketan (kumare3), how are you doing? 🙂 This is the remote client config being used which is called here (and maybe in some other places). When this function is called, it receives 2 configs. The one we define (the PlatformConfig), and that RemoteStoreConfig I just linked. `scopes` passed from the PlatformConfig are 100% ignored, and the ones defined in that `RemoteClientConfigStore.get_client_config` are used, which are `[offline, all]`. Shouldn’t there be something like a merge if those values are defined by us? I was about to open an issue for this but wanted to double check before doing so

Ketan (kumare3)

03/17/2023, 1:23 PM
@Franco Bocci is this causing a bug? I am not sure a merge is a solution too
Cc @Haytham Abuelfutuh can you help here

Franco Bocci

03/17/2023, 2:02 PM
Hey! Yes, we have a function:
```
from flytekit.configuration import Config
from flytekit.remote import FlyteRemote


def get_latest_workflow_version(project, domain, workflow):
    # `path` (the location of the config file) is not defined in this snippet
    cfg = Config.auto(config_file=path)
    remote = FlyteRemote(cfg)
    wf_version = remote.fetch_workflow(project, domain, workflow).id.version
    return wf_version
```
with a config like:
```
admin:
  endpoint: dns:///console.flyte.dev.foo.bar.com
  insecure: false
  authType: ClientSecret
  clientId: github-client
  clientSecretLocation: /etc/secrets/client_secret
  scopes: ["all"]
```
and that “scopes” is ignored, `['offline', 'all']` are used, and causes an error authenticating
The error only takes place after upgrading `flytekit`. With the `1.3` version it works okay

Ketan (kumare3)

03/17/2023, 2:06 PM
I guess then please contribute
Sorry for the confusion
I thought no one was using locally defined scopes

Franco Bocci

03/17/2023, 2:11 PM

Haytham Abuelfutuh

03/17/2023, 3:08 PM
I agree this is a bug... the reference implementation is here: https://github.com/flyteorg/flyteidl/blob/e1a667ef2536bbfc61331490b5417404f45ddc0b/clients/go/admin/token_source_provider.go#L67 And it should indeed use the locally defined scopes (if they exist) otherwise, it should read from the admin defined ones...

Franco Bocci

03/17/2023, 3:40 PM
Just to kickoff this. Maybe something in this direction could help? https://github.com/flyteorg/flytekit/pull/1553