Flyte enables production-grade orchestration for machine learning workflows and data processing created to accelerate local workflows to production.

Flyte

Hey,

Do you have an idea of what has changed in the way we use Oauth2 with Flytekit? I saw that it was reworked recently and it seems like now it’s taking the `scopes` defined in FlyteAdmin correctly. I am asking because when I use Flytekit `v1.3.1` , I only get the scope `['all']` for the `PlatformConfig`
```PlatformConfig(endpoint='<http://flyteurl.com|flyteurl.com>', insecure=False, insecure_skip_verify=False, console_endpoint=None, command=None, client_id='github-client', client_credentials_secret='nice_secret', scopes=['all'], auth_mode='ClientSecret')```
And when I use Flytekit `v1.4.1` then I get different scopes
```/.venv/lib/python3.9/site-packages/flytekit/clients/auth/authenticator.py(193)get_token()
-&gt; if scopes is not None:
(Pdb) scopes
['offline', 'all']```
Flytekit `v1.4.1` correctly reflects the scopes we have but I was wondering how come `v1.3.1` has different scopes?

Ohh I did a complete overhaul of the auth system in flytekit

Check it out, it is actually now designed as a usable library 

So I guess it’s why it’s actually reflecting the correct scopes now and before it was some kind of bug I guess?

Hey <@UNZB4NW3S>, how are you doing? :slightly_smiling_face:

<https://github.com/flyteorg/flytekit/pull/1458/files#diff-68068a13c159b1b1618b3fb6587cbec5fe18f4637414359b8f7580e03e19b536R22|This> is the remote client config being used which is called <https://github.com/flyteorg/flytekit/pull/1458/files#diff-68068a13c159b1b1618b3fb6587cbec5fe18f4637414359b8f7580e03e19b536R95|here> (and maybe in some other places)
When <https://github.com/flyteorg/flytekit/pull/1458/files#diff-68068a13c159b1b1618b3fb6587cbec5fe18f4637414359b8f7580e03e19b536R47|this> function is called, it receives 2 configs. The one we define (the PlatformConfig), and that RemoteStoreConfig I just linked. `scopes` passed from the PlatformConfig are 100% ignored, and the ones defined in that `RemoteClientConfigStore.get_client_config` are used, which are `[offline, all]` . Shouldn’t there be something like a merge if those values are defined by us?

I was about to open an issue for this but wanted to double check before doing so

<@U04P5R3PJ2J> is this causing a bug. I am not sure a merge is a solution too

Hey! Yes, we have a function:
```from flytekit.configuration import Config
from flytekit.remote import FlyteRemote


def get_latest_workflow_version(project, domain, workflow):
    cfg = Config.auto(config_file=path)
    remote = FlyteRemote(cfg)
    wf_version = remote.fetch_workflow(project, domain, workflow).id.version
    return wf_version```
with a config like:
```admin:
  endpoint: dns:///console.flyte.dev.foo.bar.com
  insecure: false
  authType: ClientSecret
  clientId: github-client
  clientSecretLocation: /etc/secrets/client_secret
  scopes: ["all"]```
and that “scopes” is ignored, `['offline', 'all']` are used, and causes an error authenticating

The error only takes place after upgrading `flytekit` . With the `1.3` version it works okay

I thought no one was using locally defined scopes

<https://github.com/flyteorg/flyte/issues/3486>

I agree this is a bug... the reference implementation is here: <https://github.com/flyteorg/flyteidl/blob/e1a667ef2536bbfc61331490b5417404f45ddc0b/clients/go/admin/token_source_provider.go#L67>

And it should indeed use the locally defined scopes (if they exist) otherwise, it should read from the admin defined ones...

Just to kickoff this. Maybe something in this direction could help?
<https://github.com/flyteorg/flytekit/pull/1553>