Flyte enables production-grade orchestration for machine learning workflows and data processing created to accelerate local workflows to production.

Flyte

_TLDR; Trying to configure flytectl CLI with SSO whatever?_

Hello everyone!
I deployed Flyte on our GKE cluster using Helm.
I followed the documentation about Authenticating and the *console* works perfectly with our IdP (*Okta*) using OIDC and OAuth2.
Next step is working with the CLI, but the configuration for *flytectl* is very confusing and I keep getting this error:
`Error: rpc error: code = PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); malformed header: missing HTTP content-type`

Flyte’s `config.yaml`:
```admin:
  endpoint: dns:///flyte.mydomain
  authType: Pkce
  insecure: false```
What am I missing?

Thanks in advanced :slightly_smiling_face:
Ariel

They can simply use pkce auth, it will automatically prompt

Also if you are using Okta you can use device flow

Thank you <@UNZB4NW3S>
So using pkce auth, should I change something in Okta application configuration? This is how it is set right now

You always have pkce, for device flow there are some options

ok so I guess my config.yaml should look like that:
```admin:
  endpoint: dns:///flyte.mydomain
  authType: Pkce
  insecure: false```
Correct?
What’s the next steps?
Since I keep getting this error:
`PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); malformed header: missing HTTP content-type`

<@UNZB4NW3S> I added also my auth config if that’s helpful…

I followed the documentation for Flyte Authentication, so we have in Okta 3 applications: Flyte (Flyteadmin), Flytectl and Flytepropeller.
The auth config (from `flyte-admin-base-config` configmap):
```  server.yaml: |
    auth:
      appAuth:
        authServerType: External
        externalAuthServer:
          allowedAudience: <https://flyte.my.domain>
          baseUrl: <https://xxx.okta.com/oauth2/xxx>
          metadataUrl: .well-known/oauth-authorization-server
        thirdPartyConfig:
          flyteClient:
            clientId: xxx
            redirectUri: <http://localhost:53593/callback>
            scopes:
            - offline
            - all
      authorizedUris:
      - <https://flyte.my.domain>
      - <http://flyteadmin:80>
      - <http://flyteadmin.flyte.svc.cluster.local:80>
      userAuth:
        openId:
          baseUrl: <https://xxx.okta.com/oauth2/xxx>
          clientId: xxx
          scopes:
          - profile
          - openid
          - offline_access```
By the way, I added these following specs `allowedAudience` and `metadataUrl` to my auth configuration although it wasn’t specified in Flyte documentation. Otherwise I got JWT authentication errors in the admin and the scheduler was failing (crashloopback status)…

discussion moved to <https://flyte-org.slack.com/archives/C05A0JA1CCD|#flyte-on-gcp >