Hi all, does oauth2 let me limit what projects users can read/execute? Is it possible to give users less than admin access? The docs here https://docs.flyte.org/en/latest/deployment/configuration/auth_setup.html#oauth2-authorization-server seem to insinuate that I can use an external auth server to specify scopes to particular users, but I can't seem to find a list of scopes anywhere in the docs. I'm new to auth flows, so apologies if I'm misguided "looking for oauth scopes in the docs." Any hint in the right direction would be appreciated.
06/04/2023, 2:31 PM
No, oauth2 scopes are sometimes incorrectly used for this.
The authorization server should NOT be needed unless your IdP does not support client IDs - like Google login
06/04/2023, 7:00 PM
Got it, thanks for clarifying how not to use scopes. Honestly I'm still a bit bleary-eyed thinking about auth flows, though I do feel like I'm finally understanding the difference between authentication and authorization, etc. (diagrams like https://docs.flyte.org/en/latest/deployment/configuration/auth_appendix.html#id2 are immensely helpful). Setting up a PoC in our ecosystem (AWS, Okta) will likely help elucidate some of my areas of uncertainty - the authorization request itself, IdP setup, and Flyte user scope. At least I'll be able to ask more informed questions... I appreciate you responding so promptly on the weekend!
06/04/2023, 10:02 PM
If you are using Okta you don’t need the Flyte provided authorization server
Okta should handle everything including device flow