Hi all, We've started to "upgrade" from flyte-sandbox to flyte-binary and actually I'm facing some challenges. Does someone have a running setup with flyte-binary and SSO with AzureAD/OIDC for FlyteConsole and Flytectl? It seems that FlyteConsole doesn't send a token request and so it doesn't get a JWT token and authorization fails. Here's my values.yaml file:

configuration:
  database:
    host: postgresql.mlops.svc.cluster.local
    dbname: flyteadmindb
    username: flyteuser
    password: "..."
    options: sslmode=disable
  storage:
    type: minio
    metadataContainer: "flyte-container"
    userDataContainer: "flyte-container"
    provider: s3
    providerConfig:
      # s3 Provider configuration for S3 object store
      s3:
        # disableSSL Switch to disable SSL for communicating with S3-compatible service
        disableSSL: true
        # v2Signing Flag to sign requests with v2 signature
        # Useful for s3-compatible blob stores (e.g. minio)
        v2Signing: false
        # endpoint URL of S3-compatible service
        endpoint: <http://mls3api.corp.intern:9000/>
        # authType Type of authentication to use for connecting to S3-compatible service (Supported values: iam, accesskey)
        authType: accesskey
        # accessKey Access key for authenticating with S3-compatible service
        accessKey: "..."
        # secretKey Secret key for authenticating with S3-compatible service
        secretKey: "..."
  logging:
    level: 5
  auth:
    enabled: true
    oidc:
      baseUrl: "<https://login.microsoftonline.com/tenant_id/v2.0>"
      clientId: "..."
      clientSecret: "..."
      scopes:
        - openid
        - email
        - profile
    internal:
      clientSecret: "..."
      clientSecretHash: ".."
    flyteClient:
    # clientId Client ID for Flyte client authentication
      clientId: "..."
      # redirectUri Redirect URI for Flyte client authentication
      redirectUri: "<http://localhost:53593/callback>"
      # scopes Scopes for Flyte client authentication
      scopes:
        - all
    authorizedUris:
    - <https://login.microsoftonline.com/tenant_id/oauth2/v2.0>
    - <https://mlflyte.corp.intern>

  inline:
    plugins:
      k8s:
        inject-finalizer: true
        default-env-vars:
          - AWS_METADATA_SERVICE_TIMEOUT: 5
          - AWS_METADATA_SERVICE_NUM_ATTEMPTS: 20
    storage:
      cache:
        max_size_mbs: 100
        target_gc_percent: 100

serviceAccount:
  create: true
  annotations: {}

ingress:
  create: true
  commonAnnotations:
    <http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>: nginx
  httpAnnotations:
    <http://nginx.ingress.kubernetes.io/app-root|nginx.ingress.kubernetes.io/app-root>: /console
  grpcAnnotations:
    <http://nginx.ingress.kubernetes.io/backend-protocol|nginx.ingress.kubernetes.io/backend-protocol>: GRPC

deployment:
  extraEnvVars:
    - name: HTTP_PROXY
      value: "..."
    - name: HTTPS_PROXY
      value:  "..."
    - name: NO_PROXY
      value: "..."
    - name: no_proxy
      value: "..."

I got it to work for the multi cluster deployment and my values.yaml looks a little different. Still i think your value for

authorizedUris

should be the domain record where you are running flyte f.e. https://flyte.somedomain.com

Thank you, Jan. If I remove https://login.microsoftonline.com/<tenant id>/v2.0/ from the authorized_uris I see the following entry in the logs of flyte-backend-flyte-binary:

per-RPC creds failed due to error: failed to get token: Post \"<https://mlflyte.accounts.intern/oauth2/token>\": x509: certificate signed by unknown authority]. If it's an unauthenticated error, we will attempt to establish an authenticated context."

I'd prefer to use AzureAD as an external authorization service like it's described here. But I don't understand how to apply this configuration in flyte-binary.

Did you just remove it or replace it?

I've removed the Azure URL, so the remaining entry in authorizedUris is

<https://mlflyte.corp.intern/>

. The redirect URLs are

<https://mlflyte.corp.intern/callback>

and

<http://localhost:53593/callback>

Not sure if i can still follow. i guess <https:mlflyte.corp.intern|mlflyte.corp.intern> is not a DNS record of yours? The Azure App Registration only needs https://<your_domain_record>/callback as a redirect URL

In AzureApp you can enter multiple redirects. Azure checks if the redirect parameter in the authorize request matches any of these whitelisted redirect entries. Indeed, mlflyte.corp.intern ist the URL of our internal DNS which is separated from our external DNS. The localhost entry is needed for flytectl (https://docs.flyte.org/en/latest/deployment/configuration/auth_setup.html).