Hello, I am trying to configure auth across azure ...
# ask-the-community
l
Hello, I am trying to configure auth across azure AD, I added the following as configuration:
Copy code
auth:
    enabled: true
    oidc:
      baseUrl: "<https://login.microsoftonline.com/TENANT_ID/v2.0>"
      clientId: CLIENT_ID
      clientSecret: CLIENT_SECRET
      scopes:
        - openid
        - email
        - profile
    internal:
      clientSecret: CLIENT_SECRET
      clientSecretHash: CLIENT_SECRET_HASHED
    flyteClient:
      clientId: CLIENT_ID
      redirectUri: "<http://localhost:53593/callback>"
      scopes:
        - all
    authorizedUris:
    - <https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0>
    - <https://my.domain.com>
When trying to login I can walk through azure login step, but then receive a 403 from my.domain.com/callback?code=XXXX After an increase of the log level, I can see the following :
Copy code
{"json":{"src":"handlers.go:238"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"token.go:83"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"handlers.go:248"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"token.go:103"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"cookie.go:79"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"handlers.go:65"},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"handlers.go:121"},"level":"debug","msg":"Setting CSRF state cookie to tb9f2xhb2y and state to 2419390fb3ddca455183ba94811c3c6a3a9d988b99536691fde913716e22cd65\n","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"composite_workqueue.go:88"},"level":"debug","msg":"Subqueue handler batch round","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"composite_workqueue.go:98"},"level":"debug","msg":"Dynamically configured batch size [-1]","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"composite_workqueue.go:129"},"level":"debug","msg":"Exiting SubQueue handler batch round","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"handlers.go:141"},"level":"debug","msg":"Running callback handler... for RequestURI /callback?code=XXXXXX
I am behind an azure/application-gateway as ingress, and as far as I know appgw does not support gRPC, can it be the issue? Or should I look somewhere else?
d
so you're using Azure AD only for OIDC? Also yes, I've seen similar errors in the past in other environments where the Ingress controller didn't support gRPC
s
l
Thanks, @David Espejo (he/him) did you manage to fix your issue or did you change ingress controller?
Thanks @Samhita Alla gonna look at it 👍
@Samhita Alla This threads did not helped me so much, my oidc_client_secret seems the right one. After deeper investigation I found the following logs under pod logs:
Copy code
{"json":{"src":"cookie_manager.go:146"},"level":"error","msg":"Error generating encrypted accesstoken cookie [SECURE_COOKIE_ERROR] Error creating secure cookie, caused by: securecookie: the value is too long","ts":"2023-06-28T10:46:10Z"}
{"json":{"src":"handlers.go:162"},"level":"error","msg":"Error setting encrypted JWT cookie [SECURE_COOKIE_ERROR] Error creating secure cookie, caused by: securecookie: the value is too long","ts":"2023-06-28T10:46:10Z"}
Any idea why?
s
@laborde joris, looks like an issue has been created already: https://github.com/flyteorg/flyte/issues/3750. Could you please upvote it? @David Espejo (he/him), is it possible for you to discuss this issue in the contributors meeting? Looks like many of our users are encountering it.
d
@laborde joris in that case, they changed the ingress from nginx to ALB So, from your config, I understand you're using Azure AD only for OIDC (and using the internal auth server) with the
flyte-core
chart Is that the case?
l
@David Espejo (he/him) In fact I am also using azure/application-gateway as ingress, and I am not sure that I am allowed to change that 😢 I am using the flyte-binary chart
d
ok, I'lm trying to repro and will let you know
a
Hi @David Espejo (he/him) do you think this problem will be fixed within a few weeks?
206 Views