Hello, I am trying to configure auth across azure ...
# ask-the-community
l
Hello, I am trying to configure auth across azure AD, I added the following as configuration:
```yaml
auth:
  enabled: true
  oidc:
    baseUrl: "https://login.microsoftonline.com/TENANT_ID/v2.0"
    clientId: CLIENT_ID
    clientSecret: CLIENT_SECRET
    scopes:
      - openid
      - email
      - profile
  internal:
    clientSecret: CLIENT_SECRET
    clientSecretHash: CLIENT_SECRET_HASHED
  flyteClient:
    clientId: CLIENT_ID
    redirectUri: "http://localhost:53593/callback"
    scopes:
      - all
  authorizedUris:
    - https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0
    - https://my.domain.com
```
When trying to log in, I can walk through the Azure login step, but then receive a 403 from my.domain.com/callback?code=XXXX. After increasing the log level, I can see the following:
```
{"json":{"src":"handlers.go:238"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"token.go:83"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"handlers.go:248"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"token.go:103"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"cookie.go:79"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"handlers.go:65"},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"handlers.go:121"},"level":"debug","msg":"Setting CSRF state cookie to tb9f2xhb2y and state to 2419390fb3ddca455183ba94811c3c6a3a9d988b99536691fde913716e22cd65\n","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"composite_workqueue.go:88"},"level":"debug","msg":"Subqueue handler batch round","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"composite_workqueue.go:98"},"level":"debug","msg":"Dynamically configured batch size [-1]","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"composite_workqueue.go:129"},"level":"debug","msg":"Exiting SubQueue handler batch round","ts":"2023-06-27T14:31:08Z"}
{"json":{"src":"handlers.go:141"},"level":"debug","msg":"Running callback handler... for RequestURI /callback?code=XXXXXX
```
I am behind an azure/application-gateway as ingress, and as far as I know appgw does not support gRPC. Could that be the issue, or should I look somewhere else?
d
So you're using Azure AD only for OIDC? Also, yes, I've seen similar errors in the past in other environments where the ingress controller didn't support gRPC.
s
l
Thanks, @David Espejo (he/him). Did you manage to fix your issue, or did you change the ingress controller?
Thanks @Samhita Alla, gonna look at it 👍
@Samhita Alla This thread did not help me much; my oidc_client_secret seems to be the right one. After deeper investigation I found the following in the pod logs:
```
{"json":{"src":"cookie_manager.go:146"},"level":"error","msg":"Error generating encrypted accesstoken cookie [SECURE_COOKIE_ERROR] Error creating secure cookie, caused by: securecookie: the value is too long","ts":"2023-06-28T10:46:10Z"}
{"json":{"src":"handlers.go:162"},"level":"error","msg":"Error setting encrypted JWT cookie [SECURE_COOKIE_ERROR] Error creating secure cookie, caused by: securecookie: the value is too long","ts":"2023-06-28T10:46:10Z"}
```
Any idea why?
s
@laborde joris, looks like an issue has been created already: https://github.com/flyteorg/flyte/issues/3750. Could you please upvote it? @David Espejo (he/him), is it possible for you to discuss this issue in the contributors meeting? Looks like many of our users are encountering it.
d
@laborde joris in that case, they changed the ingress from nginx to ALB. So, from your config, I understand you're using Azure AD only for OIDC (and using the internal auth server) with the flyte-core chart. Is that the case?
l
@David Espejo (he/him) In fact I am also using azure/application-gateway as ingress, and I am not sure that I am allowed to change that 😢 I am using the flyte-binary chart.
d
ok, I'm trying to repro and will let you know
a
Hi @David Espejo (he/him), do you think this problem will be fixed within a few weeks?