Hi, community i would like to give certain user groups access to a subset of the flyteadmin resources via HTTP/grpc using oauth2. I configured Keycloak but don't know which scopes or claims i have to assign. As I understand it, the scope "all" gives access to everything. Can someone give me a hint?

Hi @nice-article-27102 and welcome to the Flyte community. I think what you mean here is more in the field of Role Based Access Control (RBAC) and the associated roles and privileges a user/group could enact after a successful authentication flow. If that's the case, that's not currently offered in OSS Flyte but on the managed service. The `scopes`that can be configured in an IdP (Keycloak in this case) are Open ID scopes and they refer to what portions of the user's data can be accessed by the client application. So, for example, the

email

scope would give the client app access to the users' email address.

Hi @average-finland-92144, many thanks for the answer! yes exactly I meant RBAC for the Flyte APIs. In Keycloak there exits the "Authorization Services" (https://www.keycloak.org/docs/latest/authorization_services/index.html) . Is it somehow feasible to connect this with Ory Fosite (https://github.com/ory/fosite) which is used inside Flyte?

The internal auth server in Flyte is a wrapper for fosite yes. The current "integration" I see is only when, say, Keycloak provides identity only (OIDC) and Flyte's internal server performs the complete auth flows. Integration at a different level would be an interesting contribution I think 🙂