# flyte-github
#2606 [Docs] Additional Keycloak configuration settings

Issue created by nealf

Description

The Authentication page includes some info on getting Flyte configured to use Keycloak, but it is missing some key pieces in the OAuth2 Authorization Server section. It should include a few notes on the configuration of Keycloak:

• Client scopes for `offline` and `all` need to be created as they do not exist in Keycloak by default. The offline one should likely include the `offline_access` role in the scope mapper
• The audience (`aud`) needs to be added to the access token - one way to do this is creating a new client mapper

Additionally, the example Helm config yaml should include the `allowedAudience:` setting, for example, modifying what is there now:
```yaml
auth:
    appAuth:
        # 1. Choose External if you will use an external Authorization Server (e.g. a Custom Authorization server in Okta)
        #    Choose Self (or omit the value) to use FlyteAdmin's internal (albeit limited) Authorization Server.
        authServerType: External

        # 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
        externalAuthServer:
            baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6
            #baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for keycloak
            #metadataUrl: .well-known/openid-configuration # Uncomment for keycloak
            #allowedAudience: Flytectl # Uncomment for keycloak, should match the audience keycloak returns in the access token. If not provided, the audience is expected to be the public Uri of the service

    thirdPartyConfig:
        flyteClient:
            # 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server.
            clientId: flytectl

            # This should not change
            redirectUri: http://localhost:53593/callback

            # 4. "all" is a required scope and must be configured in the custom authorization server.
            scopes:
            - offline
            - all
    userAuth:
        openId:
            baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 # Okta with a custom Authorization Server
            scopes:
            - profile
            - openid
            # - offline_access # Uncomment if OIdC supports issuing refresh tokens.
            clientId: 0oakkheteNjCMERst5d6
```
I think those were the pieces I was missing when trying to get everything working. Thanks!

Are you sure this issue hasn't been raised already? ☑︎ Yes
Have you read the Code of Conduct? ☑︎ Yes

flyteorg/flyte
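The two Keycloak gaps the issue points at (no `aud` in the access token unless a client mapper adds one; `offline` and `all` absent unless created as client scopes) both surface as tokens that flyteadmin silently rejects. The following preflight check is an added example written for this page, not code from the issue, from Flyte or from Keycloak: it takes the decoded claims of an access token plus the `auth` section of the Helm values and reports which of those expectations the token misses. Hostnames, realm and the sample token payloads are constructed placeholders; the token shape follows the JWT rules that `aud` may be a string or a list and, as Keycloak does, that `scope` is a space-separated string. The signature is deliberately not verified here, so this is a diagnostic aid only.

```python
"""Preflight check for the Keycloak settings described in the issue.
Added example, not Flyte/Keycloak code. Signature is NOT verified."""
import base64
import json

SERVICE_PUBLIC_URI = "https://flyte.example.invalid"  # placeholder

# Helm values from the issue with the Keycloak lines uncommented (placeholder hosts).
HELM_AUTH_VALUES = {
    "appAuth": {
        "authServerType": "External",
        "externalAuthServer": {
            "baseUrl": "https://keycloak.example.invalid/auth/realms/flyte",
            "metadataUrl": ".well-known/openid-configuration",
            "allowedAudience": "flytectl",  # must equal what the Keycloak audience mapper emits
        },
    },
    "thirdPartyConfig": {
        "flyteClient": {
            "clientId": "flytectl",
            "redirectUri": "http://localhost:53593/callback",
            "scopes": ["offline", "all"],
        }
    },
}

# Constructed payloads. "account" is the audience Keycloak adds on its own;
# a client without an audience mapper or custom scopes gets only that.
GOOD_CLAIMS = {
    "iss": "https://keycloak.example.invalid/auth/realms/flyte",
    "sub": "user-1234",
    "azp": "flytectl",
    "aud": ["flytectl", "account"],
    "scope": "openid offline all",
}
DEFAULT_KEYCLOAK_CLAIMS = {
    "iss": "https://keycloak.example.invalid/auth/realms/flyte",
    "sub": "user-1234",
    "azp": "flytectl",
    "aud": "account",
    "scope": "openid profile",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def constructed_token(claims: dict) -> str:
    """Build a compact-JWT-shaped string for the demo; the signature part is filler."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'unsigned-demo')}"


def decode_jwt_claims(token: str) -> dict:
    """Payload of a compact JWT, for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def expected_audience(values: dict, service_public_uri: str) -> str:
    """allowedAudience when set, otherwise the service's public URI, as the issue's comment states."""
    ext = values.get("appAuth", {}).get("externalAuthServer", {})
    return ext.get("allowedAudience") or service_public_uri


def required_scopes(values: dict) -> set:
    return set(values.get("thirdPartyConfig", {}).get("flyteClient", {}).get("scopes", []))


def check_access_token(claims: dict, values: dict, service_public_uri: str) -> list:
    """Return the list of mismatches; an empty list means the token fits the config."""
    problems = []
    want = expected_audience(values, service_public_uri)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else ([] if aud is None else [aud])
    if want not in auds:
        problems.append(f"aud {auds} does not contain {want!r}: add an audience mapper "
                        f"to the Keycloak client or set allowedAudience to what Keycloak returns")
    missing = sorted(required_scopes(values) - set(claims.get("scope", "").split()))
    if missing:
        problems.append(f"scopes {missing} not granted: create them as client scopes "
                        f"in Keycloak and assign them to the client")
    return problems


if __name__ == "__main__":
    for label, claims in (("mapped client", GOOD_CLAIMS), ("default client", DEFAULT_KEYCLOAK_CLAIMS)):
        found = check_access_token(decode_jwt_claims(constructed_token(claims)),
                                   HELM_AUTH_VALUES, SERVICE_PUBLIC_URI)
        print(f"{label}: {'OK' if not found else found}")
```

To use it against a real token, paste the access token flytectl obtained into `decode_jwt_claims` and load the `auth` section of your values file into the dict; the fallback to the service's public URI in `expected_audience` mirrors the behaviour the issue's `allowedAudience` comment describes, so leaving that key out is only correct when the Keycloak mapper emits exactly that URI.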