adorable-engineer-57446
09/22/2023, 1:02 PMhelpful-church-28990
09/22/2023, 1:17 PMfreezing-airport-6809
adorable-engineer-57446
09/22/2023, 1:35 PMfreezing-airport-6809
freezing-airport-6809
adorable-engineer-57446
09/22/2023, 1:38 PMadorable-engineer-57446
09/22/2023, 1:39 PMadmin:
# For GRPC endpoints you might want to use dns:///flyte.myexample.com
endpoint: dns:///127.0.0.1:8089/
authType: Pkce
insecure: true
logger:
show-source: true
level: 0
adorable-engineer-57446
09/22/2023, 1:39 PMadorable-engineer-57446
09/22/2023, 1:40 PMfreezing-airport-6809
freezing-airport-6809
freezing-airport-6809
adorable-engineer-57446
09/22/2023, 1:54 PMaverage-finland-92144
09/22/2023, 3:31 PMadorable-engineer-57446
09/25/2023, 4:57 AMfreezing-airport-6809
adorable-engineer-57446
09/25/2023, 5:24 AMaverage-finland-92144
09/25/2023, 3:03 PMadorable-engineer-57446
09/26/2023, 7:34 AMadorable-engineer-57446
09/26/2023, 7:35 AMfreezing-airport-6809
average-finland-92144
09/26/2023, 2:34 PMhigh-park-82026
export FLYTE_SDK_LOGGING_LEVEL=10
pyflyte....
Can you try a different auth mode:
admin:
# For GRPC endpoints you might want to use dns:///flyte.myexample.com
endpoint: dns:///127.0.0.1:8089/
authType: DeviceFlow
insecure: true
logger:
show-source: true
level: 0
In the device flow mode, it should output a URL (with code embedded in the URL) for you to copy and run on a machine that has a browser, once authenticated, the CLI session will automatically pick that up and continue...
If you are trying to run an automation scenario (CI for example) where there will be no user involved, there is ClientCredentials mode that can be used... please let us know if that's what you are trying to do for further explanation š
Also 100% on the docs lacking, I take responsibility of that. We do need yours and everyone in the community who have setup Auth to help build a better version of this.average-finland-92144
09/27/2023, 3:46 PMflyte-core
in this section, what's the difference between clientId: flytectl
and selfAuthServer.staticClients.flyte-cli
? (see code)
a. David's guess is that the first one, under thirdPartyConfig
configures the client to interact with the external IdP, and the remaining staticClients
will interact with the internal auth server to obtain the tokens and complete the flows.
b. Shouldn't one of these be called `flyte-ui`to avoid confusions?
c. Why those two specific callback addresses? Especially this one that looks a bit arbitrary: - <http://localhost:12345/callback>
2. Is it possible to reset the auth token manually from Flyte?high-park-82026
thirdPartyConfig
should, therefore, refer to a client that exist within the staticClients
list.
c. If using an external OAuth Authorization Server, staticClients
is naturally completely irrelevant and thirdPartyConfig
should refer to a client that you have created as Native App OAuth Client in that external OAuth Authorization Server.
d. The client used by "the flyte ui" to authenticate is listed under oidc. The reason it's not called flyte UI is that it's only really only used to authenticate to the UI... When you authenticate to the CLI (see this diagram) it also uses the same client...
2. The access token the CLI obtained? it's stored in key-ring (or equivalent in windows/linux)... on OSX, you can open. KeyChain and find flyte_at
and delete that entry...average-finland-92144
09/27/2023, 9:37 PMCan you elaborate on what made PKCE work, @average-finland-92144?Besides the good work from Rob, their Pkce flow works on a machine with a GUI and a browser. In a GUI-less machine it doesn't work but no error logs are generated, it just remains waiting to invoke a browser that, well, it's not there. The other difference between the two machines is the Python version (works on 3.10, not on 3.11) but I'm not sure that's connected.
high-park-82026
freezing-airport-6809
average-finland-92144
09/28/2023, 10:16 AMadorable-engineer-57446
10/02/2023, 9:16 AM