Rob Ulbrich
09/22/2023, 1:02 PM
Vipul Goswami
09/22/2023, 1:17 PM
Ketan (kumare3)
Rob Ulbrich
09/22/2023, 1:35 PM
Ketan (kumare3)
Rob Ulbrich
09/22/2023, 1:38 PM
admin:
  # For GRPC endpoints you might want to use dns:///flyte.myexample.com
  endpoint: dns:///127.0.0.1:8089/
  authType: Pkce
  insecure: true
logger:
  show-source: true
  level: 0
Ketan (kumare3)
Rob Ulbrich
09/22/2023, 1:54 PM
David Espejo (he/him)
09/22/2023, 3:31 PM
Rob Ulbrich
09/25/2023, 4:57 AM
Ketan (kumare3)
Rob Ulbrich
09/25/2023, 5:24 AM
David Espejo (he/him)
09/25/2023, 3:03 PM
Rob Ulbrich
09/26/2023, 7:34 AM
Ketan (kumare3)
David Espejo (he/him)
09/26/2023, 2:34 PM
Haytham Abuelfutuh
export FLYTE_SDK_LOGGING_LEVEL=10
pyflyte....
Can you try a different auth mode:
admin:
  # For GRPC endpoints you might want to use dns:///flyte.myexample.com
  endpoint: dns:///127.0.0.1:8089/
  authType: DeviceFlow
  insecure: true
logger:
  show-source: true
  level: 0
In the device flow mode, it should output a URL (with code embedded in the URL) for you to copy and run on a machine that has a browser. Once authenticated, the CLI session will automatically pick that up and continue...
If you are trying to run an automation scenario (CI for example) where there will be no user involved, there is ClientCredentials mode that can be used... please let us know if that's what you are trying to do for further explanation
Also 100% on the docs lacking, I take responsibility for that. We do need you and everyone in the community who has set up Auth to help build a better version of this.
David Espejo (he/him)
09/27/2023, 3:46 PM
`flyte-core` in this section, what's the difference between `clientId: flytectl` and `selfAuthServer.staticClients.flyte-cli`? (see code)
a. David's guess is that the first one, under `thirdPartyConfig`, configures the client to interact with the external IdP, and the remaining `staticClients` will interact with the internal auth server to obtain the tokens and complete the flows.
b. Shouldn't one of these be called `flyte-ui` to avoid confusion?
c. Why those two specific callback addresses? Especially this one that looks a bit arbitrary: - <http://localhost:12345/callback>
2. Is it possible to reset the auth token manually from Flyte?
Haytham Abuelfutuh
`thirdPartyConfig` should, therefore, refer to a client that exists within the `staticClients` list.
c. If using an external OAuth Authorization Server, `staticClients` is naturally completely irrelevant and `thirdPartyConfig` should refer to a client that you have created as Native App OAuth Client in that external OAuth Authorization Server.
d. The client used by "the flyte ui" to authenticate is listed under oidc. The reason it's not called flyte UI is that it's only really only used to authenticate to the UI... When you authenticate to the CLI (see this diagram) it also uses the same client...
2. The access token the CLI obtained? It's stored in key-ring (or equivalent in Windows/Linux)... on OSX, you can open KeyChain and find `flyte_at` and delete that entry...
David Espejo (he/him)
09/27/2023, 9:37 PM
Can you elaborate on what made PKCE work, @David Espejo (he/him)?
Besides the good work from Rob, their Pkce flow works on a machine with a GUI and a browser. In a GUI-less machine it doesn't work but no error logs are generated, it just remains waiting to invoke a browser that, well, it's not there. The other difference between the two machines is the Python version (works on 3.10, not on 3.11) but I'm not sure that's connected.
Haytham Abuelfutuh
Ketan (kumare3)
David Espejo (he/him)
09/28/2023, 10:16 AM
Rob Ulbrich
10/02/2023, 9:16 AM