Rob Ulbrich 09/22/2023, 1:02 PM
Vipul Goswami 09/22/2023, 1:17 PM
Rob Ulbrich 09/22/2023, 1:35 PM
Rob Ulbrich 09/22/2023, 1:38 PM
```yaml
admin:
  # For GRPC endpoints you might want to use dns:///flyte.myexample.com
  endpoint: dns:///127.0.0.1:8089/
  authType: Pkce
  insecure: true
logger:
  show-source: true
  level: 0
```
Rob Ulbrich 09/22/2023, 1:54 PM
David Espejo (he/him) 09/22/2023, 3:31 PM
Rob Ulbrich 09/25/2023, 4:57 AM
Rob Ulbrich 09/25/2023, 5:24 AM
David Espejo (he/him) 09/25/2023, 3:03 PM
Rob Ulbrich 09/26/2023, 7:34 AM
David Espejo (he/him) 09/26/2023, 2:34 PM
Can you try a different auth mode:
export FLYTE_SDK_LOGGING_LEVEL=10 pyflyte....
In the device flow mode, it should output a URL (with the code embedded in the URL) for you to copy and run on a machine that has a browser. Once authenticated, the CLI session will automatically pick that up and continue... If you are trying to run an automation scenario (CI for example) where there will be no user involved, there is a ClientCredentials mode that can be used... Please let us know if that's what you are trying to do for further explanation 🙂 Also 100% on the docs lacking, I take responsibility for that. We do need you and everyone in the community who has set up Auth to help build a better version of this.
```yaml
admin:
  # For GRPC endpoints you might want to use dns:///flyte.myexample.com
  endpoint: dns:///127.0.0.1:8089/
  authType: DeviceFlow
  insecure: true
logger:
  show-source: true
  level: 0
```
David Espejo (he/him) 09/27/2023, 3:46 PM
in this section, what's the difference between
? (see code) a. David's guess is that the first one, under
configures the client to interact with the external IdP, and the remaining
will interact with the internal auth server to obtain the tokens and complete the flows. b. Shouldn't one of these be called `flyte-ui` to avoid confusion? c. Why those two specific callback addresses? Especially this one that looks a bit arbitrary:
2. Is it possible to reset the auth token manually from Flyte?
should, therefore, refer to a client that exists within the
list. c. If using an external OAuth Authorization Server,
is naturally completely irrelevant and
should refer to a client that you have created as a Native App OAuth Client in that external OAuth Authorization Server. d. The client used by "the flyte ui" to authenticate is listed under oidc. The reason it's not called flyte UI is that it's only really only used to authenticate to the UI... When you authenticate to the CLI (see this diagram) it also uses the same client... 2. The access token the CLI obtained? It's stored in key-ring (or equivalent in Windows/Linux)... On OSX, you can open KeyChain and find
and delete that entry...
David Espejo (he/him) 09/27/2023, 9:37 PM
Can you elaborate on what made PKCE work, @David Espejo (he/him)? Besides the good work from Rob, their Pkce flow works on a machine with a GUI and a browser. On a GUI-less machine it doesn't work, but no error logs are generated; it just remains waiting to invoke a browser that, well, is not there. The other difference between the two machines is the Python version (works on 3.10, not on 3.11), but I'm not sure that's connected.
David Espejo (he/him) 09/28/2023, 10:16 AM
Rob Ulbrich 10/02/2023, 9:16 AM