@Yee and @Haytham Abuelfutuh I have a question about the Okta setup. The Flyte docs mention creating a custom Okta authorization server with the following custom settings: custom scopes (all and offline) and a custom auth server. I've experimented with it and this is what I've found:
- the offline scope is for using refresh_token. Okta has a built-in scope for that called offline_access, which is sent back to the client if you add the Refresh Token grant to your app. This works for the default auth server.
- the all scope is custom. We can create it via the default auth server; however, we can create it via a custom auth server as well. Some Okta org admins do not want to add custom scopes to the default auth server and prefer to keep it as vanilla as possible. I noticed that the all scope is hardcoded in the flyteadmin auth interceptor, so if we don't pass it, Okta auth does not work as expected.
- custom audience is optional, meaning that since Flyte requires us to create a custom auth server with custom scopes, we might as well change the audience from the default of api://default. By default Okta returns an audience equal to the clientId authenticating to Okta. We can set whatever audience we expect in the flyteadmin config (auth.appAuth.externalAuthServer.allowedAudience), so we can use the default setting.
My question is why the all scope is needed and how we can configure Flyte Okta auth against an Okta server with only the default auth server available.