https://flyte.org logo
#ask-the-community
Title
# ask-the-community
g

Georgi Ivanov

12/06/2023, 10:08 PM
Hi team, I have a couple of questions regarding the Flyte Auth. It is my understanding that userAuth section configures the OIDC provider which issues the id_token, while the appAuth section is for OAuth2 provider that issues the access_token and refresh_token. These providers can be the same - i.e. Okta, or they can be Okta for OIDC and the seflAuthServer for access tokens. If we have Okta for OIDC and selfAuth for OAuth, my question is how do these two related to each other? For example, it is my understanding that the built-in selfAuth server will issue access_token to anyone, however if we configure OIDC via Okta for id_tokens, would this act as an allowlist to who can login (UI and via GRPC)? If that is the case, does this mean that: - when we login in the flyteconsole we login once via the OIDC provider to get then id_token but - when we login via pyflyte/flytectl against the selfAuthServer we login twice meaning we fetch an id_token from okta and an access_token from the built-in Oauth2 server What happens if we don’t configure userAuth in flyte while we configure appAuth? Would that mean that Flyte will issue an access_token to everyone? I believe in the built-in server we can’t have the same client be configured to use both authorization_code and client credentials flow (i guess due to specification). If we need to use flytectl in both interactive and non-interactive way does this mean we need to create two static clients for it, one for each auth type?
I am asking this cause it is not entirely clear in this page - https://docs.flyte.org/en/latest/deployment/configuration/auth_appendix.html
some diagrams also are missing or looks messed up
Screenshot 2023-12-07 at 10.33.50.png,Screenshot 2023-12-07 at 10.33.46.png
@Kevin Su @Haytham Abuelfutuh?
s

Samhita Alla

12/07/2023, 10:59 AM
cc @David Espejo (he/him)
h

Haytham Abuelfutuh

12/08/2023, 6:56 PM
that userAuth section configures the OIDC provider which issues the id_token, while the appAuth section is for OAuth2 provider that issues the access_token and refresh_token
You got this right! You can't enable appAuth but not userAuth.
I believe in the built-in server we can’t have the same client be configured to use both authorization_code and client credentials flow
Also correct. Is there a reason you don't want to use Okta for both app and user auth?
g

Georgi Ivanov

12/11/2023, 2:45 PM
yes, we can’t setup custom authorization server in Okta, and hence I can’t configure it for appAuth (due to the hardcoded custom scopes in flyte)
d

David Espejo (he/him)

12/11/2023, 3:12 PM
@Georgi Ivanov what scopes do you need?
g

Georgi Ivanov

12/11/2023, 5:14 PM
i am not sure I understand the question. At present our okta only supports the default scopes
flyte injects the
all
scope and it needs i think the offline_access scope
the injection only works for the console, for flytectl, pyflyte and any other third party app or via the rest api the oauth provider needs to add this scope to the token
as far as I understand
currently we can’t add the all scope
hence we are using the built-in oauth server
@David Espejo (he/him)
d

David Espejo (he/him)

12/11/2023, 6:11 PM
ok I think I get it. Have you tried overriding the default scopes, adding only the ones supported by your IdP? As far as requirements for Flyte and judging by implementations with other IdPs, it would be
openid
,
email
,
offline_access
,
profile
This is in your
$HOME/.flyte/configm.yaml
Copy code
admin:
  endpoint: <your-flyte-URL>
  ...
  scopes: 
    - myscopes
I haven't tried this, so not entirely sure what'd be the result
g

Georgi Ivanov

12/13/2023, 3:27 PM
there is a hard requirement on the “all” scope
so if my IdP does not support custom scopes (to provide the
all
scope) i need to use the selfAuthServer
@David Espejo (he/him)?
d

David Espejo (he/him)

12/18/2023, 11:55 PM
so if my IdP does not support custom scopes (to provide the
all
scope) i need to use the selfAuthServer (edited)
this is my understanding too. Once I have better details I'll add them here
g

Georgi Ivanov

01/02/2024, 9:59 AM
Happy New Year!
Do you have some updates?
d

David Espejo (he/him)

01/02/2024, 3:52 PM
Hi @Georgi Ivanov happy new year. As for now, the
all
scope is hardcoded in a couple of places but it should be straightforward to make it configurable or override-able
4 Views