Hi team, I have a couple of questions regarding the Flyte Auth. It is my understanding that userAuth section configures the OIDC provider which issues the id_token, while the appAuth section is for OAuth2 provider that issues the access_token and refresh_token. These providers can be the same - i.e. Okta, or they can be Okta for OIDC and the seflAuthServer for access tokens. If we have Okta for OIDC and selfAuth for OAuth, my question is how do these two related to each other? For example, it is my understanding that the built-in selfAuth server will issue access_token to anyone, however if we configure OIDC via Okta for id_tokens, would this act as an allowlist to who can login (UI and via GRPC)? If that is the case, does this mean that: - when we login in the flyteconsole we login once via the OIDC provider to get then id_token but - when we login via pyflyte/flytectl against the selfAuthServer we login twice meaning we fetch an id_token from okta and an access_token from the built-in Oauth2 server What happens if we don’t configure userAuth in flyte while we configure appAuth? Would that mean that Flyte will issue an access_token to everyone? I believe in the built-in server we can’t have the same client be configured to use both authorization_code and client credentials flow (i guess due to specification). If we need to use flytectl in both interactive and non-interactive way does this mean we need to create two static clients for it, one for each auth type?

cc @David Espejo (he/him)

that userAuth section configures the OIDC provider which issues the id_token, while the appAuth section is for OAuth2 provider that issues the access_token and refresh_token

You got this right! You can't enable appAuth but not userAuth.

I believe in the built-in server we can’t have the same client be configured to use both authorization_code and client credentials flow

Also correct. Is there a reason you don't want to use Okta for both app and user auth?

yes, we can’t setup custom authorization server in Okta, and hence I can’t configure it for appAuth (due to the hardcoded custom scopes in flyte)

@Georgi Ivanov what scopes do you need?

i am not sure I understand the question. At present our okta only supports the default scopes

ok I think I get it. Have you tried overriding the default scopes, adding only the ones supported by your IdP? As far as requirements for Flyte and judging by implementations with other IdPs, it would be

openid

,

email

,

offline_access

,

profile

This is in your

$HOME/.flyte/configm.yaml

admin:
  endpoint: <your-flyte-URL>
  ...
  scopes: 
    - myscopes

I haven't tried this, so not entirely sure what'd be the result

there is a hard requirement on the “all” scope

so if my IdP does not support custom scopes (to provide the

all

scope) i need to use the selfAuthServer (edited)

this is my understanding too. Once I have better details I'll add them here

Happy New Year!

Hi @Georgi Ivanov happy new year. As for now, the

all

scope is hardcoded in a couple of places but it should be straightforward to make it configurable or override-able