I see that OAuth 2 0 Device Authorization Grant flow has bee Flyte #ask-the-community

I see that OAuth 2.0 Device Authorization Grant fl...

Greg Linklater

01/16/2024, 3:48 PM

I see that OAuth 2.0 Device Authorization Grant flow has been a part of Flyte since 1.5.0 (#3483) however I can’t seem to find any documentation about it. Can anyone help me find some explanation of how to configure this? https://github.com/flyteorg/flytekit/blob/892b4741d0c38bd61b9cdaf1defb002d729acba2/flytekit/configuration/__init__.py#L363C19-L363C29

Greg Linklater

01/16/2024, 3:52 PM

If I try and use this with flytekit I get the following:

Unable to retrieve Device Authentication Code for {…}, Reason Bad Request

Yee

01/16/2024, 4:40 PM

you need to be using an external auth server that supports device flow.

David Espejo (he/him)

01/16/2024, 4:45 PM

Have you configured the OIDC params in your Helm deployment? I see the authenticator builds the client from there

David Espejo (he/him)

01/16/2024, 4:46 PM

This includes

clientid

clientsecret

and

scopes

Greg Linklater

01/16/2024, 5:02 PM

@David Espejo (he/him) yes that’s correct. Pyflyte with

authType: Pkce

works perfectly against Keycloak. I’ve also verified that device auth works using curl directly to the idp

Greg Linklater

01/17/2024, 9:36 AM

I have discovered the problem. It was because PKCE was being enforced on that client in the Keycloak configuration. Device Auth Flow for flyte should definitely support PKCE as well… I will file an issue about it later.

Greg Linklater

01/17/2024, 2:19 PM

https://github.com/flyteorg/flyte/issues/4735

Open in Slack

Previous Next