# flyte-deployment
Hi everyone 👋, we are struggling to get flyte working with Keycloak external authorization. We got the authentication working but are very lost on the authorization part. I'll continue in a thread with details. Hopefully someone can help 🙏
The authentication setup worked just as documented, but we can't get the external Authorization Server working. In the Custom Authorization Server documentation for Keycloak it says we should create new Client Scopes. As a Keycloak beginner I'm struggling to understand whether anything should be configured in the Client Scope and how this ties together with the Keycloak clients that are created in step 4 of the Keycloak documentation. For now, we just tried this with a local port-forward, so our flytectl config looks like this:
```yaml
admin:
  endpoint: dns:///localhost:8089
  authType: Pkce
  insecure: true
logger:
  show-source: true
  level: 100
```
Our three Keycloak clients look like this (terraform code):
```hcl
resource "keycloak_openid_client" "flyte" {
  realm_id = var.realm_id

  client_id   = "flyte"
  name        = "Flyte"
  description = "Client for the Flyte application"

  access_type              = "CONFIDENTIAL"
  service_accounts_enabled = true
  standard_flow_enabled    = true
  valid_redirect_uris = [
    "https://flyte.${var.base_domain_name}/callback",
    "http://localhost:30081/callback",
  ]

  base_url = "https://flyte.${var.base_domain_name}/callback"

  full_scope_allowed = true
}

resource "keycloak_openid_client" "flytectl" {
  realm_id = var.realm_id

  client_id   = "flytectl"
  name        = "flytectl"
  description = "Client for the Flytectl"

  access_type           = "PUBLIC"
  standard_flow_enabled = true
  valid_redirect_uris = [
    "http://localhost:53593/callback",
  ]

  base_url = "https://flyte.${var.base_domain_name}/callback"

  full_scope_allowed = true
}

resource "keycloak_openid_client" "flyte_propeller" {
  realm_id = var.realm_id

  client_id   = "flyte-propeller"
  name        = "flytePropeller"
  description = "Client for flytePropeller"

  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true
  valid_redirect_uris = [
    "https://flyte.${var.base_domain_name}/callback",
  ]

  base_url = "https://flyte.${var.base_domain_name}/callback"

  full_scope_allowed = true
}
```
And the Client Scope looks like this:
```hcl
resource "keycloak_openid_client_scope" "openid_client_scope" {
  realm_id               = var.realm_id
  name                   = "flyte-access"
  include_in_token_scope = true
}
```
The relevant configuration for the `flyte-binary` chart then looks like this:
```yaml
auth:
  enabled: true
  oidc:
    baseUrl: https://<keycloak-domain>/auth/realms/<realm>
    clientId: flyte
    clientSecret: <secret>
  authorizedUris:
    - https://flyte.<base_domain>
  internal:
    clientId: flyte-propeller
    clientSecret: <secret>
    clientSecretHash: <secretHash>
inline:
  auth:
    appAuth:
      authServerType: External
      externalAuthServer:
        baseUrl:  https://<keycloak-domain>/auth/realms/<realm>
        metadataUrl: .well-known/openid-configuration
        allowedAudience: https://flyte.<base_domain>
      thirdPartyConfig:
        flyteClient:
          # Use the clientID generated by your IdP for the `flytectl` app registration
          clientId: flytectl
          redirectUri: http://localhost:53593/callback
          scopes:
          - offline
          - all
    userAuth:
      openId:
      # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
      # baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
      # For Okta, use the Issuer URI of the custom auth server:
        baseUrl: https://<keycloak-domain>/auth/realms/<realm>
        scopes:
        - profile
        - openid
      # - offline_access # Uncomment if your IdP supports issuing refresh tokens (optional)
      # Use the client ID and secret generated by your IdP for the first OIDC registration in the "Identity Management layer : OIDC" section of this guide
        clientId: flyte
```
When we try to connect to flyte using `flytectl` we get the following error:
```bash
❯ flytectl create project --id "test" --name "Test"
{"json":{"src":"client.go:63"},"level":"info","msg":"Initialized Admin client","ts":"2024-02-21T07:49:48+01:00"}
{"json":{"src":"auth_interceptor.go:86"},"level":"debug","msg":"Request failed due to [rpc error: code = Unauthenticated desc = token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken]. If it's an unauthenticated error, we will attempt to establish an authenticated context.","ts":"2024-02-21T07:49:48+01:00"}
{"json":{"src":"auth_interceptor.go:91"},"level":"debug","msg":"Request failed due to [Unauthenticated]. Attempting to establish an authenticated connection and trying again.","ts":"2024-02-21T07:49:48+01:00"}
{"json":{"src":"token_source_provider.go:151"},"level":"warning","msg":"Failed fetching from cache. Will restart the flow. Error: no token found in the cache","ts":"2024-02-21T07:49:48+01:00"}
{"json":{"src":"auth_flow_orchestrator.go:77"},"level":"info","msg":"Opening the browser at https://<keycloak-domain>/auth/realms/<realm>/protocol/openid-connect/auth?client_id=flytectl\u0026redirect_uri=http%3A%2F%2Flocalhost%3A53593%2Fcallback\u0026response_type=code\u0026scope=offline+all\u0026code_challenge=<...>\u0026code_challenge_method=S256\u0026nonce=<...>\u0026state=<...>c","ts":"2024-02-21T07:49:48+01:00"}
```
Where the browser then gives this error:
```text
Flyte Authentication
Error!
Error: invalid_scope
Error Hint:
Description: Invalid scopes: offline all
```
We already tried the Client Scope mappers from this Slack thread, but to no avail. Can anyone help? 🙈 Thank you, Julian
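Added example (not from the thread above, nor Flyte's or Keycloak's own code): a pre-flight check that compares the scopes flytectl is configured to request (`thirdPartyConfig.flyteClient.scopes`, here `offline` and `all`) against the `scopes_supported` list the external authorization server publishes at its `.well-known/openid-configuration`, and checks the advertised issuer against the configured `baseUrl`. The discovery document, hostname and realm are constructed to resemble a Keycloak realm with one custom client scope; the `invalid_scope` error in the post is the kind of mismatch this surfaces before opening a browser.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample: a Keycloak-style discovery document with the default
# scopes plus one custom client scope ("flyte-access"); no "offline" or "all".
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example.test/auth/realms/flyte",
    "authorization_endpoint": "https://keycloak.example.test/auth/realms/flyte/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.test/auth/realms/flyte/protocol/openid-connect/token",
    "scopes_supported": ["openid", "profile", "email", "offline_access", "flyte-access"],
    "code_challenge_methods_supported": ["plain", "S256"],
})


def parse_discovery(doc: str) -> Dict:
    """Parse a discovery document and require the fields every OIDC provider must publish."""
    d = json.loads(doc)
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if key not in d:
            raise ValueError(f"discovery document missing required field: {key}")
    return d


def missing_scopes(discovery: Dict, requested: List[str]) -> List[str]:
    """Requested scopes the server does not advertise. scopes_supported is only
    RECOMMENDED by OIDC Discovery, so an absent list yields no findings."""
    supported = discovery.get("scopes_supported")
    if supported is None:
        return []
    return [s for s in requested if s not in supported]


def issuer_matches(discovery: Dict, base_url: str) -> bool:
    """The issuer must equal externalAuthServer.baseUrl (trailing slash aside)."""
    return discovery["issuer"].rstrip("/") == base_url.rstrip("/")


def preflight(doc: str, base_url: str, requested: List[str]) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for a flytectl-style authorization request."""
    d = parse_discovery(doc)
    problems: List[str] = []
    if not issuer_matches(d, base_url):
        problems.append(f"issuer mismatch: {d['issuer']} != {base_url}")
    for s in missing_scopes(d, requested):
        problems.append(f"scope not advertised by server: {s}")
    # flytectl's authorize URL in the post uses code_challenge_method=S256.
    if "S256" not in d.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised by server")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = preflight(SAMPLE_DISCOVERY, "https://keycloak.example.test/auth/realms/flyte", ["offline", "all"])
    print("ok" if ok else "\n".join(problems))
```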