better-lamp-53311
02/21/2024, 6:57 AM
better-lamp-53311
02/21/2024, 6:58 AM
```yaml
admin:
  endpoint: dns:///localhost:8089
  authType: Pkce
  insecure: true
logger:
  show-source: true
  level: 100
```
Our three Keycloak clients look like this (Terraform code):
```hcl
resource "keycloak_openid_client" "flyte" {
  realm_id                 = var.realm_id
  client_id                = "flyte"
  name                     = "Flyte"
  description              = "Client for the Flyte application"
  access_type              = "CONFIDENTIAL"
  service_accounts_enabled = true
  standard_flow_enabled    = true
  valid_redirect_uris = [
    "https://flyte.${var.base_domain_name}/callback",
    "http://localhost:30081/callback",
  ]
  base_url           = "https://flyte.${var.base_domain_name}/callback"
  full_scope_allowed = true
}

resource "keycloak_openid_client" "flytectl" {
  realm_id              = var.realm_id
  client_id             = "flytectl"
  name                  = "flytectl"
  description           = "Client for the Flytectl"
  access_type           = "PUBLIC"
  standard_flow_enabled = true
  valid_redirect_uris = [
    "http://localhost:53593/callback",
  ]
  base_url           = "https://flyte.${var.base_domain_name}/callback"
  full_scope_allowed = true
}

resource "keycloak_openid_client" "flyte_propeller" {
  realm_id              = var.realm_id
  client_id             = "flyte-propeller"
  name                  = "flytePropeller"
  description           = "Client for flytePropeller"
  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true
  valid_redirect_uris = [
    "https://flyte.${var.base_domain_name}/callback",
  ]
  base_url           = "https://flyte.${var.base_domain_name}/callback"
  full_scope_allowed = true
}
```
And the client scope looks like this:
```hcl
resource "keycloak_openid_client_scope" "openid_client_scope" {
  realm_id               = var.realm_id
  name                   = "flyte-access"
  include_in_token_scope = true
}
```
The relevant configuration for the flyte-binary chart then looks like this:
```yaml
auth:
  enabled: true
  oidc:
    baseUrl: https://<keycloak-domain>/auth/realms/<realm>
    clientId: flyte
    clientSecret: <secret>
  authorizedUris:
    - https://flyte.<base_domain>
  internal:
    clientId: flyte-propeller
    clientSecret: <secret>
    clientSecretHash: <secretHash>
inline:
  auth:
    appAuth:
      authServerType: External
      externalAuthServer:
        baseUrl: https://<keycloak-domain>/auth/realms/<realm>
        metadataUrl: .well-known/openid-configuration
        allowedAudience: https://flyte.<base_domain>
      thirdPartyConfig:
        flyteClient:
          # Use the clientID generated by your IdP for the `flytectl` app registration
          clientId: flytectl
          redirectUri: http://localhost:53593/callback
          scopes:
            - offline
            - all
    userAuth:
      openId:
        # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
        # baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
        # For Okta, use the Issuer URI of the custom auth server:
        baseUrl: https://<keycloak-domain>/auth/realms/<realm>
        scopes:
          - profile
          - openid
          # - offline_access # Uncomment if your IdP supports issuing refresh tokens (optional)
        # Use the client ID and secret generated by your IdP for the first OIDC registration in the "Identity Management layer : OIDC" section of this guide
        clientId: flyte
```
When we try to connect to Flyte using flytectl, we get the following error:
```text
$ flytectl create project --id "test" --name "Test"
{"json":{"src":"client.go:63"},"level":"info","msg":"Initialized Admin client","ts":"2024-02-21T07:49:48+01:00"}
{"json":{"src":"auth_interceptor.go:86"},"level":"debug","msg":"Request failed due to [rpc error: code = Unauthenticated desc = token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken]. If it's an unauthenticated error, we will attempt to establish an authenticated context.","ts":"2024-02-21T07:49:48+01:00"}
{"json":{"src":"auth_interceptor.go:91"},"level":"debug","msg":"Request failed due to [Unauthenticated]. Attempting to establish an authenticated connection and trying again.","ts":"2024-02-21T07:49:48+01:00"}
{"json":{"src":"token_source_provider.go:151"},"level":"warning","msg":"Failed fetching from cache. Will restart the flow. Error: no token found in the cache","ts":"2024-02-21T07:49:48+01:00"}
{"json":{"src":"auth_flow_orchestrator.go:77"},"level":"info","msg":"Opening the browser at https://<keycloak-domain>/auth/realms/<realm>/protocol/openid-connect/auth?client_id=flytectl\u0026redirect_uri=http%3A%2F%2Flocalhost%3A53593%2Fcallback\u0026response_type=code\u0026scope=offline+all\u0026code_challenge=<...>\u0026code_challenge_method=S256\u0026nonce=<...>\u0026state=<...>c","ts":"2024-02-21T07:49:48+01:00"}
```
The browser then shows this error:
```text
Flyte Authentication
Error!
Error: invalid_scope
Error Hint:
Description: Invalid scopes: offline all
```
We already tried the Client scope mappers from this Slack thread, but to no avail.
Can anyone help?
Thank you,
Julian