#ask-the-community

Devendra Johari

03/07/2024, 7:16 AM
Hey everyone! I am working on establishing authentication and authorization in Flyte for other users. I successfully configured authentication and authorization with Microsoft Azure AD for the Flyte Console (using flyte-binary). My Kubernetes server (single-node cluster) is set up on a Red Hat server which only has a terminal; there is no GUI. Now the problem is with the authentication of flytectl. I configured it in the values file of the flyte-binary Helm chart by providing the following values:
inline:
  auth:
    appAuth:
      authServerType: External
      externalAuthServer:
      # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
      # baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
      # For Okta, use the Issuer URI of the custom auth server:
        baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
        metadataUrl: .well-known/oauth-authorization-server
      thirdPartyConfig:
        flyteClient:
          # Use the clientID generated by your IdP for the `flytectl` app registration
          clientId: <flytectl-client-id>
          redirectUri: http://localhost:53593/callback
          scopes:
          - offline
          - all
    userAuth:
      openId:
      # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
      # baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
      # For Okta, use the Issuer URI of the custom auth server:
        baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
        scopes:
        - profile
        - openid
      # - offline_access # Uncomment if your IdP supports issuing refresh tokens (optional)
      # Use the client ID and secret generated by your IdP for the first OIDC registration in the "Identity Management layer : OIDC" section of this guide
        clientId: <oidc-clientId>
Also changed $HOME/.flyte/config.yaml to this:
admin:
    # Update with the Flyte's ingress endpoint (e.g. flyteIngressIP for sandbox or example.foobar.com)
    # You must keep the 3 forward-slashes after dns:
    endpoint: dns:///<Flyte ingress url>

    # Update auth type to `Pkce` or `ClientSecret`
    authType: Pkce

    # Set to the clientId (will be used for both Pkce and ClientSecret flows)
    # Leave empty to use the value discovered through flyteAdmin's Auth discovery endpoint.
    clientId: <Id>

    # Set to the location where the client secret is mounted.
    # Only needed/used for `ClientSecret` flow.
    clientSecretLocation: </some/path/to/key>
But flytectl is giving me the following error on flytectl get projects: "/usr/xdg-open error". Also note: I don't have a GUI on my system. Can you guys suggest what approach I should use to get rid of this error and successfully authenticate with Microsoft Azure AD in flytectl as well?

David Espejo (he/him)

03/07/2024, 4:47 PM
Try setting authType: DeviceFlow

Devendra Johari

03/07/2024, 4:52 PM
And does this authType need any other type of configuration as well? @David Espejo (he/him)

David Espejo (he/him)

03/07/2024, 4:54 PM
Besides what you have already configured on the backend, no.

Devendra Johari

03/07/2024, 5:06 PM
Thank you @David Espejo (he/him)... Authentication successful, although there is some change still needed in Azure AD to do. But now I am one step ahead... Thanks for the help.

David Espejo (he/him)

03/07/2024, 5:18 PM
"there is some change still needed in Azure AD to do."
Oh yes, I was about to mention that probably your IdP will require changes. Could you share what you had to change there?

Devendra Johari

03/18/2024, 12:55 PM
Yeah sure @David Espejo (he/him). I will send the article link here. It only needs to allow public traffic to Mobile and Device Applications.
Besides that, the problem isn't solved after successfully authenticating via mobile device. One more error came up. The error is attached to this message. Can you please help me out with that?

Blake Jackson

03/18/2024, 1:11 PM
Are you expecting to get an id_token back in your device code response? If so, did you ensure your grant type supports it within Okta and that you passed the correct scope to get it?

Devendra Johari

03/18/2024, 1:21 PM
There are three tokens I should receive after successful authorization from the Microsoft Azure IdP: access_token, id_token and refresh_token. If I try to verify the authentication using Postman with the same grant type, scope and all, it successfully gives all three tokens in the response. But in Flyte, when I am using flytectl with the DeviceFlow authType on the command line, it throws an error.

Blake Jackson

03/18/2024, 1:23 PM
Can you try setting the scope in your config.yaml? https://docs.flyte.org/projects/flytectl/en/latest/gen/flytectl_config.html
You might need to add openid explicitly.

Devendra Johari

03/18/2024, 1:24 PM
In the config file of Flyte?

Blake Jackson

03/18/2024, 1:24 PM
Yea, where you configure the authType, there's also the ability to set scopes.

Devendra Johari

03/18/2024, 1:24 PM
I can add the scope there, but like how can I add the open id?

Blake Jackson

03/18/2024, 1:25 PM
So the request made to Microsoft Azure IDP, if you are getting an id_token back, then you must be adding the openid scope on the request.

Devendra Johari

03/18/2024, 1:28 PM
Yeah, I added the openid configuration in the values.yaml file as per the Flyte documentation. Also, the Flyte web UI is working fine with authentication but the CLI is not working. Just give me a few minutes; I'll try adding the scope in config.yaml and then try again.

Blake Jackson

03/18/2024, 1:28 PM
So the way device authorization grant works is that you hit the "/authorize" endpoint w/ the scopes you want. The authorization code should be for those scopes and will then be able to be exchanged for a token(s) at the "/token" endpoint

Devendra Johari

03/18/2024, 1:30 PM
Also, one thing I want you to focus on is that I don't have the gnome-keyring daemon running, so I think the token can't be saved in the cache. Doesn't that affect the process of authentication?
@Blake Jackson Same error after mentioning the scopes.

Blake Jackson

03/18/2024, 2:28 PM

David Espejo (he/him)

03/19/2024, 3:52 PM
@Devendra Johari are you running on WSL?

Devendra Johari

03/20/2024, 12:20 PM
No, it's on Prime Server. By the way, the above error is solved by changing the scope to api://<client-id>/Custom.Scope in the thirdPartyConfig section of auth. But now pyflyte is throwing an error. Can you tell me where I have to set up the configuration for pyflyte? And I have to make sure that I can use delegated permissions, not application permissions, of the Azure IdP, so that it can be recognized which user is using pyflyte.
Can you suggest how to do that? Because pyflyte is asking to set up the scope as "api://<client-id>/.default", which needs application permissions to be set up in Azure. But per my requirements I have to set up delegated permissions only, and pyflyte should work with that. And if I change the scope to something other than .default, it throws an invalid scope error. Please suggest what to do.