Hey Everyone! As I am working on establishing authentication and authorization in flyte for other users. I successfully configured Authentication and Authorization with Microsoft Azure AD to Flyte Console (using flyte-binary). My kubernetes server (Single Node Cluster) is setup on Redhat Server which only has terminal. No GUI is there. Now the problem is with the authentication of flytectl. I configured it in the values file of helm chart of flyte-binary by providing following values.

inline:
  auth:
    appAuth:
      authServerType: External
      externalAuthServer:
      # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
      # baseUrl: <https://login.microsoftonline.com/><tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
      # For Okta, use the Issuer URI of the custom auth server:
        baseUrl: <https://dev>-<org-id>.<http://okta.com/oauth2/<auth-server-id|okta.com/oauth2/<auth-server-id>>
        metadataUrl: .well-known/oauth-authorization-server
      thirdPartyConfig:
        flyteClient:
          # Use the clientID generated by your IdP for the `flytectl` app registration
          clientId: <flytectl-client-id>
          redirectUri: <http://localhost:53593/callback>
          scopes:
          - offline
          - all
    userAuth:
      openId:
      # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
      # baseUrl: <https://login.microsoftonline.com/><tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
      # For Okta, use the Issuer URI of the custom auth server:
        baseUrl: <https://dev>-<org-id>.<http://okta.com/oauth2/<auth-server-id|okta.com/oauth2/<auth-server-id>>
        scopes:
        - profile
        - openid
      # - offline_access # Uncomment if your IdP supports issuing refresh tokens (optional)
      # Use the client ID and secret generated by your IdP for the first OIDC registration in the "Identity Management layer : OIDC" section of this guide
        clientId: <oidc-clientId>

Also changed $HOME/.flyte/config.yaml to this:

admin:
    # Update with the Flyte's ingress endpoint (e.g. flyteIngressIP for sandbox or <http://example.foobar.com|example.foobar.com>)
    # You must keep the 3 forward-slashes after dns:
    endpoint: dns:///<Flyte ingress url>

    # Update auth type to `Pkce` or `ClientSecret`
    authType: Pkce

    # Set to the clientId (will be used for both Pkce and ClientSecret flows)
    # Leave empty to use the value discovered through flyteAdmin's Auth discovery endpoint.
    clientId: <Id>

    # Set to the location where the client secret is mounted.
    # Only needed/used for `ClientSecret` flow.
    clientSecretLocation: </some/path/to/key>

But flytectl giving me following error on flytectl get projects. "/usr/xdg-open error" Also Note: I don't have GUI in my system. Can you guys suggest what approach i will use to get rid of this error and successfully authenticate with Microsoft Azure AD in flytectl as well.

Try setting

authType: DeviceFlow

And do this authType need any type of other configurations as well? @David Espejo (he/him)

besides what you have already configured on the backend no

Thank you @David Espejo (he/him).... Authentication successful although there is some change still needed in Azure AD to do. but Now i am one step ahead...Thanks for the help

there is some change still needed in Azure AD to do.

oh yes, I was about to mention that probably your IdP will require changes. Could you share what you had to change there?

Yeah Sure @David Espejo (he/him) . I will send the article link here. It only needs to allow public traffic to Mobile and Device Applications.

Are you expecting to get an id_token back in your device code response? If so, did you ensure your grant type supports it within okta and that you passed the correct scope to get it?

There are three tokens I should receive after successfully Authorization from Microsoft Azure IDP. Which is access_token, id_token and refresh_token. If I try to verify the authentication using Postman with same grant type scope and all it successfully give all three tokens in response. While in the flyte when i am using flytectl with DeviceFlow AuthType in command line it throws an error.

can you try setting the scope in your config.yaml? https://docs.flyte.org/projects/flytectl/en/latest/gen/flytectl_config.html

In config file of flyte?

yea, where you configure the authType, there's also the ability to set

scopes

I can add the scope there but like how can i add the open id

So the request made to Microsoft Azure IDP, if you are getting an id_token back, then you must be adding the

openid

scope on the request

Yeah i added the opeid configurations in values.yaml file as per in the Flyte Documentation..also flyte webui is working fine with authentication but cli is not working. although just give me few minutes i try to add the scope in config.yaml then try

So the way device authorization grant works is that you hit the "/authorize" endpoint w/ the scopes you want. The authorization code should be for those scopes and will then be able to be exchanged for a token(s) at the "/token" endpoint

Also one thing i wanna you to focus on is I don't have gnome-keyring daemon running .. So I think token can't be save in cache... Isn't it affect the process of authentication?

ok, my guess is that https://github.com/flyteorg/flyte/blob/master/flyteidl/clients/go/admin/deviceflow/payload.go#L41 needs to support an optional id_token

@Devendra Johari are you running on WSL?

No It's on Prime Server....Btw that above error is solved by changing scope to <api//s|api//><client-id>/Custom.Scope in thirdPartyConfig Section of auth. But Now pyflyte is throwing me an error. Can you tell where i have to setup configuration for pyflyte. And I have to make sure that I can use delegated permissions not Application Permission of Azure IDP. So that It can be recognized which user is using pyflyte