Has anyone successfully setup authentication via J...
# flyte-supportb
bumpy-ghost-16726
06/17/2024, 9:42 PMHas anyone successfully setup authentication via Jumpcloud for Flyte Console, Control, and Propeller? I recall this was mentioned a few months ago but the messages were older than 90 days so they are gone.
If anyone has been able to set it up do you have any tips or instructions you could share? We're running into issues on configuring an authorization server. The step after #25. See here:https://github.com/davidmirror-ops/flyte-the-hard-way/blob/main/docs/aws/10-prepare-for-auth.md
a
average-finland-92144
06/17/2024, 9:44 PM@bumpy-ghost-16726 do you plan to use the External auth server or the one that runs with flyteadmin would suffice?
b
bumpy-ghost-16726
06/17/2024, 10:09 PM@cuddly-energy-9218
c
cuddly-energy-9218
06/17/2024, 10:09 PM@average-finland-92144 i work with Hal
cuddly-energy-9218
06/17/2024, 10:10 PMruns with flyteadmin should be fine.
a
average-finland-92144
06/17/2024, 10:11 PMcool, so you won't need to complete the steps in that section
average-finland-92144
06/17/2024, 10:12 PMyou'd just need to register a single app on Jumpcloud (not sure how that is done) and complete the steps in this section to let Flyte use an Identity token provided by Jumpcloud for flyteconsole, and the internal auth server for the rest of the components
https://docs.flyte.org/en/latest/deployment/configuration/auth_setup.html#apply-oidc-configuration
c
cuddly-energy-9218
06/17/2024, 10:13 PMis this look fine?
Copy code
auth:
enabled: true
enableAuthServer: true
oidc:
baseUrl: <https://oauth.id.jumpcloud.com/oauth2/auth> ##
clientId: <clintid-from-jumpcloud>
clientSecret: <client-secret-from-jump-cloud>
internal:
clientSecret: 'random-secret'
clientSecretHash: <encrypted-random-secret>
authorizedUris:
- <https://rpeter-flyte-testing.mydomain.com>a
average-finland-92144
06/17/2024, 10:14 PMit does
c
cuddly-energy-9218
06/17/2024, 10:20 PMwhile i try to login, i get with that config.
small fix current
baseUrl: <https://oauth.id.jumpcloud.com/>cuddly-energy-9218
06/17/2024, 10:21 PMi was under the assumption i can use the
Internal authorization servera
average-finland-92144
06/17/2024, 10:29 PMyou should, yes
average-finland-92144
06/17/2024, 10:29 PManything interesting in the flyte-binary Pod logs?
c
cuddly-energy-9218
06/17/2024, 10:31 PMwhile trying to login, no specific log message.
cuddly-energy-9218
06/17/2024, 10:31 PMmay be i should change the log level
a
average-finland-92144
06/17/2024, 10:37 PMyeah, I guess something should be logged eventually, especially due to that banner
c
cuddly-energy-9218
06/17/2024, 10:38 PMwhat log level i should try?
a
average-finland-92144
06/17/2024, 10:38 PM6 is the max If I remember correctly
c
cuddly-energy-9218
06/17/2024, 10:38 PMok
cuddly-energy-9218
06/17/2024, 10:42 PM Copy code
{"json":{"src":"cookie.go:77","x-request-id":"a-rc25h8hpvqf486p9dnfl"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2024-06-17T22:41:00Z"}
{"json":{"src":"handlers.go:293"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2024-06-17T22:41:00Z"}
{"json":{"src":"token.go:80"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2024-06-17T22:41:00Z"}
{"json":{"src":"handlers.go:303"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2024-06-17T22:41:00Z"}
{"json":{"src":"token.go:100"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2024-06-17T22:41:00Z"}
{"json":{"src":"cookie.go:77","x-request-id":"a-492jw6h9vstdgvp4vmld"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2024-06-17T22:41:00Z"}
{"json":{"src":"handlers.go:293"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2024-06-17T22:41:00Z"}
{"json":{"src":"token.go:80"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2024-06-17T22:41:00Z"}
{"json":{"src":"handlers.go:303"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2024-06-17T22:41:00Z"}
{"json":{"src":"token.go:100"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2024-06-17T22:41:00Z"}👀 1
a
average-finland-92144
06/17/2024, 10:42 PMbtw I think this is the old Slack thread:
https://discuss.flyte.org/t/15860713/has-anyone-integrated-flyte-with-jumpcloud-as-an-idp-i-m-hav
👍 1
c
cuddly-energy-9218
06/17/2024, 10:43 PM Copy code
{"json":{"src":"cookie.go:77"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2024-06-17T22:41:02Z"}
{"json":{"src":"handlers.go:86"},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present","ts":"2024-06-17T22:41:02Z"}
{"json":{"src":"handlers.go:142"},"level":"debug","msg":"Setting CSRF state cookie to xyeml3mydp and state to 5dc357d8275ec96312712f02ce7979c4183b3b8b937b71e50977a454a172fae8\n","ts":"2024-06-17T22:41:02Z"}
{"json":{"src":"handler_utils.go:169"},"level":"debug","msg":"validating whether redirect url: <https://rpeter-flyte-testing.labs.domain.com/console/projects/flytesnacks/domains/development> is authorized","ts":"2024-06-17T22:41:02Z"}
{"json":{"src":"handler_utils.go:172"},"level":"debug","msg":"authorizing redirect url: <https://rpeter-flyte-testing.labs.domain.com/console/projects/flytesnacks/domains/development> against authorized uri: <https://rpeter-flyte-testing.labs.domain.com>","ts":"2024-06-17T22:41:02Z"}a
average-finland-92144
06/17/2024, 10:46 PMhow your anonymized config on JumpCloud look like?
If we ever make this work, a docs PR would be great 🙂
👍 1
💯 1
c
cuddly-energy-9218
06/17/2024, 10:47 PMYou prefer a screenshot?
a
average-finland-92144
06/17/2024, 10:47 PMyeah, that works
c
cuddly-energy-9218
06/17/2024, 10:49 PMScreenshot 2024-06-17 at 3.48.14 PM.png
cuddly-energy-9218
06/17/2024, 11:43 PM@average-finland-92144 just making sure thats the info you looking for.
a
average-finland-92144
06/20/2024, 8:12 PMsorry for the delay
can you try making the Login URL without appending the
/consoleaverage-finland-92144
07/11/2024, 5:38 PMHey @cuddly-energy-9218 did you manage to make this work?
c
cuddly-energy-9218
07/11/2024, 5:38 PMYes
a
average-finland-92144
07/11/2024, 5:39 PMgreat. any learning you could share here for others trying to use Jumpcloud? 🤓
c
cuddly-energy-9218
07/11/2024, 5:40 PMAbsolutely, i can send you my values file, if you prefer.
cuddly-energy-9218
07/11/2024, 5:42 PMand i do not think its perfect, Jumpcloud just do the auth, authorization is not handled by Jumpcloud.
cuddly-energy-9218
07/11/2024, 5:44 PMHappy to jump on a call with you or share what you looking.
Keep in mind, I'm very very new to flyte. so keep a very low expectation 😄
cuddly-energy-9218
07/11/2024, 5:44 PMLMK
a
average-finland-92144
07/11/2024, 6:21 PMyeah, I think we can have a chat, mainly to see both side of the configs (Jumpcloud and Flyte)
Issue is that next week I'll be OOO so it had to be this week or later
c
cuddly-energy-9218
07/11/2024, 6:22 PMFeel free to ping me. im online during PST hours.
42 Views