# flyte-deployment
a
I am trying to set up the flyte core chart with authentication using Keycloak and the internal authorization server. I will probably change the authorization server over later, but I figured it should be easier to start this way. I am trying to get just the UI auth working right now, but have run into some issues. Looking to see if anyone has resolved similar things before.
When the flyteadmin pod starts up it shows this error:
{
  "json": {},
  "level": "error",
  "msg": "Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present",
  "ts": "2024-07-30T22:18:58Z"
}
If I go to the web UI I get a popup saying Authorization Required; if I click its "back to sign in" button I get a 403 page with this URL: https://my-url.com/callback?error=invalid_request&error_description=Missing+parameter%3A+code_challenge_method&state=91c4dd04c1826b70b09456fc2591a442146e69dd1eb0d3207280ac12e9409a2b&iss=mykeycloak. I then see two more logs in flyteadmin:
{"json":{},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present","ts":"2024-07-30T22:19:45Z"}
{"json":{},"level":"error","msg":"Error when exchanging code oauth2: \"invalid_grant\" \"Code not valid\"","ts":"2024-07-30T22:19:45Z"}
Here is what the related portions of my values file look like:
secrets:
  adminOauthClientCredentials:
    enabled: true
    clientSecret: "raw generated password"
    clientId: flytepropeller

  adminServer:
    server:
      security:
        secure: false
        useAuth: true
        allowCors: true
        allowedOrigins:
          # Accepting all domains for Sandbox installation
          - "*"
        allowedHeaders:
          - "Content-Type"
    auth:
      appAuth:
        thirdPartyConfig:
          flyteClient:
            clientId: flytectl
            redirectUri: http://localhost:53593/callback
            scopes:
              - offline
              - all
        selfAuthServer:
          staticClients:
            flyte-cli:
              id: flyte-cli
              redirect_uris:
                - http://localhost:53593/callback
                - http://localhost:12345/callback
              grant_types:
                - refresh_token
                - authorization_code
              response_types:
                - code
                - token
              scopes:
                - all
                - offline
                - access_token
              public: true
            flytectl:
              id: flytectl
              redirect_uris:
                - http://localhost:53593/callback
                - http://localhost:12345/callback
              grant_types:
                - refresh_token
                - authorization_code
              response_types:
                - code
                - token
              scopes:
                - all
                - offline
                - access_token
              public: true
            flytepropeller:
              id: flytepropeller
              client_secret: "bcrypt hash of raw password"
              redirect_uris:
                - http://localhost:3846/callback
              grant_types:
                - refresh_token
                - client_credentials
              response_types:
                - token
              scopes:
                - all
                - offline
                - access_token
              public: false
      authorizedUris:
        - https://my-url.com
        - http://flyteadmin:80
        - http://flyteadmin.flyte.svc.cluster.local:80
      userAuth:
        openId:
          baseUrl: "oidcBaseUrl"
          clientId: "oidcClientId"
          scopes:
            - profile
            - openid
I have also edited the flyte-admin-secret:
k describe secret flyte-admin-secrets
Name:         flyte-admin-secrets
Namespace:    flyte
Labels:       app.kubernetes.io/managed-by=Helm
Annotations:  meta.helm.sh/release-name: flyte
              meta.helm.sh/release-namespace: flyte

Type:  Opaque

Data
====
token_rsa_key.pem:    1679 bytes
claim_symmetric_key:  43 bytes
cookie_block_key:     43 bytes
cookie_hash_key:      86 bytes
oidc_client_secret:   32 bytes
f
Always auth haha
a
@ambitious-businessperson-90319 could you share details about your Keycloak config, especially the PKCE part? We'll maybe have to have a screen-sharing session to better explore this.
a
Ah, so if I turn off PKCE it all works! But I would prefer if it is enabled. Are there some config options to support it?
a
Yeah, it's better if we enable it.
"Are there some config options to support it?"
That's what we'll need to find out, because it seems something is missing from the client side.
@ambitious-businessperson-90319 thanks again for your time during the session. I was wondering if some of the info on this thread would be useful for you: https://github.com/flyteorg/flyte/issues/4955#issuecomment-1987407815 I still plan to reproduce the issue, but wanted to share this in the meantime.
a
Hmm, I had seen this before, but it only seemed relevant if you were using the external auth server. I'll try to look at it a bit again.
a
Yeah, maybe the name that Keycloak uses for some of the scopes is something to check.