# flyte-deployment
r
I've got a problem with Okta as my OIDC provider. I have a working setup using an auth0 sandbox account but my company uses Okta internally. The only thing I change between the working auth0 setup and the non-working Okta setup in Flyte are the `clientID`, `client_secret` and the `base_url`. I set up a web application in Okta with OIDC and see the following errors in the `flyte-backend-binary` logs:
(`<domain>` is the real and correct domain in reality)

```
{"json":{"src":"cookie.go:77"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2024-08-23T13:47:37Z"}
{"json":{"src":"handlers.go:86"},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present","ts":"2024-08-23T13:47:37Z"}
{"json":{"src":"handlers.go:142"},"level":"debug","msg":"Setting CSRF state cookie to ka030rzmgc and state to 96c2493a0c36ca18f2fa54081e234def57f83e3edb7dca8ef3c90a30fc6b4e0d\n","ts":"2024-08-23T13:47:37Z"}
{"json":{"src":"handler_utils.go:169"},"level":"debug","msg":"validating whether redirect url: https://<domain>/console/select-project is authorized","ts":"2024-08-23T13:47:37Z"}
{"json":{"src":"handler_utils.go:172"},"level":"debug","msg":"authorizing redirect url: https://<domain>/console/select-project against authorized uri: <domain>","ts":"2024-08-23T13:47:37Z"}
```
I tested this on `flyte-binary 1.13.0` so I don't think it is this issue
a
But is your redirect URL formatted including the `.../console/select-project`? I think you only need to use https://your-domain/callback
r
It's just the `callback` URL. The first URL that is hit coming back from the Okta login screen is `https://domain/callback?code=SBwXttdxL0c-uzo_4YA9MeMNYkL_I0k3L5TO93c5SmM&state=da98016e6608241a6ff81c5643648f26b725ba854bcaaf4008790e54e346a65b`, which interestingly gives a `502 Bad Gateway` - but if I refresh it gives a `403 Forbidden`. Not sure if that is a hint about what might be going on...
a
Is this only for OIDC with the internal auth server, right? I guess you already double-checked the steps from the docs?
r
Yes, only OIDC with the internal auth server. Yes, I've been following the docs and it works for auth0 but not for Okta, which is the weird thing...
a
is your deployment running behind a proxy?
r
Yes, but it's the same setup for Okta and auth0 - just to be explicit about that.