I implemented auth into my flyte-binary build, but...
# ask-ai
i
I implemented auth into my flyte-binary build, but now my flytectl doesn't work. Help me setup my config file to use pkce
j
To set up your `flytectl` config file to use PKCE (Proof Key for Code Exchange) for authentication, you need to update the `config.yaml` file. Here are the steps:
1. Update `config.yaml`: Modify the `config.yaml` file to include the necessary PKCE configuration.
```yaml
admin:
  # Update with the Flyte's ingress endpoint (e.g. flyteIngressIP for sandbox or example.foobar.com)
  # You must keep the 3 forward-slashes after dns:
  endpoint: dns:///<Flyte ingress url>

  # Update auth type to `Pkce`
  authType: Pkce

  # Set to the clientId (will be used for both Pkce and ClientSecret flows)
  # Leave empty to use the value discovered through flyteAdmin's Auth discovery endpoint.
  clientId: <Id>

  # Set to the location where the client secret is mounted.
  # Only needed/used for `ClientSecret` flow.
  clientSecretLocation: </some/path/to/key>
```
2. Environment Variables: Ensure the necessary environment variables are set for PKCE.
```shell
export FLYTE_CREDENTIALS_CLIENT_ID=<client_id>
export FLYTE_CREDENTIALS_CLIENT_SECRET=<client_secret>
export FLYTE_CREDENTIALS_AUTH_MODE=basic
export FLYTE_CREDENTIALS_AUTHORIZATION_METADATA_KEY=<header name>
export FLYTE_CREDENTIALS_OAUTH_SCOPES=<idp defined scopes>
export FLYTE_PLATFORM_AUTH=True
```
3. Helm Chart Configuration: Ensure your Helm chart values file is correctly configured for PKCE.
```yaml
auth:
  appAuth:
    authServerType: External
    externalAuthServer:
      baseUrl: <https://login.microsoftonline.com>/<tenant-id>/oauth2/v2.0/authorize
      metadataUrl: .well-known/oauth-authorization-server
    thirdPartyConfig:
      flyteClient:
        clientId: <flytectl-client-id>
        redirectUri: http://localhost:53593/callback
        scopes:
          - offline
          - all
  userAuth:
    openId:
      baseUrl: <https://login.microsoftonline.com>/<tenant-id>/oauth2/v2.0/authorize
      scopes:
        - profile
        - openid
      clientId: <oidc-clientId>
```
For more detailed information, refer to the Flytectl configuration documentation. Would you like more detail on any specific part of the setup?
Sources:
- Flytectl Configuration
- Flytectl Configuration
i
@ancient-wolf-19325 this is my current helm config for a flyte-binary build. Anything I need to change?
```yaml
auth:
  enabled: true
  enableAuthServer: true
  oidc:
    baseUrl: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_acjb0eMJZ"
    clientId: "myid-redacted"
    clientSecret: "mysecret-redacted"
  internal:
    clientId: flytepropeller
    clientSecret: "mysecret-redacted"
    clientSecretHash: ""
  flyteClient:
    clientId: flytectl
    redirectUri: "https://my.domain.com/callback"
    scopes:
      - all
    audience: ""
  authorizedUris:
    - "https://my.domain.com"
  clientSecretsExternalSecretRef: ""
```
j
To ensure your `flytectl` works with PKCE, you need to make a few adjustments to your Helm configuration. Specifically, you need to ensure that the `authServerType` is set to `External` and that the `thirdPartyConfig` is correctly configured for PKCE. Here is the updated configuration:
```yaml
auth:
  enabled: true
  enableAuthServer: false  # Disable internal auth server
  oidc:
    baseUrl: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_acjb0eMJZ"
    clientId: "myid-redacted"
    clientSecret: "mysecret-redacted"
  internal:
    clientId: flytepropeller
    clientSecret: "mysecret-redacted"
    clientSecretHash: ""
  appAuth:
    authServerType: External  # Use external auth server
    externalAuthServer:
      baseUrl: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_acjb0eMJZ"
      metadataUrl: .well-known/openid-configuration
    thirdPartyConfig:
      flyteClient:
        clientId: flytectl
        redirectUri: "https://my.domain.com/callback"
        scopes:
          - all
  userAuth:
    openId:
      baseUrl: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_acjb0eMJZ"
      scopes:
        - profile
        - openid
      clientId: "myid-redacted"
  authorizedUris:
    - "https://my.domain.com"
  clientSecretsExternalSecretRef: ""
```
Key changes:
1. Disable Internal Auth Server: Set `enableAuthServer` to `false`.
2. Set External Auth Server: Add `appAuth` section with `authServerType` set to `External`.
3. Configure `thirdPartyConfig`: Ensure `flyteClient` is configured with the correct `clientId`, `redirectUri`, and `scopes`.
Would you like more detail on any specific part of the setup?
Sources:
- https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#panel-3-Zmx5dGUtY29yZQ%3D%3D
- https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#panel-2-QXp1cmUgQUQ%3D
i
@ancient-wolf-19325 With those updates implemented, what should my flyte config file look like to use flytectl?
j
To configure `flytectl` to use PKCE with the updated Helm configuration, you need to update your `config.yaml` file accordingly. Here is what your `flytectl` `config.yaml` should look like:
```yaml
admin:
  # Update with the Flyte's ingress endpoint (e.g. flyteIngressIP for sandbox or example.foobar.com)
  # You must keep the 3 forward-slashes after dns:
  endpoint: dns:///<Flyte ingress url>

  # Update auth type to `Pkce`
  authType: Pkce

  # Set to the clientId (will be used for both Pkce and ClientSecret flows)
  # Leave empty to use the value discovered through flyteAdmin's Auth discovery endpoint.
  clientId: flytectl

  # Set to the location where the client secret is mounted.
  # Only needed/used for `ClientSecret` flow.
  clientSecretLocation: </some/path/to/key>
```
Additionally, ensure the necessary environment variables are set for PKCE:
```shell
export FLYTE_CREDENTIALS_CLIENT_ID=flytectl
export FLYTE_CREDENTIALS_CLIENT_SECRET=<client_secret>
export FLYTE_CREDENTIALS_AUTH_MODE=basic
export FLYTE_CREDENTIALS_AUTHORIZATION_METADATA_KEY=<header name>
export FLYTE_CREDENTIALS_OAUTH_SCOPES=<idp defined scopes>
export FLYTE_PLATFORM_AUTH=True
```
This configuration ensures that `flytectl` uses PKCE for authentication, aligning with the changes made in your Helm configuration. Would you like more detail on any specific part of the setup?
Sources:
- Flytectl Configuration
- Flytectl Configuration
a
@icy-queen-60245 I think the bot is leading you in a more complicated direction. So to understand: you plan to use Flyte's internal auth server and only leverage cognito for OIDC right?
i
Yes, pretty much
a
and it works on the UI but when you try `flytectl` or `pyflyte` it throws the error you shared right?
i
Correct. Now I'm able to get a printed url on that step but when I follow it into the browser, I get this error.
```json
{
  "error": "invalid_request",
  "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls."
}
```
a
ok, so with flyte-binary and for OIDC only, you should use a config like this
```yaml
configuration:
  auth:
    enabled: true
    oidc:
      baseUrl: https://<your-IdP-base-url> # Uncomment
      clientId: <client_ID>
      clientSecret: <client_secret>
    internal:
      clientSecret: '<your-random-password>'
      clientSecretHash: <your-hashed-password>
    # authorizedUris belongs under auth, alongside oidc and internal
    authorizedUris:
      - https://<your-flyte-deployment-URL>
```
on your IdP, you should have an app or client registered with `https://<your-deployment-URL>/callback` as redirect URI
are you using ingress?
i
I am, yes
This is my current auth config
```yaml
auth:
  enabled: true
  oidc:
    baseUrl: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_2wfajfMJZ"
    clientId: "redacted"
    clientSecret: "redacted"
  internal:
    clientId: flytepropeller
    clientSecret: "redacted"
    clientSecretHash: ""
  flyteClient:
    clientId: flytectl
    redirectUri: "https://my.domain.com/callback" #http://localhost:53593/callback
    scopes:
      - all
    audience: ""
  authorizedUris:
    - "https://my.domain.com"
  clientSecretsExternalSecretRef: ""
```
a
```yaml
internal:
  clientId: flytepropeller
  clientSecret: "redacted"
  clientSecretHash: ""
flyteClient:
  clientId: flytectl
  redirectUri: "https://my.domain.com/callback" #http://localhost:53593/callback
  scopes:
    - all
  audience: ""
authorizedUris:
  - "https://my.domain.com"
clientSecretsExternalSecretRef: ""
```
I think this section has extra content that's midway between the internal auth server (what you need) and using your IdP's custom auth server (not the scope here). Using your IdP for OIDC only requires that propeller registers to flyteadmin's auth server as a client; that's what `internal` means here. So it would only need
```yaml
internal:
  clientSecret: '<your-random-password>'
  clientSecretHash: <your-hashed-password>
```
i
So I need to hash it as well and provide that?
a
yes, this is not the `client secret` that your IdP gives you, it's just a random password you generate
i
Alright, well I updated those changes... I'm getting the same result. Trying to get projects prints out a url. But the page it opens shows "{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls."}"
a
I don't have experience with Cognito as IdP, and haven't met anyone using it with Flyte, so not sure if there's something that Flyte is sending in a format different to what Cognito expects