# flyte-deployment
n
Hi everyone, We are currently facing authentication issues while triggering Flyte workflows from the gRPC/HTTPS endpoint. About 10 days ago, workflows triggered in the same manner were working as expected. However, in the past few days, we’ve noticed that workflow creation is failing due to authentication issues, with the following log message:
"Please open the following link in your browser to authenticate:
[authentication URL]"
It seems like the authentication method being used is `PKCE` (Proof Key for Code Exchange) rather than the expected `Client Secret` method. Could someone help us to resolve this?
f
This is not PKCE; this is a code-based flow. You have changed something on your IDP.
n
Hi @freezing-airport-6809, I believe that we haven't made any changes to our IDP. We are using Azure AD as our IDP. Anyways, any idea what changes might have caused the workflows to switch from using the `Client Secret` method to a code-based flow?
f
Usually IDPs have a switch and a default.
n
Didn't get you. Can you please elaborate?
Primarily, we want to understand which settings in the Azure AD (IDP) app would cause Flyte workflows to use the `code-based` flow instead of the `ClientSecret` method.
a
@narrow-king-98655 is workflow creation triggered by an external system like a CI/CD platform?
v
not via cicd, using pyflyte register we are creating/registering workflows
n
Hi @average-finland-92144, just wanted to check if you have had a chance to look into this issue. If yes, can you let us know your findings here?
a
@narrow-king-98655 could you share the `config.yaml` you're using to hit the flyteadmin endpoint? Any recent changes to the flyte config?
n
Hi @average-finland-92144, please find the attached `config.yaml` file for flyteadmin. We haven't made any changes to the flyte configurations or helm values.
a
Thanks for sharing, I mean the `$HOME/.flyte/config.yaml` on your machine, the one pyflyte register uses to connect to admin.
v
```yaml
admin:
  endpoint: dns:///flyte.us.XXX.xxx.com
  insecure: false
  authType: ClientSecret
  clientId: f918e381-c854-4566-XXXX-1d99d1d7874d
  clientSecretLocation: /path/to/secret
  tokenUrl: https://login.microsoftonline.com/0fa04d0d-XXXX-496e-XXXX-91ce76007b9a/oauth2/v2.0/token
  scopes: api://f918e381-XXXX-4566-XXXX-1d99d1d7874d/.default
console:
  endpoint: https://flyte.us.XXX.XXX.com
logger:
  show-source: true
  level: 5
```
n
@average-finland-92144, just wanted to check if you have had a chance to look into this issue. If yes, can you let us know your findings here?
Hi @average-finland-92144, can we have a live session to debug this issue? If yes, can you please let us know your availability for the coming Tuesday?
f
I don’t think you need tokenUrl etc. But I am not an auth expert. I will let David point in some direction. But @narrow-king-98655, what is the problem that you see? Is it that you want to use client id but it ends up using device code?
a
@narrow-king-98655 yeah, I don't think tokenUrl is needed there, let's have the session and we can take a closer look
v
The problem is that when authentication is enabled, for any task we launch through the API (I mean calling POST /executions), the task pod starts but it prints the message below and stays there forever.
"Please open the following link in your browser to authenticate:
[authentication URL]"
n
Hi @average-finland-92144 and @freezing-airport-6809, as Satya mentioned, above is the issue we are facing.
f
What? That is odd.
There is no auth at runtime.
Are you trying to hit the endpoint using flyte remote?