<@U06RKAMK0UC>, External auth server as okta not w...
# ask-ai
v
@ancient-wolf-19325, an external auth server such as Okta is not working with authType set to PKCE. What is the config for this, and do you have any inputs/suggestions?
j
To configure Flyte with an external auth server like Okta using PKCE, you need to ensure that your Flytectl `config.yaml` is set up correctly. According to the Flytectl configuration guide, you should update the `config.yaml` as follows:
1. Set the `authType` to `Pkce`.
2. Provide the `clientId` that is registered with Okta.
3. Ensure the `endpoint` is correctly pointing to your Flyte ingress URL.
Here's a basic example of what the `config.yaml` might look like:
```yaml
admin:
  endpoint: dns:///<Flyte ingress url>
  authType: Pkce
  clientId: <your-client-id>
```
Additionally, ensure that your Okta setup includes the necessary scopes and redirect URIs. The redirect URI for Flytectl should be `http://localhost:53593/callback`, as mentioned in the Okta configuration guide. Would you like more detailed guidance on setting up Okta or troubleshooting specific issues?
Sources:
- Flytectl configuration guide
- Okta configuration guide
v
@ancient-wolf-19325, here, is the clientId from the Flyte application or the Flytectl application?
j
The `clientId` in the `config.yaml` for Flytectl should be the one registered with your external auth server, such as Okta, specifically for the Flytectl application. This client ID is used by Flytectl to authenticate with the external auth server using the PKCE flow. Would you like more detailed guidance on setting up the client ID for Flytectl?
Sources:
- Flytectl configuration guide
v
@ancient-wolf-19325, in the Okta Flytectl application, which client authentication option should be selected? None, client secret, or public key/private key?
j
It seems likely that for Flytectl using PKCE with Okta, you should select "None" for the client authentication option. PKCE is designed for public clients that do not use a client secret, as it relies on a dynamically generated code verifier and code challenge to enhance security. Would you like more detailed guidance on configuring Okta for Flytectl with PKCE?
Sources:
- https://github.com/flyteorg/flyte/issues/3482
- https://github.com/flyteorg/flyte/issues/2849
v
@ancient-wolf-19325, but `pyflyte register` / `pyflyte run` is still failing with authType pkce. Is any other config change needed in flyte-admin-base-config.yaml?
j
To address issues with `pyflyte register` or `pyflyte run` failing with `authType` set to PKCE, ensure that your Flyte admin configuration is correctly set up to support PKCE. According to the Flyte deployment guide, you should verify the following in your `flyte-admin-base-config.yaml`:
1. Auth Configuration: Ensure that the `auth` section is correctly configured to use an external auth server with PKCE. This includes setting the `authType` to `Pkce` and ensuring the `clientId` and `redirectUri` are correctly specified.
2. Scopes and Redirect URIs: Make sure the scopes include `openid`, `profile`, and any other necessary scopes. The redirect URI should match what is configured in your Okta application.
3. PKCE Flow: Ensure that the PKCE flow is enabled and correctly configured in both Flyte admin and your Okta application.
Here's a snippet of what the relevant section might look like:
```yaml
auth:
  appAuth:
    authServerType: External
    externalAuthServer:
      baseUrl: <https://your-okta-domain/oauth2/default>
      clientId: <your-client-id>
      redirectUri: <http://localhost:53593/callback>
      scopes:
      - openid
      - profile
      - offline_access
```
If these configurations are correct and the issue persists, it might be helpful to check the logs for any specific error messages that could provide more insight. Would you like more detailed guidance on troubleshooting this issue?
Sources:
- Flyte deployment guide
v
@ancient-wolf-19325, still the same issue. Also, I didn't see any logs from the external auth server side, meaning no request was received by Okta. Flyte admin logs:
```
{"json":{"src":"handlers.go:249"},"level":"debug","msg":"gRPC server info in logging interceptor []method [/flyteidl.service.AuthMetadataService/GetPublicClientConfig]\n","ts":"2024-11-27T063124Z"}
{"json":{"src":"handlers.go:249"},"level":"debug","msg":"gRPC server info in logging interceptor []method [/flyteidl.service.AuthMetadataService/GetOAuth2Metadata]\n","ts":"2024-11-27T063125Z"}
{"json":{"src":"handlers.go:293"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2024-11-27T063125Z"}
{"json":{"src":"token.go:80"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2024-11-27T063125Z"}
{"json":{"src":"handlers.go:303"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2024-11-27T063125Z"}
{"json":{"src":"token.go:100"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2024-11-27T063125Z"}
{"json":{"src":"handlers.go:293"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2024-11-27T063125Z"}
```
j
The logs indicate that Flyte Admin is unable to retrieve a bearer token or ID token, which suggests that the authentication request is not reaching the external auth server (Okta). Here are a few steps to troubleshoot and resolve the issue:
1. Check Flytectl Configuration: Ensure that the `config.yaml` for Flytectl is correctly configured with the `authType` set to `Pkce`, and that the `clientId` matches the one registered in Okta for Flytectl.
2. Network and Connectivity: Verify that there are no network issues preventing Flytectl from reaching the Okta server. This includes checking firewall rules, DNS settings, and ensuring that the Okta domain is accessible from the environment where Flytectl is running.
3. Redirect URI: Confirm that the redirect URI specified in both Flytectl and Okta matches exactly. Any mismatch can prevent the authentication flow from completing.
4. Scopes and Permissions: Double-check that the scopes configured in Okta include `openid`, `profile`, and any other necessary scopes. Ensure that these scopes are also specified in the Flyte admin configuration.
5. Logs and Debugging: Increase the verbosity of the logs in Flytectl and Flyte Admin to capture more detailed information about the authentication process. This can help identify where the process is failing.
6. Okta Application Configuration: Review the Okta application settings to ensure that PKCE is enabled and that the application is set up to handle public clients without a client secret.
If these steps do not resolve the issue, it may be helpful to capture network traffic to see if requests are being sent to Okta and to identify any potential errors in the request. Would you like more detailed guidance on any of these steps?
Sources:
- https://discuss.flyte.org/t/20826/i-am-setting-up-authentication-using-openid-connect-using-az/
- https://discuss.flyte.org/t/8579436/hi-community-i-tried-to-integrate-self-hosted-gitlab-as-an-e/
openid
,
profile
, and any other necessary scopes. Ensure that these scopes are also specified in the Flyte admin configuration. 5. Logs and Debugging: Increase the verbosity of the logs in Flytectl and Flyte Admin to capture more detailed information about the authentication process. This can help identify where the process is failing. 6. Okta Application Configuration: Review the Okta application settings to ensure that PKCE is enabled and that the application is set up to handle public clients without a client secret. If these steps do not resolve the issue, it may be helpful to capture network traffic to see if requests are being sent to Okta and to identify any potential errors in the request. Would you like more detailed guidance on any of these steps? Sources: - https://discuss.flyte.org/t/20826/i-am-setting-up-authentication-using-openid-connect-using-az/ - https://discuss.flyte.org/t/8579436/hi-community-i-tried-to-integrate-self-hosted-gitlab-as-an-e/ 👍 0 button 👎 0 button 💡 Hint: Mention @runllm in the thread for followups.