Hey, I am trying to use the

clientSecret

authflow to be able to build and register workflows in our GitHub Actions CI builds. I looked at the CI docs here, and getting the following error both locally and in our CI when I run the same command. Has anyone experienced anything similar? Flytectl config available in comments

☁  ~  flytectl get projects
Error: rpc error: code = Unauthenticated desc = transport: oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)."}

The flow seems right to me. Can you double check if the client ID and secret are correct?

They are correct! Using the same ones in the admin. Should I do any encoding?

Hi @helpful-crowd-74546, Can you check your admin config and if the clientId matches what you are passing. Specifically this section and also from the log seems authServerType might not have been set in your case and defaulting to SelfAuth

appAuth:
        authServerType: External
        externalAuthServer:
          baseUrl: https://<provider-url>/oauth2/<auth-server-id>
        thirdPartyConfig:
          flyteClient:
            clientId: <client-id>
            redirectUri: <http://localhost:53593/callback>
            scopes:
            - all

Hey, the admin pod is crashlooping after I applied those changes:

☁  terraform [main] ⚡ k logs flyteadmin-7fc47f776d-ddn4n
Defaulted container "flyteadmin" out of: flyteadmin, run-migrations (init), seed-projects (init), sync-cluster-resources (init), generate-secrets (init)
time="2022-08-18T07:24:48Z" level=info msg="Using config file: [/etc/flyte/config/cluster_resources.yaml /etc/flyte/config/clusters.yaml /etc/flyte/config/db.yaml /etc/flyte/config/domain.yaml /etc/flyte/config/logger.yaml /etc/flyte/config/remoteData.yaml /etc/flyte/config/server.yaml /etc/flyte/config/storage.yaml /etc/flyte/config/task_resource_defaults.yaml]"
{"json":{},"level":"debug","msg":"Config section [notifications] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [domains] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [externalevents] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [queues] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [qualityofservice] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [task_resources] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [plugins] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [plugins.catalogcache] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [plugins.k8s] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [admin] updated. Firing updated event.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [remotedata] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [namespace_mapping] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [database] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [auth] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [server] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [scheduler] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [cloudevents] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [secrets] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"debug","msg":"Config section [storage] updated. No update handler registered.","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"info","msg":"setting metrics keys to [project domain wf task phase tasktype runtime_type runtime_version app_name]","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"info","msg":"Serving Flyte Admin Insecure","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"info","msg":"Starting profiling server on port [10254]","ts":"2022-08-18T07:24:48Z"}
{"json":{},"level":"error","msg":"Error creating resource server 404 Not Found: ","ts":"2022-08-18T07:24:48Z"}
Error: 404 Not Found:
Usage:
  flyteadmin serve [flags]

May be we are missing these things in the CI docs . Can you share your entire auth section of admin config. Do the baseUrl in appAuth match one thats in userAuth

Gotcha! No worries, sure one sec

Does this open up on your browser

<https://login.microsoftonline.com/tenantId/v2.0/.well-known/oauth-authorization-server>

No it doesn’t, only

openid-configuration

suffix works

Ok can you add

appAuth:
        authServerType: External
        externalAuthServer:
          baseUrl: <https://login.microsoftonline.com/tenantId/v2.0>
          metadataUrl: .well-known/openid-configuration

And check

Sure

Also if you can search for jwks_uri/jwksUri in .well-know config if it exists

jwks_uri is there!

cool . then it should not fail there any more with the new config update.

Trying now, just restarting pods

Ok . Seems there is offline_access instead for ms

Yeah, in your docs it says that the all scope is required. I could try only the offline_access scope

openid, email would also be required

Right, now I get this error

☁ ⚡ flytectl get projects
Error: rpc error: code = Unauthenticated desc = transport: oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"invalid_scope","error_description":"AADSTS1002012: The provided value for scope openid email offline_access is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier

Can you check this one https://docs.microsoft.com/en-us/answers/questions/750966/scope-used-for-authenticating-to-use-an-app-regist.html

Sure, will check it out and let you know how it goes! 🙂 Thanks for your support

Strange. what is the scope you added and also is your environment up with flytepropeller being able to communicate with admin .

i used this scope https://graph.microsoft.com/.default

Are you able to lunch any workflow from the flyteconsole UI and see the state changes being updated for the task

Yes I can run workflows from UI/flytectl

Thats strange. If propeller is able to do it so why can’t flytectl , Can you reuse flytepropeller’s client_id and client_secret and recheck in your original setup where things worked from UI .Change the clientId under flyteClient: to what you have configured for propeller

No need to apologise haha, really appreciate the help!

Hi @helpful-crowd-74546 can we get on a call to resolve this.

Hey! Sure we can do that, what’s your availability?

I am available now . we can do google meet if you are too