# flyte-support
e
Like, if I can provide a cookie in config.yaml in .flyte, and then only whoever has that cookie is able to access it.
a
Oh, I don't think this is available as a cookie, but I think the closest is the ClientCredentials flow. You add to your config.yaml:
admin:
  ...
  authType: ClientCredentials
  clientSecretLocation: /etc/secrets/client_secret
Whoever has the client_secret can get an access token, provided you have completed the config to register Flyte as a client.
It can be registered with the flyteadmin internal auth server or one coming from your IdP.
And you also need OIDC.
e
Ohh, cool.
I have set up OIDC.
a
I'm documenting this as we speak btw
e
I am able to authenticate,
but stuck in authorization now.
I was using PKCE.
With OIDC, that's not correct?
a
That's the default flow and it's correct too.
Can you get logs from the flyteadmin pod?
e
I am using Google.
Google IdP

Google IdP does not offer an OAuth2 Authorization Server that could be used to protect external services (For example Flyte). In this case, Google offers a separate Cloud Product called Google Cloud Identity. Configuration for Cloud Identity is not included in this guide. If unavailable, setup can stop here and FlyteAdmin BuiltIn OAuth2 Authorization Server can be used instead.
I see this.
a
Yeah, I'm not sure that's up to date.
For PKCE you should be fine with Google as the OIDC layer and flyteadmin as the authz server.
e
So I am using flyte-binary.
a
Gotcha, so logs from that pod.
e
Ahh.
{
  "json": {
    "src": "handlers.go:91"
  },
  "level": "error",
  "msg": "Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present",
  "ts": "2025-03-27T21:38:23Z"
}
Am I missing something?
a
Any other error?
Could you also share your backend config? Like the values you used to set this up.
e
{"json":{"src":"token.go:80"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:309"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"token.go:100"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:317"},"level":"debug","msg":"Failed to parse ID Token from context. Error: [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:33Z"}
So I created an app in Google, and then I generated a random password and then hashed it.
{"json":{"src":"cookie.go:80","x-request-id":"a-v8f4krwhj4nb54blms7x"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:299"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"token.go:80"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:309"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"token.go:100"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:317"},"level":"debug","msg":"Failed to parse ID Token from context. Error: [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"cookie.go:80","x-request-id":"a-5rfnq8cqd7zm7w47cf5z"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:299"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"token.go:80"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:309"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"token.go:100"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:317"},"level":"debug","msg":"Failed to parse ID Token from context. Error: [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"cookie.go:80"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:91"},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handlers.go:147"},"level":"debug","msg":"Setting CSRF state cookie to 4iram6bmhq and state to a0208ff5a7391cc93f80d981ac0afabeecb34c47f9acd2d41412dff80b632a36\n","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"handler_utils.go:166"},"level":"debug","msg":"not validating whether relative redirect url is authorized","ts":"2025-03-27T21:37:33Z"}
{"json":{"src":"composite_workqueue.go:88"},"level":"debug","msg":"Subqueue handler batch round","ts":"2025-03-27T21:37:34Z"}
{"json":{"src":"composite_workqueue.go:98"},"level":"debug","msg":"Dynamically configured batch size [-1]","ts":"2025-03-27T21:37:34Z"}
{"json":{"src":"composite_workqueue.go:129"},"level":"debug","msg":"Exiting SubQueue handler batch round","ts":"2025-03-27T21:37:34Z"}
{"json":{"src":"cookie.go:80"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"handlers.go:91"},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"handlers.go:147"},"level":"debug","msg":"Setting CSRF state cookie to 877sitiuuw and state to 598dcebd4a0075f74be828969e530f6c317909057738abad782319f5f6990b1a\n","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"handler_utils.go:169"},"level":"debug","msg":"validating whether redirect url: https://flyte.hyperpod.labs.lumalabs.ai/console/select-project is authorized","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"handler_utils.go:173"},"level":"debug","msg":"authorizing redirect url: https://flyte.hyperpod.labs.lumalabs.ai/console/select-project against authorized uri: https://flyte.hyperpod.labs.lumalabs.ai/console/callback","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"composite_workqueue.go:88"},"level":"debug","msg":"Subqueue handler batch round","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"composite_workqueue.go:98"},"level":"debug","msg":"Dynamically configured batch size [-1]","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"composite_workqueue.go:129"},"level":"debug","msg":"Exiting SubQueue handler batch round","ts":"2025-03-27T21:37:35Z"}
{"json":{"src":"composite_workqueue.go:88"},"level":"debug","msg":"Subqueue handler batch round","ts":"2025-03-27T21:37:36Z"}
{"json":{"src":"composite_workqueue.go:98"},"level":"debug","msg":"Dynamically configured batch size [-1]","ts":"2025-03-27T21:37:36Z"}
{"json":{"src":"composite_workqueue.go:129"},"level":"debug","msg":"Exiting SubQueue handler batch round","ts":"2025-03-27T21:37:36Z"}
{"json":{"src":"composite_workqueue.go:88"},"level":"debug","msg":"Subqueue handler batch round","ts":"2025-03-27T21:37:37Z"}
{"json":{"src":"composite_workqueue.go:98"},"level":"debug","msg":"Dynamically configured batch size [-1]","ts":"2025-03-27T21:37:37Z"}
{"json":{"src":"composite_workqueue.go:129"},"level":"debug","msg":"Exiting SubQueue handler batch round","ts":"2025-03-27T21:37:37Z"}
{"json":{"src":"composite_workqueue.go:88"},"level":"debug","msg":"Subqueue handler batch round","ts":"2025-03-27T21:37:38Z"}
{"json":{"src":"composite_workqueue.go:98"},"level":"debug","msg":"Dynamically configured batch size [-1]","ts":"2025-03-27T21:37:38Z"}
{"json":{"src":"composite_workqueue.go:129"},"level":"debug","msg":"Exiting SubQueue handler batch round","ts":"2025-03-27T21:37:38Z"}
{"json":{"src":"composite_workqueue.go:88"},"level":"debug","msg":"Subqueue handler batch round","ts":"2025-03-27T21:37:39Z"}
{"json":{"src":"composite_workqueue.go:98"},"level":"debug","msg":"Dynamically configured batch size [-1]","ts":"2025-03-27T21:37:39Z"}
{"json":{"src":"composite_workqueue.go:129"},"level":"debug","msg":"Exiting SubQueue handler batch round","ts":"2025-03-27T21:37:39Z"}
{"json":{"src":"execution_stats.go:63"},"level":"debug","msg":"Execution stats: ActiveExecutions: 0 ActiveNodes: 0, ActiveTasks: 0","ts":"2025-03-27T21:37:40Z"}
{"json":{"src":"client.go:171"},"level":"info","msg":"AgentDeployments support the following task types: [task_type_1, task_type_2]","ts":"2025-03-27T21:37:40Z"}
{"json":{"src":"cookie.go:80","x-request-id":"a-fh8tkfmjwv766mf4ctrv"},"level":"info","msg":"Could not detect existing cookie [flyte_idt]. Error: http: named cookie not present","ts":"2025-03-27T21:37:40Z"}
{"json":{"src":"handlers.go:299"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2025-03-27T21:37:40Z"}
{"json":{"src":"token.go:80"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:40Z"}
{"json":{"src":"handlers.go:309"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2025-03-27T21:37:40Z"}
{"json":{"src":"token.go:100"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:40Z"}
{"json":{"src":"handlers.go:317"},"level":"debug","msg":"Failed to parse ID Token from context. Error: [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2025-03-27T21:37:40Z"}
This is what's coming when I try to log in.
a
From the logs, the redirectUri you configure in Google should be this: https://flyte.hyperpod.labs.lumalabs.ai, without the subpaths.
e
Is this not correct?
a
No, the Authorized redirect URI should be https://flyte.hyperpod.labs.lumalabs.ai
e
My issue was that even with the annotation, the ALB was not redirecting.
As per the doc:
Create an OAuth2 Client Credential following the official documentation and take note of the client_id and client_secret

In the Authorized redirect URIs field, add http://localhost:30081/callback for sandbox deployments, or https://<your-deployment-URL>/callback for other methods of deployment.
I can try what you said now.
a
Right, your deployment goes without console. It's the ingress host.
e
Changed that in Google now.
Changed in Helm and redeploying.
Why am I getting this?
Error 400: redirect_uri_mismatch
[Attached screenshot: Screenshot 2025-03-27 at 2.52.21 PM.png]
a
Ah, sorry!! The Authorized redirect URI should be `https://flyte.hyperpod.labs.lumalabs.ai/callback` in Google AND https://flyte.hyperpod.labs.lumalabs.ai in Helm.
e
Hahah, that's what I was saying earlier 🙂
a
Haha, sorry, I'm on many threads now.
e
Still no luck.
Do I need to restart the app?
I made the change in Google.
a
Maybe a deployment restart doesn't hurt; executions should progress regardless.
e
Done.
Let's see.
And my Flyte config is:
admin:
  # For GRPC endpoints you might want to use dns:///flyte.myexample.com
  endpoint: flyte.hyperpod.labs.lumalabs.ai:443 # Replace with your domain name
  authType: Pkce
  # authType: ClientCredentials
  # clientSecretLocation: /etc/secrets/client_secret
  insecure: false
  insecureSkipVerify: false
logger:
  show-source: true
  level: 6
Is this correct?
That worked.
tysm
OK, last question for now 🙂 How can I assign people RBAC access to Flyte?
Is it based on my EKS cluster??
a
If using an external auth server, you can map the Flyte app to a group of users, but that's the extent of what's available in Flyte. Union comes with RBAC out of the box. It lets you assign policies to users at the project-domain level: https://docs.union.ai/byoc/user-guide/administration/user-management. Happy to demo if needed.
e
How can I map??
a
For example, in Okta you can assign the app to groups inside your org.
Not sure how it's done in Google.
e
Ahh OK, I will check in Google. I think it's based on Identity Center, but I will check.
a
And you should be using Google as the authz server too, not flyteadmin.
e
Sure, I will check how.