Hi all! I am trying to setup OIDC for flyte-core v...
# flyte-deployment
h
Hi all! I am trying to set up OIDC for flyte-core via Keycloak, and I am getting stuck in the flytePropeller config. As I can see from the docs, flytePropeller needs the scope offline, but in Keycloak it is named offline_access. How do I change this behaviour? In thirdPartyConfig we can change these settings for flyteClient, but not for flytePropeller.
Here are the flytepropeller logs:
```json
{
  "json": {
    "exec_id": "ax45bbq8d2rbxjlbpkpq",
    "ns": "my-project-development",
    "res_ver": "1068376961",
    "routine": "worker-1",
    "wf": "my-project:development:hello_world.hello_world_wf"
  },
  "level": "warning",
  "msg": "Event recording failed. Error [EventSinkError: Error sending event, caused by [rpc error: code = Unauthenticated desc = authenticated user doesn't have required scope]]",
  "ts": "2025-07-02T17:26:29Z"
}
```
Keycloak returns the following scopes:
```
"scope":"all profile email access_token offline_access"
```
g
IIRC, we ran into something similar -- but the problem is with the `all` scope needing to be added to your Keycloak client.
cc @gentle-umbrella-41187 who helped fix this on our end (and IIRC, we also landed an upstream patch)
g
one pitfall here is the confusingly named `scope` claim vs. `scp` claim. IIRC, in keycloak, you will need to set the `scp` claim to something like: `"[\"all\"]"`
Here's good context I've found around this issue https://discuss.flyte.org/t/12065729/wave-i-m-running-into-an-auth-problem-with-flytectl-using-th And an explanation:
This is a case where things are not conformant to the RFC, and each OIDC provider implements them differently and has these pitfalls. In your case the provider you are using is conformant in using scope, but the ones we have used like Okta, Azure AD and Auth0 seem to use scp claims by default. There is no additional configuration that was needed to do this and hence it probably was never included in the docs.
This is always a challenge with multiple implementations of the RFC, with each provider sometimes choosing to deviate.
To be more concrete here, what worked for us is to define the following Keycloak mapper:
```json
{
  "protocol": "openid-connect",
  "protocolMapper": "oidc-hardcoded-claim-mapper",
  "name": "Flyte All Scope Claim",
  "config": {
    "claim.name": "scp",
    "claim.value": "[\"all\"]",
    "jsonType.label": "JSON",
    "id.token.claim": "false",
    "access.token.claim": "true",
    "userinfo.token.claim": "false",
    "introspection.token.claim": "true",
    "access.tokenResponse.claim": "false"
  }
}
```
And add it to the flytepropeller Keycloak client.
h
Thank you very much! I’ll try this tomorrow and follow up here with the results.