# flyte-support
b
Hi! How do I set up authentication? Or rather, Keycloak? With `flyte-binary`. I'm struggling with the authentication setup of the `flyte-binary` Helm chart version 1.16.1 against Keycloak 23.0.6. The `values.yaml` is below. In general, maybe (I'm not sure) my question is about what the exact requirements are for Flyte, in order to set those requirements up in Keycloak (KC) of that version. Certain scopes, for example, are absent: `offline` is `offline_access`, `all` is absent in KC, and so on. I'm looking into "Configuring authentication" - https://www.union.ai/docs/v1/flyte/deployment/flyte-configuration/configuring-authentication/ I set things up for the web interface and `flytectl` to work. I hope I understood what things should be set up from the Keycloak perspective concerning `audience`, for example. At least the web interface and `flytectl` work. However, executions are submitted successfully but are unable to start. Flytepropeller (maybe it is Propeller) complains about auth, producing logs at 0.5+ Mb/second. At least I have this in the logs:
```json
{"json":{"src":"interceptor.go:22","x-request-id":"a-fmktn2s6wf5f6rz7n5rb"},"level":"debug","msg":"authenticated user doesn't have required scope","ts":"2025-10-23T14:01:36Z"}
{"json":{"exec_id":"a5pwkw4w46snvz6xgvhj","ns":"flyteprj0005-development","res_ver":"217278987","routine":"worker-12","src":"auth_interceptor.go:213","wf":"flyteprj0005:development:workflows.hello_world.hello_world_wf"},"level":"debug","msg":"Request failed due to [rpc error: code = Unauthenticated desc = authenticated user doesn't have required scope]. If it's an unauthenticated error, we will attempt to establish an authenticated context.","ts":"2025-10-23T14:01:36Z"}
{"json":{"exec_id":"a5pwkw4w46snvz6xgvhj","ns":"flyteprj0005-development","res_ver":"217278987","routine":"worker-12","src":"auth_interceptor.go:236","wf":"flyteprj0005:development:workflows.hello_world.hello_world_wf"},"level":"debug","msg":"Request failed due to [Unauthenticated]. Attempting to establish an authenticated connection and trying again.","ts":"2025-10-23T14:01:36Z"}
{"json":{"src":"token_source_provider.go:257"},"level":"info","msg":"Fetched new token with expiry 2025-10-23 14:13:44.083157411 +0000 UTC m=+3572.209271697","ts":"2025-10-23T14:01:36Z"}
{"json":{"src":"token_source_provider.go:264"},"level":"info","msg":"retrieved token with expiry 2025-10-23 14:13:44.083157411 +0000 UTC m=+3572.209271697","ts":"2025-10-23T14:01:36Z"}
{"json":{"src":"token_utils.go:31"},"level":"debug","msg":"Token expiry : 2025-10-23 14:13:44.083157411 +0000 UTC m=+3572.209271697, Access token expiry : 2025-10-23 14:13:44 +0000 UTC, Are the equal : false","ts":"2025-10-23T14:01:36Z"}
{"json":{"src":"token_source_provider.go:238"},"level":"info","msg":"retrieved token from cache with expiry 2025-10-23 14:13:44.083157411 +0000 UTC m=+3572.209271697","ts":"2025-10-23T14:01:36Z"}
{"json":{"src":"handlers.go:271"},"level":"debug","msg":"Found existing metadata header flyte-authorization","ts":"2025-10-23T14:01:36Z"}
{"json":{"src":"handlers.go:299"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2025-10-23T14:01:36Z"}
{"json":{"src":"handlers.go:254"},"level":"debug","msg":"gRPC server info in logging interceptor [8d666489-6d2f-48e6-b020-9347945c991b]method [/flyteidl.service.AdminService/CreateWorkflowEvent]\n","ts":"2025-10-23T14:01:36Z"}
{"json":{"src":"interceptor.go:22","x-request-id":"a-nbdd4tx7w6tr8xzk88w6"},"level":"debug","msg":"authenticated user doesn't have required scope","ts":"2025-10-23T14:01:36Z"}
```
My `values.yaml` for the Helm chart is below:
```yaml
---

userSettings:
  hostName: "flyte"

configuration:
  logging:
    level: 6
    show-source: true
  database:
    username: "flyte_control_plane"
    password: "helm --set configuration.database.password=psql_pw"
    host: "postgres.test.daiger.ru"
    dbname: "flyte_control_plane"
  storage:
    type: "minio"
    metadataContainer: "flyte"
    userDataContainer: "flyte"
    provider: "s3"
    providerConfig:
      s3:
        region: "eu-west-1"  # Irrelevant for local but still needed.
        authType: "accesskey"
        endpoint: "https://minio-api.test.k8s.daiger.ru:443"
        accessKey: "helm --set configuration.storage.providerConfig.s3.accessKey=AWS_ACCESS_KEY_ID"
        secretKey: "helm --set configuration.storage.providerConfig.s3.secretKey=AWS_SECRET_ACCESS_KEY"
        disableSSL: "true"
        secure: "false"
  auth:
    enabled: true
    oidc:
      baseUrl: "https://keycloak.daiger.ru/realms/daiger"
      clientId: "flyteadmin_test"
      clientSecret: "helm --set configuration.auth.oidc.clientSecret=FLYTE_CREDENTIALS_OIDC_CLIENT_SECRET"
    internal:
      clientId: "flytepropeller_test"
      clientSecret: "helm --set configuration.auth.internal.clientSecret=FLYTE_CREDENTIALS_INTERNAL_CLIENT_SECRET"
      clientSecretHash: "helm --set configuration.auth.internal.clientSecretHash=FLYTE_CREDENTIALS_INTERNAL_CLIENT_SECRET_HASH"

    authorizedUris:
    - "https://flyte.test.k8s.daiger.ru"

  inline:
    auth:
      appAuth:
        authServerType: "External"
        externalAuthServer:
          baseUrl: "https://keycloak.daiger.ru/realms/daiger"
          metadataUrl: ".well-known/openid-configuration"
        thirdPartyConfig:
          flyteClient:
            clientId: "flytectl_test"
            redirectUri: "http://localhost:53593/callback"
            scopes:
            - "offline_access"
            - "offline"
            - "all"

            audience: "https://flyte.test.k8s.daiger.ru"
      userAuth:
        openId:
          baseUrl: "https://keycloak.daiger.ru/realms/daiger"
          scopes:
          - "profile"
          - "openid"
          clientId: "flyteconsole_test"

ingress:
  create: true
  ingressClassName: "nginx"
  commonAnnotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-buffering: "off"
    nginx.ingress.kubernetes.io/proxy-request-buffering: "off"

    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
    nginx.ingress.kubernetes.io/proxy-buffers: "4 16k"
    nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "32k"
    nginx.ingress.kubernetes.io/large-client-header-buffers: "8 16k"

  httpAnnotations:
    nginx.ingress.kubernetes.io/app-root: "/console"
  grpcAnnotations:
    nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
  host: "flyte.test.k8s.daiger.ru"
  separateGrpcIngress: true
  tls:
  - secretName: "tls-flyte-test-k8s-daiger-ru"
    hosts:
    - "flyte.test.k8s.daiger.ru"

serviceAccount:
  create: true
  name: "flyte"
  imagePullSecrets:
    - name: "image-pull-secret"
```
What are the requirements to be provided from the Keycloak perspective? Or is there an evident error in the materials above?
e
I think Flyte expects to get the scope from the `scp` field in the claims (ref to code). Could you try adding a new mapper in Keycloak and adding an `scp` field with the value `all` to it?
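To see whether the access token Propeller obtains from Keycloak would pass the check behind "authenticated user doesn't have required scope", a small diagnostic that decodes the token payload and looks for `all` in the `scp` claim, as the reply describes. This is an added example, not Flyte's or Keycloak's code; it assumes the claim name `scp` and scope value `all` from the thread, accepts both array and space-delimited claim shapes because the exact parsing Flyte uses is not shown here, and uses constructed tokens rather than real ones.

```python
import base64
import json

REQUIRED_SCOPE = "all"  # scope the thread says Flyte's interceptor requires (assumption)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_jwt(payload: dict) -> str:
    # Constructed sample token with a dummy signature, only to feed the checker below.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.sig"


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. Inspection only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_unb64url(parts[1]))


def scopes_in(claims: dict, key: str) -> set:
    # Accept both array (["all"]) and space-delimited ("openid all") claim shapes.
    value = claims.get(key)
    if isinstance(value, str):
        return set(value.split())
    if isinstance(value, list):
        return {str(v) for v in value}
    return set()


def check_required_scope(token: str, required: str = REQUIRED_SCOPE) -> tuple:
    """Return (ok, reason) describing whether the `scp` claim carries the required scope."""
    claims = jwt_claims(token)
    scp, scope = scopes_in(claims, "scp"), scopes_in(claims, "scope")
    if required in scp:
        return True, f"`scp` carries {required!r}"
    if "scp" not in claims:
        return False, f"no `scp` claim; only Keycloak's default `scope` claim: {sorted(scope)}"
    return False, f"`scp` present but lacks {required!r}: {sorted(scp)}"


# Constructed tokens: Keycloak defaults vs. a realm with a mapper that adds `scp: ["all"]`.
KEYCLOAK_DEFAULT = make_test_jwt({"azp": "flytepropeller_test", "scope": "openid profile offline_access"})
WITH_SCP_MAPPER = make_test_jwt({"azp": "flytepropeller_test", "scope": "openid", "scp": ["all"]})

if __name__ == "__main__":
    for name, tok in (("keycloak default", KEYCLOAK_DEFAULT), ("with scp mapper", WITH_SCP_MAPPER)):
        print(name, check_required_scope(tok))
```

Paste a real access token obtained with the `flytepropeller_test` client credentials into `check_required_scope` to see which of the two cases your realm produces.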