What are the exact requirements to be provided at Keycloak side to make work OAuth2/OIDC authentication for

flyte-binary

Helm chart 1.16?

To enable OAuth2/OIDC authentication for the

flyte-binary

Helm chart with Keycloak, you must: 1. Create Keycloak clients for Flyte components (e.g.,

flyte

,

flytectl

,

flyte-propeller

) with appropriate access types (

CONFIDENTIAL

for backend,

PUBLIC

for CLI), enable standard flow, and set valid redirect URIs (e.g.,

http://localhost:53593/callback

for CLI, Flyte UI callback for web). 2. Define required client scopes in Keycloak: create scopes named

all

and

offline

(or use

offline_access

), and ensure these are assigned to the relevant clients. 3. Optionally, configure a client scope mapper to include the

audience

claim if your Flyte config uses

allowedAudience

. 4. In the Flyte Helm values, set

auth.enabled: true

, configure

oidc.baseUrl

to your Keycloak realm, and set `clientId`/`clientSecret` to match the Keycloak client. For

appAuth.thirdPartyConfig.flyteClient.scopes

, use the scopes you created in Keycloak (e.g.,

all

,

offline_access

). 5. Ensure the Keycloak clients and scopes match exactly what Flyte requests; mismatches will cause

invalid_scope

or

unauthorized_client

errors. For detailed YAML and Keycloak setup, see the discussion and working examples in issue #4955 and values-keycloak-idp-flyteclients-without-browser.yaml. The need to create the

all

and `offline`/`offline_access` scopes and assign them is explicitly mentioned in issue #2606. Would you like a step-by-step Keycloak admin console walkthrough or example YAML for both Flyte and Keycloak? Sources: - issue #4955 - issue #2606 - values-keycloak-idp-flyteclients-without-browser.yaml 👍 0 button 👎 0 button 💡 Hint: Mention @runllm in the thread for followups.

@ancient-wolf-19325 Clean the answer from unrelated knowledge like

flyte-core

. The question exactly is about

flyte-binary

, do not replace the question, do not suggest unverified information and do not extrapolate from common practice. The data above can not be used as an exact requirements (a criteria to provide at Keycloak side), contains variability, which makes the answer inapplicable. The data from the answer is already at Configuring authentication page and is not the requested answer.

There are no data sources provided that list the exact, prescriptive requirements to be configured on the Keycloak side specifically for OAuth2/OIDC authentication with the

flyte-binary

Helm chart 1.16. The available sources only discuss general setup steps, example configurations, and troubleshooting, but do not enumerate a definitive, step-by-step Keycloak configuration or a strict set of required Keycloak-side entities and settings for

flyte-binary

. If you need a precise, authoritative checklist or criteria for Keycloak configuration for

flyte-binary

, this is not present in the provided data sources. Would you like a summary of the closest available guidance or a breakdown of what is and is not covered in the sources? Sources: - issue #4955 - issue #2606 👍 0 button 👎 0 button 💡 Hint: Mention @runllm in the thread for followups.

@ancient-wolf-19325 What the information can be derived from the sources. Version 1.16, Git revision

47d7a5bbf

at https://github.com/flyteorg/flyte.git ?

From the provided sources, for Flyte version 1.16 (Git revision

47d7a5bbf

), you can derive that the

flyte-binary

Helm chart supports OIDC/OAuth2 authentication and provides configuration options for integrating with an external IdP like Keycloak. The chart exposes values for setting OIDC parameters (

baseUrl

,

clientId

,

clientSecret

), internal service credentials, and scopes, but does not specify exact Keycloak-side requirements. Example values and troubleshooting steps are shown, but no strict, version-specific Keycloak configuration checklist is present. The sources confirm that you must align the Flyte configuration (scopes, client IDs, redirect URIs) with what is defined in Keycloak, and that mismatches (e.g., missing scopes like

all

or

offline_access

) will cause authentication errors. However, the sources do not provide a step-by-step or exhaustive list of Keycloak-side settings required for Flyte 1.16 with Git revision

47d7a5bbf

. Would you like a summary of the configuration fields available in the

flyte-binary

chart for this version? Sources: - flyte-binary/README.md - flyte-binary/values.yaml - issue #4955 - issue #2606 👍 0 button 👎 0 button 💡 Hint: Mention @runllm in the thread for followups.

@ancient-wolf-19325 The sources do not provide a step-by-step or exhaustive list of Keycloak-side settings. They even do not provide the section

inline

. The sources are the source of true concerning how OAuth2/OIDC is used. What are the parameters and how the parameters are used is described by the sources. That was waht I mean under "derive". Do it - derive the requirements from the sources.

For Flyte 1.16 (

flyte-binary

), the requirements that can be derived from the sources for Keycloak OAuth2/OIDC integration are as follows: - You must configure a Keycloak client with: -

clientId

and

clientSecret

matching the values set in Flyte's

auth.oidc.clientId

and

auth.oidc.clientSecret

(flyte-binary/values.yaml). - Redirect URIs that include the Flyte UI callback (e.g.,

https://<flyte-url>/callback

) and, for CLI,

http://localhost:53593/callback

(flyte-binary/values.yaml). - The OIDC provider URL (

baseUrl

) set to the Keycloak realm's OIDC endpoint, referenced in Flyte as

auth.oidc.baseUrl

. - Scopes required by Flyte, typically

all

and

offline

(or

offline_access

), must be present in Keycloak and assigned to the client (flyte-binary/values.yaml, issue #4955). - If Flyte is configured with an audience (

allowedAudience

), ensure the Keycloak client or token mapper includes the correct

aud

claim (issue #2606). - The Keycloak client must support the grant types used by Flyte:

authorization_code

for user/CLI, and

client_credentials

for internal services (flyte-binary/values.yaml). - The Keycloak client must allow the scopes and redirect URIs requested by Flyte, or authentication will fail with

invalid_scope

or

unauthorized_client

errors (issue #4955). These requirements are derived from the parameters and usage described in the chart's values and referenced issues, which define how Flyte expects to interact with an OIDC provider. Sources: - issue #4955 - issue #2606 - flyte-binary/values.yaml 👍 0 button 👎 0 button 💡 Hint: Mention @runllm in the thread for followups.