Hi everyone! I'm wondering if others have had issues getting Keycloak to work as the OAuth2 Authorization Server. I have the console working correctly and can login through our Keycloak instance to the web ui, but when I try to enable the configMap.adminServer.auth.appAuth and thirdPartyConfig in the Helm chart, the Flyteadmin pod enters a crashloop on startup trying to create the oauth2ResourceServer (hitting this error point I think) because it is getting a "404" response. I've been able to see in access logs that it is looking for /auth/realms/myrealm/.well-known/oauth-authorization-server on the Keycloak instance and that endpoint doesn't exist, thus the 404. As far as I know, Keycloak only supports the .well-known/openid-configuration and not oauth-authorization-service endpoint, but I could be wrong since others seem to have it working? This is deploying with v1.0.2 of the helm chart, which uses v1.1.16 of flyteadmin, and v16 Keycloak instance.

I know there are few using key cloak- cc @boundless-pizza-95864 ?

Hi @acoustic-painting-95053 Can you check this section here https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#id1 Where commented section mentions the additional config needed for keycloak.

externalAuthServer:
         .....
            #baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for keycloak
            #metadataUrl: .well-known/openid-configuration #Uncomment for keycloak

🤦 I must have looked at those docs 10 times and somehow missed that every time! Thanks!

flytectl

now opens a browser and gives me a success message on the

localhost:53593

page, but back on the cli I get an error response with

code = Unauthenticated desc = token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken

. I can see the flytectl grpc request hit the

flyteadmin

server with what appears to be a valid JWT issued by Keycloak I'm hoping I haven't missed something else obvious in the docs!

@acoustic-painting-95053 please recommend doc updates if any

@freezing-airport-6809 Forgot to mention that I had added an issue with some recs

Hi, everyone. I'm trying to run Flyte using keycloak as external authorization server, but I'm facing errors in FlytePropeller when workflows are launched as shown below: [rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: oauth2: cannot fetch token: 401 Unauthorized I followed the Flyte authentication doc (https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html) and also configured the audience parameter based on issue about it (https://github.com/flyteorg/flyte/issues/2606). After that, the FlyteConsole and Flytectl are working correctly. So, each one of them is able to reach and interact with FlyteAdmin, but it is not possible to launch any workflow with successfully in FlytePropeller. In the FlyteConsole, the unknown status is displayed for each workflow sent to the FlyteAdmin. Could someone has any suggestion of configuration that can be missing for authenticated communication between FlyteAdmin and Propeller?