• Neal Feierabend
    2 months ago
    Hi everyone! I'm wondering if others have had issues getting Keycloak to work as the OAuth2 Authorization Server. I have the console working correctly and can log in through our Keycloak instance to the web UI, but when I try to enable configMap.adminServer.auth.appAuth and thirdPartyConfig in the Helm chart, the Flyteadmin pod enters a crashloop on startup trying to create the oauth2ResourceServer (hitting this error point, I think) because it is getting a "404" response. I've been able to see in the access logs that it is looking for /auth/realms/myrealm/.well-known/oauth-authorization-server on the Keycloak instance, and that endpoint doesn't exist, thus the 404. As far as I know, Keycloak only supports the .well-known/openid-configuration endpoint and not the .well-known/oauth-authorization-server endpoint, but I could be wrong since others seem to have it working? This is deploying with v1.0.2 of the Helm chart, which uses v1.1.16 of flyteadmin, and a v16 Keycloak instance.
  • Ketan (kumare3)
    2 months ago
    I know there are a few using Keycloak - cc @Sören Brunk?
  • Prafulla Mahindrakar
    2 months ago
    Hi @Neal Feierabend, can you check this section here: https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#id1, where the commented section mentions the additional config needed for Keycloak.
    externalAuthServer:
      .....
      # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for keycloak
      # metadataUrl: .well-known/openid-configuration # Uncomment for keycloak
  • Neal Feierabend
    2 months ago
    🤦 I must have looked at those docs 10 times and somehow missed that every time! Thanks!
    flytectl now opens a browser and gives me a success message on the localhost:53593 page, but back on the CLI I get an error response with code = Unauthenticated desc = token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken. I can see the flytectl gRPC request hit the flyteadmin server with what appears to be a valid JWT issued by Keycloak. I'm hoping I haven't missed something else obvious in the docs!
  • I figured it out: the audience setting needs to be changed. You need to add an allowedAudience setting along with the baseUrl and metadataUrl values, and then you need to add an audience mapper in Keycloak so that it gets added to the access token.
  • Ketan (kumare3)
    2 months ago
    @Neal Feierabend please recommend doc updates if any
  • Neal Feierabend
    2 months ago
    @Ketan (kumare3) Forgot to mention that I had added an issue with some recs.
  • Bruno Freitas
    2 weeks ago
    Hi, everyone. I'm trying to run Flyte using Keycloak as the external authorization server, but I'm facing errors in FlytePropeller when workflows are launched, as shown below: [rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: oauth2: cannot fetch token: 401 Unauthorized]. I followed the Flyte authentication doc (https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html) and also configured the audience parameter based on the issue about it (https://github.com/flyteorg/flyte/issues/2606). After that, FlyteConsole and flytectl are working correctly. So each of them is able to reach and interact with FlyteAdmin, but it is not possible to launch any workflow successfully in FlytePropeller. In FlyteConsole, the unknown status is displayed for each workflow sent to FlyteAdmin. Does anyone have any suggestion of configuration that could be missing for authenticated communication between FlyteAdmin and Propeller?