
Aleksander Lempinen

10/26/2022, 8:33 AM
Has anyone deployed flyte with AWS Cognito for authentication? I'm having some trouble with it.

Ketan (kumare3)

10/26/2022, 2:26 PM
Not that we know of

Aleksander Lempinen

10/27/2022, 6:51 AM
Shame 😞 My main issue is that callback/redirect don't seem to work with the UI. When I go to flyte.<domain>/console I get redirected to Cognito auth.<domain> and I enter my credentials. I get redirected to flyte.<domain>/callback?code=<some string> and nothing happens. If I manually go to flyte.<domain>/console afterwards it lets me in just fine to the UI.
{"json":{},"level":"error","msg":"Error reading existing secure cookie [flyte_idt]. Error: [SECURE_COOKIE_ERROR] Error reading secure cookie flyte_idt, caused by: securecookie: the value is not valid"
{"json":{},"level":"error","msg":"Error reading secure cookie flyte_idt securecookie: the value is not valid","ts":"2022-10-27T06:48:43Z"}
{"json":{},"level":"error","msg":"Error reading existing secure cookie [flyte_idt]. Error: [SECURE_COOKIE_ERROR] Error reading secure cookie flyte_idt, caused by: securecookie: the value is not valid"
{"json":{},"level":"error","msg":"Error reading secure cookie flyte_idt securecookie: the value is not valid","ts":"2022-10-27T06:48:43Z"}
{"json":{},"level":"error","msg":"Error reading existing secure cookie [flyte_idt]. Error: [SECURE_COOKIE_ERROR] Error reading secure cookie flyte_idt, caused by: securecookie: the value is not valid"
{"json":{},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Error reading existing secure cookie [flyte_idt]. Error: [SECURE_COOK
{"json":{},"level":"error","msg":"Error getting user info from IDP oidc: failed to decode userinfo: json: cannot unmarshal string into Go struct field UserInfo.email_verified of type bool","ts":"2022-
{"json":{},"level":"error","msg":"Failed to query user info. Error: error getting user info from IDP","ts":"2022-10-27T06:49:39Z"}
Here are some logs from the flyteadmin container
Okay. I found the "bug". Cognito has email_verified as a string (should be bool), and disabling it on the Cognito side fixed it; I now get redirected without errors. But I still have a flytectl problem:
Error: Connection Info: [Endpoint: dns:///flyte.<domain>, InsecureConnection?: false, AuthMode: Pkce]: rpc error: code = Unauthenticated desc = token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken
It also opens a browser and redirects me to <domain>/oauth2/authorize_callback and gives an error
{"error":"error","error_description":"The error is unrecognizable"}

Ketan (kumare3)

10/27/2022, 1:58 PM
Cc @Haytham Abuelfutuh, do you know off the top of your head?

Haytham Abuelfutuh

10/28/2022, 5:57 PM
So flytectl should work with an access token, not an ID token. Do you mind taking a look at the flyteadmin logs (just like you did above for UI auth) when the redirect to /authorize_callback happens?

Aleksander Lempinen

11/03/2022, 5:24 AM
It didn't print any logs. I switched to using ClientSecret in the CLI and it works for now. If there is more interest, it would be great to get the CLI to work with external OAuth2 using Cognito in the future.
I currently use the built-in internal OAuth2.

Haytham Abuelfutuh

11/07/2022, 7:36 PM
Hey @Aleksander Lempinen, apologies for dropping the ball here.
Please let me know if you want to set up a debugging session to try this again.