https://flyte.org logo
Powered by
s

seunggs

07/08/2022, 2:11 AM
Hi using Google for flyte console auth and I can’t find documentation on how to use the refresh token - it logs me out constantly otherwise?
y

Yuvraj

07/08/2022, 3:15 AM
s

seunggs

07/08/2022, 3:16 AM
Yes this is the one I followed
For enabling refresh tokens, the configmap one has a commented line:
Copy code
# - offline_access # Uncomment if OIdC supports issuing refresh tokens.
This option doesn’t work with Google - it threw an error saying there is no such scope
And so I dug into Google doc on this and it seems to require sending some parameters with auth call, but since I’m not sure how Flyte is doing that underneath, I was hoping there’s some configuration (e.g. helm values) that could enable refresh tokens for Google auth
y

Yuvraj

07/08/2022, 3:18 AM
cc: @Prafulla Mahindrakar
k

Ketan (kumare3)

07/08/2022, 3:57 AM
@seunggs we have used Google for years now and no one in the team has experienced this. Are you sure you followed the docs
s

seunggs

07/08/2022, 3:59 AM
As far as I can tell I’ve followed the docs - I’ve changed the flyte-admin-secrets with the client secret (obviously since otherwise my auth wouldn’t work at all but it works fine) and then updated the config with these values:
Copy code
configmap: {
    adminServer: {
      auth: {
        userAuth: {
          openId: {
            baseUrl: '<https://accounts.google.com>',
            clientId: googleOauth2ClientId,
            scopes: ['profile', 'openid'],
          },
        },
        authorizedUris: [`https://${hostname}`],
      },
      server: {
        security: {
          secure: false,
          useAuth: true,
        },
      },
    },
  }
But it does kick me out very often, which is why I’m assuming refresh token isn’t working? Do you see anything wrong with my configmap settings above?
p

Prafulla Mahindrakar

07/08/2022, 6:38 AM
Those settings look correct . We have an internal environment which uses similar config and we donot see this issue.
Copy code
userAuth:
          openId:
            # Put the URL of the OpenID Connect provider.
            baseUrl: <https://accounts.google.com> # Uncomment for Google
            scopes:
              - profile
              - openid
            # Replace with the client id created for Flyte.
            clientId: <identitifier>.<http://apps.googleusercontent.com|apps.googleusercontent.com>
btw I am assuming your clientId is also of the above format . Can you check if you are seeing the same issue when you try flytectl . You can try getting projects using 
flytectl get projects --logger.level=6 --admin.endpoint dns:///<flyte-endpoint>
Following scopes are supported https://accounts.google.com/.well-known/openid-configuration and the one in the doc is actually used to enable refresh token for okta and is not needed for google idp.
👍 1
s

seunggs

07/08/2022, 4:13 PM
That command runs fine - maybe I’m mistaken about this. Let me investigate and get back to you if I continue to run into this issue. Thank you for your prompt attention!
2 Views
Powered by