Hi using Google for flyte console auth and I can t find docu Flyte #ask-the-community

Hi using Google for flyte console auth and I can’t...

seunggs

07/08/2022, 2:11 AM

Hi using Google for flyte console auth and I can’t find documentation on how to use the refresh token - it logs me out constantly otherwise?

Yuvraj

07/08/2022, 3:15 AM

https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#deployment-cluster-config-auth-setup did you follow the authentication docs ?

seunggs

07/08/2022, 3:16 AM

Yes this is the one I followed

seunggs

07/08/2022, 3:16 AM

For enabling refresh tokens, the configmap one has a commented line:

seunggs

07/08/2022, 3:16 AM

Copy code

# - offline_access # Uncomment if OIdC supports issuing refresh tokens.

seunggs

07/08/2022, 3:17 AM

This option doesn’t work with Google - it threw an error saying there is no such scope

seunggs

07/08/2022, 3:18 AM

And so I dug into Google doc on this and it seems to require sending some parameters with auth call, but since I’m not sure how Flyte is doing that underneath, I was hoping there’s some configuration (e.g. helm values) that could enable refresh tokens for Google auth

Yuvraj

07/08/2022, 3:18 AM

cc: @Prafulla Mahindrakar

Ketan (kumare3)

07/08/2022, 3:57 AM

@seunggs we have used Google for years now and no one in the team has experienced this. Are you sure you followed the docs

seunggs

07/08/2022, 3:59 AM

As far as I can tell I’ve followed the docs - I’ve changed the flyte-admin-secrets with the client secret (obviously since otherwise my auth wouldn’t work at all but it works fine) and then updated the config with these values:

seunggs

07/08/2022, 4:00 AM

Copy code

configmap: {
    adminServer: {
      auth: {
        userAuth: {
          openId: {
            baseUrl: '<https://accounts.google.com>',
            clientId: googleOauth2ClientId,
            scopes: ['profile', 'openid'],
          },
        },
        authorizedUris: [`https://${hostname}`],
      },
      server: {
        security: {
          secure: false,
          useAuth: true,
        },
      },
    },
  }

seunggs

07/08/2022, 4:00 AM

But it does kick me out very often, which is why I’m assuming refresh token isn’t working? Do you see anything wrong with my configmap settings above?

Prafulla Mahindrakar

07/08/2022, 6:38 AM

Those settings look correct . We have an internal environment which uses similar config and we donot see this issue.

Copy code

userAuth:
          openId:
            # Put the URL of the OpenID Connect provider.
            baseUrl: <https://accounts.google.com> # Uncomment for Google
            scopes:
              - profile
              - openid
            # Replace with the client id created for Flyte.
            clientId: <identitifier>.<http://apps.googleusercontent.com|apps.googleusercontent.com>

btw I am assuming your clientId is also of the above format . Can you check if you are seeing the same issue when you try flytectl . You can try getting projects using

flytectl get projects --logger.level=6 --admin.endpoint dns:///<flyte-endpoint>

Prafulla Mahindrakar

07/08/2022, 6:40 AM

Following scopes are supported https://accounts.google.com/.well-known/openid-configuration and the one in the doc is actually used to enable refresh token for okta and is not needed for google idp.

👍 1

seunggs

07/08/2022, 4:13 PM

That command runs fine - maybe I’m mistaken about this. Let me investigate and get back to you if I continue to run into this issue. Thank you for your prompt attention!

161 Views

Open in Slack

Previous Next