07/08/2022, 2:11 AM
Hi using Google for flyte console auth and I can’t find documentation on how to use the refresh token - it logs me out constantly otherwise?


07/08/2022, 3:16 AM
Yes this is the one I followed
For enabling refresh tokens, the configmap one has a commented line:
# - offline_access # Uncomment if OIdC supports issuing refresh tokens.
This option doesn’t work with Google - it threw an error saying there is no such scope
And so I dug into Google doc on this and it seems to require sending some parameters with auth call, but since I’m not sure how Flyte is doing that underneath, I was hoping there’s some configuration (e.g. helm values) that could enable refresh tokens for Google auth


07/08/2022, 3:18 AM
cc: @Prafulla Mahindrakar

Ketan (kumare3)

07/08/2022, 3:57 AM
@seunggs we have used Google for years now and no one in the team has experienced this. Are you sure you followed the docs?


07/08/2022, 3:59 AM
As far as I can tell I’ve followed the docs - I’ve changed the flyte-admin-secrets with the client secret (obviously since otherwise my auth wouldn’t work at all but it works fine) and then updated the config with these values:
configmap: {
    adminServer: {
      auth: {
        userAuth: {
          openId: {
            baseUrl: '<>',
            clientId: googleOauth2ClientId,
            scopes: ['profile', 'openid'],
          },
        },
        authorizedUris: [`https://${hostname}`],
      },
      server: {
        security: {
          secure: false,
          useAuth: true,
        },
      },
    },
},
But it does kick me out very often, which is why I’m assuming refresh token isn’t working? Do you see anything wrong with my configmap settings above?

Prafulla Mahindrakar

07/08/2022, 6:38 AM
Those settings look correct. We have an internal environment which uses similar config and we do not see this issue.
            # Put the URL of the OpenID Connect provider.
            baseUrl: <> # Uncomment for Google
            scopes:
              - profile
              - openid
            # Replace with the client id created for Flyte.
            clientId: <identifier>.<|>
btw I am assuming your clientId is also of the above format. Can you check if you are seeing the same issue when you try flytectl. You can try getting projects using
flytectl get projects --logger.level=6 --admin.endpoint dns:///<flyte-endpoint>
Following scopes are supported and the one in the doc is actually used to enable refresh token for okta and is not needed for google idp.
👍 1


07/08/2022, 4:13 PM
That command runs fine - maybe I’m mistaken about this. Let me investigate and get back to you if I continue to run into this issue. Thank you for your prompt attention!