# ask-the-community
Hi, I’m using Google for Flyte console auth and I can’t find documentation on how to use the refresh token - it logs me out constantly otherwise.
Yes, this is the one I followed.
For enabling refresh tokens, the configmap one has a commented line:
```
# - offline_access # Uncomment if OIdC supports issuing refresh tokens.
```
This option doesn’t work with Google - it threw an error saying there is no such scope
And so I dug into the Google docs on this, and it seems to require sending some parameters with the auth call, but since I’m not sure how Flyte is doing that underneath, I was hoping there’s some configuration (e.g. helm values) that could enable refresh tokens for Google auth.
cc: @Prafulla Mahindrakar
@seunggs we have used Google for years now and no one in the team has experienced this. Are you sure you followed the docs?
As far as I can tell I’ve followed the docs - I’ve changed the flyte-admin-secrets with the client secret (obviously since otherwise my auth wouldn’t work at all but it works fine) and then updated the config with these values:
```
configmap: {
  adminServer: {
    auth: {
      userAuth: {
        openId: {
          baseUrl: 'https://accounts.google.com',
          clientId: googleOauth2ClientId,
          scopes: ['profile', 'openid'],
        },
      },
      authorizedUris: [`https://${hostname}`],
    },
    server: {
      security: {
        secure: false,
        useAuth: true,
      },
    },
  },
}
```
But it does kick me out very often, which is why I’m assuming refresh token isn’t working? Do you see anything wrong with my configmap settings above?
Those settings look correct. We have an internal environment which uses a similar config and we do not see this issue.
```
            # Put the URL of the OpenID Connect provider.
            baseUrl: https://accounts.google.com # Uncomment for Google
            scopes:
              - profile
              - openid
            # Replace with the client id created for Flyte.
            clientId: <identifier>.apps.googleusercontent.com
```
Btw, I am assuming your clientId is also of the above format. Can you check if you are seeing the same issue when you try flytectl? You can try getting projects using
```
flytectl get projects --logger.level=6 --admin.endpoint dns:///<flyte-endpoint>
```
The following scopes are supported: https://accounts.google.com/.well-known/openid-configuration. The one in the doc is actually used to enable refresh tokens for Okta and is not needed for the Google IdP.
That command runs fine - maybe I’m mistaken about this. Let me investigate and get back to you if I continue to run into this issue. Thank you for your prompt attention!