https://flyte.org logo
Powered by
#ask-the-community
Title
# ask-the-community
l

lgladh

02/17/2023, 4:49 PM
Hi! I have a single cluster deployment of Flyte. For authorization I am trying to setup OpenID with Azure AD. I have followed Authenticating in Flyte - Flyte, and the relevant part of my configuration currently looks like this:
Copy code
server: 
      security:
        secure: false
        useAuth: true
auth:
      authorizedUris:
        - https://<my public domain>
        - <http://flyteadmin:80>
        - <http://flyteadmin.mlops-services.svc.cluster.local:80>
      userAuth:
        redirectUrl: https://<my app url>/callback # Also added to redirect URI:s in Azure portal
        openId:
          baseUrl: <https://login.microsoftonline.com/><my tenant>/v2.0
          scopes:
            - email
            - openid
          clientId: <My client id from Azure portal>
I have the client secret in flyte-admin-secrets:
Copy code
data:
    oidc_client_secret: <base64 encoded client_secret from Azure portal>
Ingress rule looks like this:
Copy code
- backend:
    service:
      name: flyteadmin
      port:
        number: 80
    path: /callback
    pathType: ImplementationSpecific
- backend:
    service:
      name: flyteadmin
      port: 
        number: 80
    path: /callback/*
    pathType: ImplementationSpecific
Trying to access the public domain, the response is:
Copy code
Access to <my domain> was denied
You don't have the user rights to view this page
HTTP error 403
Looking at the logs from flyte admin it seems to be failing during the callback:
Copy code
{"json":{},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present","ts":"2023-02-17T13:04:21Z"}

{"json":{},"level":"error","msg":"Error generating encrypted accesstoken cookie [SECURE_COOKIE_ERROR] Error creating secure cookie, caused by: securecookie: the value is too long","ts":"2023-02-17T13:04:22Z"}

{"json":{},"level":"error","msg":"Error setting encrypted JWT cookie [SECURE_COOKIE_ERROR] Error creating secure cookie, caused by: securecookie: the value is too long","ts":"2023-02-17T13:04:22Z"}
It seems the generated cookie only is of length ~1400 I have tried different changes in the flyteadmin configmap, with the same result. Any advice on how to continue here?
d

David Espejo (he/him)

02/17/2023, 5:28 PM
Hi @Igladh If you execute 
kubectl get secrets/flyte-admin-secrets --template='{{.data.oidc_client_secret | base64decode}}'
Can you see the correct client secret?
l

lgladh

02/17/2023, 6:03 PM
Hey @David Espejo (he/him), I see the correct secret.
@David Espejo (he/him) Still haven't found a solution to this. I have tried setting up auth for another orchestrator using the same client secret etc., and it works. So, I guess it has to be something in the Flyte configuration? Anyone in particular I can try contacting to get help?
d

David Espejo (he/him)

02/21/2023, 4:05 PM
sorry for the delay Igladh, there's something that captures my attention in your config:
Copy code
scopes:
  - email
  - openid
isn't it missing the 
profile
scope?
l

lgladh

02/21/2023, 4:14 PM
I have tried adding profile as well, it does not fix the problem unfortunately.
d

David Espejo (he/him)

02/21/2023, 4:45 PM
cc @Yee in case you have ideas to help debug this problem
j

João Lobo Guerra Neto

03/10/2023, 4:09 PM
@Yee do you have any resolution for this problem? I same error here =(
39 Views
Powered by