[Docs] Additional Keycloak configuration settings #2606

Closed
2 tasks done
nealf opened this issue Jun 10, 2022 · 6 comments
Labels
documentation Improvements or additions to documentation

Comments

nealf commented Jun 10, 2022

Description

The Authentication page includes some info on getting Flyte configured to use Keycloak, but it is missing some key pieces in the OAuth2 Authorization Server section. It should include a few notes on the configuration of Keycloak:

  • Client scopes for `offline` and `all` need to be created, as they do not exist in Keycloak by default. The `offline` one should likely include the `offline_access` role in the scope mapper.
  • The audience (`aud`) needs to be added to the access token. One way to do this is creating a new client mapper.

Additionally, the example Helm config yaml should include the `allowedAudience:` setting, for example, modifying what is there now (`thirdPartyConfig` is nested under `appAuth`, which the pasted indentation had lost):

```yaml
auth:
    appAuth:
        # 1. Choose External if you will use an external Authorization Server (e.g. a Custom Authorization server in Okta)
        #    Choose Self (or omit the value) to use FlyteAdmin's internal (albeit limited) Authorization Server.
        authServerType: External

        # 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
        externalAuthServer:
            baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6
            #baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for keycloak
            #metadataUrl: .well-known/openid-configuration # Uncomment for keycloak
            #allowedAudience: Flytectl # Uncomment for keycloak; must match the audience keycloak returns in the access token. If not provided, the audience is expected to be the public Uri of the service

        thirdPartyConfig:
            flyteClient:
                # 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server.
                clientId: flytectl

                # This should not change
                redirectUri: http://localhost:53593/callback

                # 4. "all" is a required scope and must be configured in the custom authorization server.
                scopes:
                - offline
                - all
    userAuth:
        openId:
            baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 # Okta with a custom Authorization Server
            scopes:
            - profile
            - openid
            # - offline_access # Uncomment if OIdC supports issuing refresh tokens.
            clientId: 0oakkheteNjCMERst5d6
```

I think those were the pieces I was missing when trying to get everything working. Thanks!

Are you sure this issue hasn't been raised already?

  • Yes

Have you read the Code of Conduct?

  • Yes
nealf added the documentation and untriaged labels Jun 10, 2022

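What the two Keycloak notes above amount to at runtime is an access token that carries the expected audience, issuer and scopes. The following is an added example (my code, not the issue author's, Flyte's or Keycloak's) that decodes an access token and checks its claims against a constructed copy of the Keycloak variant of the Helm snippet. `<keycloak-url>`, `<keycloak-realm>`, `flyte.example.com` and every sample token are placeholders or constructed; the way Keycloak reflects applied client scopes in the `scope` claim is stated in the code as an assumption. It does not verify the signature; flyteadmin does that against the issuer's JWKS.

```python
"""Check a Keycloak access token's claims against Flyte's externalAuthServer settings.
Added example, not code from the issue, Flyte or Keycloak. Claims only; no signature
check. Sample tokens are constructed and HMAC-signed with a throwaway key purely so
they parse like real JWTs (Keycloak itself issues RS256 tokens)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed config mirroring the Keycloak variant of the Helm snippet; hosts are placeholders.
FLYTE_AUTH = {
    "authorizedUris": ["https://flyte.example.com", "http://flyteadmin:80"],
    "appAuth": {
        "authServerType": "External",
        "externalAuthServer": {
            "baseUrl": "https://<keycloak-url>/realms/<keycloak-realm>",
            "metadataUrl": ".well-known/openid-configuration",
            "allowedAudience": "flytectl",
        },
        "thirdPartyConfig": {
            "flyteClient": {"clientId": "flytectl", "scopes": ["offline", "all"]},
        },
    },
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS. Deliberately no signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_token(token: str, flyte_auth: dict = FLYTE_AUTH, now=None) -> list:
    """List what flyteadmin would reject in this token; an empty list is a pass."""
    claims = decode_claims(token)
    ext = flyte_auth["appAuth"]["externalAuthServer"]
    problems = []

    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")

    if claims.get("iss") != ext["baseUrl"]:
        problems.append(f"iss {claims.get('iss')!r} != externalAuthServer.baseUrl {ext['baseUrl']!r} "
                        "(watch the /auth/realms/ vs /realms/ prefix between Keycloak versions)")

    # Per the Helm comment: with allowedAudience unset, flyteadmin expects the
    # public URI of the service, i.e. the first authorizedUris entry.
    expected_aud = ext.get("allowedAudience") or flyte_auth["authorizedUris"][0]
    aud = claims.get("aud") or []
    if isinstance(aud, str):  # RFC 7519 allows a bare string or a list
        aud = [aud]
    if expected_aud not in aud:
        problems.append(f"aud {aud} lacks {expected_aud!r}: add an audience mapper on the Keycloak client")

    # Assumption: Keycloak lists applied client scopes in the space-separated "scope"
    # claim (only those with "Include in token scope" enabled).
    granted = set(claims.get("scope", "").split())
    requested = flyte_auth["appAuth"]["thirdPartyConfig"]["flyteClient"]["scopes"]
    missing = [s for s in requested if s not in granted]
    if missing:
        problems.append(f"scope {sorted(granted)} lacks {missing}: create these client scopes in Keycloak")
    return problems


NOW = 1_700_000_000  # fixed clock so the constructed samples are reproducible


def make_sample_token(claims: dict) -> str:
    """Constructed HS256 JWT for exercising the checks above; not a Keycloak token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(b"throwaway-key", f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def sample_token(**overrides) -> str:
    """A token that satisfies FLYTE_AUTH; pass overrides to reproduce a misconfiguration."""
    claims = {
        "iss": FLYTE_AUTH["appAuth"]["externalAuthServer"]["baseUrl"],
        "aud": ["flytectl", "account"],  # "account" is Keycloak's usual default; "flytectl" comes from the mapper
        "azp": "flytectl",
        "scope": "openid profile offline all",
        "exp": NOW + 300,
        "iat": NOW,
    }
    claims.update(overrides)
    return make_sample_token(claims)


if __name__ == "__main__":
    print("good token:", check_token(sample_token(), now=NOW))
    print("no audience mapper:", check_token(sample_token(aud="account"), now=NOW))
    print("missing client scopes:", check_token(sample_token(scope="openid profile"), now=NOW))
```

Feed `check_token` a real access token obtained by flytectl (or straight from the Keycloak token endpoint): an `aud` complaint means the audience mapper is missing from the client, a `scope` complaint means the `offline`/`all` client scopes were not created or not assigned to it. With `allowedAudience` left unset the check follows the Helm comment and expects the first `authorizedUris` entry instead.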
welcome bot commented Jun 10, 2022

Thank you for opening your first issue here! 🛠

kumare3 removed the untriaged label Jun 10, 2022

samuel-sujith (Contributor) commented

Hello @nealf. Thanks for your issue.

In my Flyte deployment, I have 3 clients: a user client (ndsmlclient), flytectl and flytepropeller.

In the secrets section:

```yaml
secrets:
  adminOauthClientCredentials:
    # -- If enabled is true, helm will create and manage flyte-secret-auth and populate it with clientSecret.
    # If enabled is false, it's up to the user to create flyte-secret-auth as described in
    # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
    enabled: true
    clientSecret: "CO2n3hovN0J78FqxxOVtjOtkHH5fPL9C"
    clientId: "flytepropeller"
```

and in the admin section:

```yaml
# -- FlyteAdmin server configuration
adminServer:
  # Refer to the server config.
  server:
    httpPort: 8088
    grpcPort: 8089
    security:
      # -- Controls whether to serve requests over SSL/TLS.
      secure: false
      # -- Controls whether to enforce authentication. Follow the guide in https://docs.flyte.org/ on how to setup authentication.
      useAuth: true
      allowCors: true
      allowedOrigins:
        # Accepting all domains for Sandbox installation
        - "*"
      allowedHeaders:
        - "Content-Type"
        - "flyte-authorization"
  # Refer to the full structure for documentation.
  flyteadmin:
    roleNameKey: "iam.amazonaws.com/role"
    profilerPort: 10254
    metricsScope: "flyte:"
    metadataStoragePrefix:
      - "metadata"
      - "admin"
    eventVersion: 2
    testing:
      host: http://flyteadmin
  # -- Authentication configuration
  auth:
    authorizedUris:
      # This should point at your public http Uri.
      - https://
      # This will be used by internal services in the same namespace as flyteadmin
      - http://flyteadmin:80
      # This will be used by internal services in the same cluster but different namespaces
      - http://flyteadmin.nmlp.svc.cluster.local:80

    # Controls app authentication config
    appAuth:
      authServerType: External

      # 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
      externalAuthServer:
        baseUrl: https://<kcrealm>/realms/nsdmlp
        metadataUrl: .well-known/openid-configuration
        allowedAudience: flytectl

      thirdPartyConfig:
        flyteClient:
          clientId: flytectl
          redirectUri: http://localhost:53593/callback
          scopes:
            - offline
            - all

    # Controls user authentication
    userAuth:
      openId:
        baseUrl: https://<kcrealm>/realms/nsdmlp
        scopes:
          - profile
          - openid
          - offline_access
        clientId: nsdmlclient
```

I am not getting this to work correctly.

I am getting these errors in the logs:

```
{"json":{},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present","ts":"2022-08-04T18:34:11Z"}
{"json":{},"level":"error","msg":"Error when exchanging code oauth2: cannot fetch token: 401 Unauthorized\nResponse: {"error":"unauthorized_client","error_description":"Invalid client secret"}","ts":"2022-08-04T18:34:12Z"}
```

Please assist if possible.

joaolgn1985 commented

Any update about this issue?
I have the same problem and waiting for a resolution.

ariel-retrain commented May 24, 2023

Any news? I got the same error.
The flyteadmin pod is running but throws this error:

```
Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken
```

Flytescheduler is failing due to this error:

```
Unauthenticated desc = token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata
```

I use Helm to deploy Flyte chart version 1.6.0. We use Okta as our IdP. The configuration for the authentication part is below:

```yaml
adminServer:
    server:
      security:
        useAuth: true
    auth:
      authorizedUris:
        - https://flyte.xxx.xxx
        - http://flyteadmin:80
        - http://flyteadmin.flyte.svc.cluster.local:80
      appAuth:
        authServerType: External
        externalAuthServer:
          allowedAudience: flytepropeller # or flytectl --- did not understand where I should set this
          baseUrl: https://xxx.okta.com/oauth2/xxx
          metadataUrl: ".well-known/oauth-authorization-server"
        thirdPartyConfig:
          flyteClient:
            clientId: xxx
            redirectUri: http://localhost:53593/callback
            scopes:
              - offline
              - all
      userAuth:
        openId:
          baseUrl: https://xxx.okta.com/oauth2/xxx
          scopes:
            - profile
            - openid
            - offline_access
          clientId: xxx
```

Please assist if possible. I'm struggling with Flyte authentication for days... The documentation is not very clear about it.

samuel-sujith (Contributor) commented May 25, 2023

In my case, the below setting worked out:

```yaml
appAuth:
    authServerType: External
    externalAuthServer:
      allowedAudience: flytepropeller
      baseUrl: ""
      metadataUrl: ".well-known/openid-configuration"
```

and the userAuth section has to be with the IdP address:

```yaml
# Controls user authentication
userAuth:
    redirectUrl: "https://flyte.url/console"
    cookieSetting:
      domain: "flyte.url"
      sameSitePolicy: DefaultMode
    openId:
      baseUrl: "https://keycloakrealm.url/auth/realms/realmname"
      scopes:
        - profile
        - openid
        - offline_access
      clientId: keycloakclient
      clientSecretName: oidc_client_secret
```
Another thing that needs to be ensured is that flytepropeller is able to reach the IdP. In my case there was a certificate issue and I had to load my IdP public key into the flytepropeller cert store.

davidmirror-ops (Contributor) commented

With the recent updates to the auth docs and the support for the audience parameter, most of the issues reported here can be addressed.
If you find a different behavior please raise a new issue. Thanks!
