data-platform-hq / mlflow-oidc-auth

MLFlow Tracking Server OIDC Auth plugin
https://pypi.org/project/mlflow-oidc-auth/
Apache License 2.0

404 on /oidc/ui #33

Closed DrOfAwesomeness closed 1 month ago

DrOfAwesomeness commented 1 month ago

Hi there! I'm running into an issue where I can log in with OpenID Connect after deploying the plugin, but when I try to edit permissions (or get otherwise redirected to /oidc/ui), I get a 404 page.

I'm running MLFlow in Docker. I installed the plugin by including it in the pip install line in my Dockerfile:

FROM python:3.12
RUN groupadd --gid 1001 mlflow && \
  useradd --uid 1001 --gid mlflow --shell /bin/bash mlflow && \
  pip install psycopg2 boto3 mlflow-oidc-auth==2.0.0
RUN mkdir /work && chown mlflow:mlflow /work
USER mlflow
WORKDIR /work
CMD ["bash"]

And I set the environment variables described in the README in my docker-compose file:

services:
  db:
    image: postgres:16.4
    restart: always
    shm_size: 128mb
    environment:
      POSTGRES_USER: mlflow
      POSTGRES_PASSWORD: <snip>
      POSTGRES_DB: mlflow
    volumes:
      - mlflow_dbdata:/var/lib/postgresql/data
    networks:
      - mlflow_net
  mlflow:
    build:
      context: .
      dockerfile: Dockerfile.mlflow
    environment:
      OIDC_DISCOVERY_URL: <snip>
      OIDC_CLIENT_ID: <snip>
      OIDC_CLIENT_SECRET: <snip>
      OIDC_PROVIDER_DISPLAY_NAME: <snip>
      OIDC_USERS_DB_URI: <snip>
      OIDC_GROUP_NAME: "/MLFlow Users"
      OIDC_ADMIN_GROUP_NAME: "/MLFlow Admins"
      MLFLOW_S3_ENDPOINT_URL: <snip>
      AWS_ACCESS_KEY_ID: <snip>
      AWS_SECRET_ACCESS_KEY: <snip>
      OIDC_REDIRECT_URI: https://<snip>/callback
      OAUTHLIB_INSECURE_TRANSPORT: true # https is offloaded by cloudflared
      SECRET_KEY: <snip>
    networks:
      - mlflow_net
    ports:
      - 8080:8080
    command: ["mlflow", "server", "--app-name", "oidc-auth", "--backend-store-uri", "<snip>", "--artifacts-destination", "s3://<snip>", "--host", "0.0.0.0", "--port", "8080"]
networks:
  mlflow_net:
volumes:
  mlflow_dbdata:

If it's relevant, I'm running behind a Cloudflare tunnel, so Cloudflare is terminating TLS for me (which is why I have OAUTHLIB_INSECURE_TRANSPORT set).

When I go to my MLFlow URL, I see the login page, and I'm able to go through the login flow. When I am redirected back to MLFlow, it redirects me to /oidc/ui, which gives a 404. If I manually go to the root URL afterwards, I see my name in the top right corner, so it is successfully logging me in.

This is my first time rolling out MLFlow, so it's entirely possible I'm making a really obvious mistake - sorry if that's the case here!

karandip commented 1 month ago

image Check your mlflow logs. I was facing a similar issue (direct installation on Ubuntu, not Docker) and realized the "yarn install" command was failing with the above error when running "./scripts/run-dev-server.sh". I resolved it using https://stackoverflow.com/questions/46013544/yarn-install-command-error-no-such-file-or-directory-install. Now, /oidc/ui is reachable.

DrOfAwesomeness commented 1 month ago

Thanks for the response! I don't see any yarn-related errors in my log: image

Your question does make me curious, though - do I need Node.js/yarn installed to run this in production? I assumed the frontend stuff would already be built if I downloaded the plugin from pip, so I don't install any of the development dependencies or run any compilation steps when building the container right now.

karandip commented 1 month ago

There is an issue with the current build. During yarn build, it ends with a maximum budget error. As a result, not all the files are getting built in the final package. image Till the time the plugin owner resolves this, you need to build your own whl image.

To build your own image:

  1. Either git clone or download the latest tar file.
  2. Update the ./web-ui/angular.json file: change maximumError for "initial" budget to "2mb"
  3. Run ./scripts/release.sh from the folder
  4. This will create a new folder named dist with the whl
  5. Install this whl in dockerfile

Before changing the budget: (building with 1mb budget) image

After changing the budget: (building with 2mb budget) image

DrOfAwesomeness commented 1 month ago

That worked; thanks so much for the help, @karandip!

In case anyone comes across this issue and happens to have a setup like mine, here's the Dockerfile I'm using to build and deploy the whl:

FROM node:20 AS builder
RUN apt-get update && \
  apt-get install -y python3 python3-pip python3-build python3-venv python-is-python3 git && \
  git clone https://github.com/data-platform-hq/mlflow-oidc-auth.git /app
WORKDIR /app
RUN git checkout v2.0.0 && \
  sed -i 's/"maximumError": "1mb"/"maximumError": "2mb"/' web-ui/angular.json && \
  ./scripts/release.sh 2.0.0

FROM python:3.12
COPY --from=builder /app/dist/mlflow_oidc_auth-*.whl /tmp/
RUN groupadd --gid 1001 mlflow && \
  useradd --uid 1001 --gid mlflow --shell /bin/bash mlflow && \
  pip install psycopg2 boto3 && \
  pip install /tmp/mlflow_oidc_auth-*.whl

RUN mkdir /work && chown mlflow:mlflow /work
USER mlflow
WORKDIR /work
CMD ["bash"]
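A build-time check for the failure mode in this thread (a wheel that ships without the complete web UI), as an added example that is not part of the original thread or the project's code. The in-wheel UI directory `mlflow_oidc_auth/ui/` and the required file suffixes are assumptions to adjust for the wheel you build; the sample wheels are constructed in memory.

```python
import io
import zipfile

# Assumption: the built Angular bundle is packaged under this directory inside
# the wheel. Adjust UI_PREFIX to match the layout of the wheel you build.
UI_PREFIX = "mlflow_oidc_auth/ui/"
# Assumption: a usable UI needs the entry page plus at least one script bundle.
REQUIRED_SUFFIXES = ("index.html", ".js")


def missing_ui_assets(wheel, ui_prefix=UI_PREFIX, required=REQUIRED_SUFFIXES):
    """Return the required suffixes that have no non-empty file under ui_prefix."""
    with zipfile.ZipFile(wheel) as zf:
        ui_files = [
            info.filename
            for info in zf.infolist()
            if info.filename.startswith(ui_prefix)
            and not info.is_dir()
            and info.file_size > 0
        ]
    return [s for s in required if not any(name.endswith(s) for name in ui_files)]


def _constructed_wheel(files):
    """Build an in-memory zip standing in for a wheel (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed sample: backend code only, as when the frontend build is incomplete.
BROKEN = {"mlflow_oidc_auth/__init__.py": "", "mlflow_oidc_auth/app.py": "app = None\n"}
# Constructed sample: the same wheel with a frontend bundle present.
COMPLETE = {
    **BROKEN,
    "mlflow_oidc_auth/ui/index.html": "<app-root></app-root>",
    "mlflow_oidc_auth/ui/main.js": "console.log('ui')",
}

if __name__ == "__main__":
    import sys
    # Usage: python check_wheel.py /tmp/mlflow_oidc_auth-<version>.whl
    missing = missing_ui_assets(sys.argv[1]) if len(sys.argv) > 1 else []
    if missing:
        sys.exit(f"wheel has no UI asset matching: {missing}")
```

Run as a `RUN` step in the builder stage, a non-zero exit stops the image build before a wheel without the UI is copied into the runtime stage.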