Open Jeinhaus opened 7 months ago
Thank you for opening your first issue here! 🛠
🤖 Based on the error message you're seeing, it seems like the scopes requested by Flyte do not match the ones configured in Keycloak. The "invalid_scope" error usually occurs when the scopes requested by the client application do not match the scopes configured in the authorization server.
In your Flyte configuration, the scopes requested by Flyte are configured with the flags "userAuth.openId.scopes" and "appAuth.thirdPartyConfig.flyteClient.scopes".
To resolve the "invalid_scope" error, you should ensure that the scopes requested by Flyte match the ones configured in Keycloak. Here are the steps you can follow:
Check the scopes requested by Flyte. You can find these in your Flyte configuration file or in the command line flags when starting your Flyte server. Look for the flags "userAuth.openId.scopes" and "appAuth.thirdPartyConfig.flyteClient.scopes".
Check the scopes configured in Keycloak. You can find these in your Keycloak admin console, under the client settings for Flyte.
Ensure that the scopes requested by Flyte match the ones configured in Keycloak. If they do not match, you should update the scopes in either Flyte or Keycloak so that they do match.
If you continue to experience issues after following these steps, please provide more information about your Flyte and Keycloak configuration so that we can better assist you.
Also, there was a similar issue reported in the Flyte repository: [Docs] Additional Keycloak configuration settings. The issue was resolved with recent updates to the auth docs and the support for the audience parameter. You might find this issue helpful.
For more details, you can refer to the Flyte configuration flags in the source code: flyteadmin/auth/config/config_flags.go.
I'm in the process of setting up Keycloak as well, and there are 2 things of note here. I saw and resolved the same issue:
You need to add the "all" client scope in Keycloak and make sure it's available to any Keycloak clients that need it (flytepropeller, etc.)
The docs mention scopes like this under thirdPartyConfig:

```yaml
scopes:
  - offline
  - all
```
In Keycloak, "offline" is actually called "offline_access", so you'll need to make that change for flytepropeller / flytescheduler to be able to contact Keycloak to generate tokens.
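A quick offline check for the mismatch described in the comment above (an added example, not code from the issue or from Flyte): it compares the scopes Flyte requests with the "scopes_supported" list Keycloak publishes in its OIDC discovery document. The discovery document and Flyte config below are constructed samples, and "lookup", "check_scopes" and "SCOPE_PATHS" are names chosen here.

```python
import json

# Constructed sample of a Keycloak realm's OIDC discovery document
# (<keycloak>/realms/<realm>/.well-known/openid-configuration), trimmed
# to the one field this check uses. "all" is a custom client scope.
DISCOVERY_JSON = json.dumps({
    "scopes_supported": ["openid", "offline_access", "profile", "email", "all"],
})

# Constructed Flyte auth config using the docs' scope names; "offline"
# is the value Keycloak rejects with invalid_scope.
FLYTE_AUTH = {
    "userAuth": {"openId": {"scopes": ["openid", "profile"]}},
    "appAuth": {"thirdPartyConfig": {"flyteClient": {"scopes": ["offline", "all"]}}},
}

# The two Flyte config keys that carry requested scopes.
SCOPE_PATHS = (
    "userAuth.openId.scopes",
    "appAuth.thirdPartyConfig.flyteClient.scopes",
)


def lookup(cfg, dotted):
    """Walk a dotted key path through nested dicts; a missing path yields []."""
    node = cfg
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    return list(node)


def check_scopes(discovery_json, cfg):
    """Return {config path: {requested scope: suggested name or None}} for
    every requested scope the authorization server does not advertise."""
    supported = set(json.loads(discovery_json).get("scopes_supported", []))
    problems = {}
    for path in SCOPE_PATHS:
        for scope in lookup(cfg, path):
            if scope in supported:
                continue
            # Suggest a supported scope sharing a prefix, e.g. offline -> offline_access
            hint = next((s for s in sorted(supported)
                         if s.startswith(scope) or scope.startswith(s)), None)
            problems.setdefault(path, {})[scope] = hint
    return problems


if __name__ == "__main__":
    print(check_scopes(DISCOVERY_JSON, FLYTE_AUTH))
```

A scope reported with a None hint (for example "all" when the custom client scope was never created in the realm) has to be added on the Keycloak side rather than renamed in Flyte.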
Description
Hi everyone 👋, we are struggling to get flyte working with Keycloak external authorization. We got the authentication working but are very lost on the authorization part.
The authentication setup worked just as documented, but we can't get the external Authorization Server working.
In the Custom Authorization Server documentation for keycloak it says we should create new Client Scopes. As a Keycloak beginner I'm struggling to understand if there should be anything configured in the Client Scope and how this ties together with the Keycloak clients that are created in step 4 of the Keycloak documentation.
For now, we just tried this with local port-forward, so our flytectl config looks like this
Our three Keycloak clients look like this (terraform code):
And the Client Scope looks like this:
The relevant configuration for the flyte-binary chart then looks like this:
When we try to connect to flyte using flytectl we get the following error:
Where the browser then gives this error:
We already tried the Client scope mappers from this Slack thread, but to no avail.
Can anyone help? 🙈
Thank you, Julian
P.S.: I posted this here already.