langfuse / langfuse-k8s

Community-maintained Kubernetes config and Helm chart for Langfuse
https://langfuse.com
MIT License

Okta Integration Not Working as Expected with Langfuse #27

Open rjprosper opened 1 month ago

rjprosper commented 1 month ago

Description

We are attempting to integrate Langfuse with Okta for authentication, but are encountering issues. The Okta login process initiates, but after authentication, we receive an error message suggesting a lack of access to the application.

Current Configuration

We are using Helm to deploy Langfuse with the following configuration:

hcl
resource "helm_release" "langfuse-release" {
  name             = "langfuse"
  namespace        = "langfuse"
  create_namespace = true
  repository       = "https://langfuse.github.io/langfuse-k8s"
  chart            = "langfuse"
  version          = "0.4.0"

  values = [
    <<-EOT
    replicaCount: 2

    image:
      repository: "us-docker.pkg.dev/testdomain-nonprod-registry/images/langfuse"
      tag: "2.81.0"
      pullPolicy: IfNotPresent

    langfuse:
      nextauth:
        url: "https://langfuse.np.test.io"
        secret: "<REDACTED>"
      salt: "<REDACTED>"
      telemetryEnabled: false
      additionalEnv:
        - name: AUTH_DISABLE_USERNAME_PASSWORD
          value: "true"
        - name: AUTH_OKTA_CLIENT_ID
          value: "356748gsth"
        - name: AUTH_OKTA_CLIENT_SECRET
          value: "<REDACTED>"
        - name: AUTH_OKTA_ISSUER
          value: "https://testdomain.okta.com/oauth2/default"

    service:
      type: ClusterIP
      additionalLabels: []
    ingress:
      enabled: true
      className: "nginx"
      annotations:
        cert-manager.io/acme-challenge-type: dns01
        cert-manager.io/acme-dns01-provider: cloudflare
        cert-manager.io/cluster-issuer: cloudflare
      hosts:
        - host: langfuse.np.test.io
          paths:
            - path: /
              pathType: Prefix
      tls:
        - secretName: langfuse-tls
          hosts:
            - langfuse.np.test.io
    postgresql:
      deploy: false
      auth:
        username: "langfuse"
        password: "<REDACTED>"
        database: "langfuse"
      host: "10.202.7.12"
      directUrl: "postgresql://langfuse:<REDACTED>@10.202.7.12:5432/langfuse"
    EOT
  ]
}

Error Message

After authenticating with Okta, we receive the following error:

json

{
    "version": "1.0.0",
    "stateHandle": "02.id.qgcFYpXwSO0Mwi3MBI6-ovJG8AsmzbdlO46zhHsq~c.ySOGtYYYcVLfcojGKqyUffiNPlZYM0hPi4RuUjnT55nykn76uru51DnoqrNasyQqFszGhLPvTwEfpKjLrui99A5mxMGGKM1FHfQK2CEjLm-JQHC8189TkIeUtNSzLNbh0vAKF0dJAi2s4YVWUXyytd72JvbwUjNX7FqsApNXe6CAw7Yu-lYabWIiuWiCEoJwgcsuFSfS2MkAVvS48opfdM8EpsBzfe88SEOxraCcUjGg_YcFIdskDh-mQ2BIJV8JeY3BEmmZS5EC9DywTmqW-H2WwrxgMd_fyGcZaql6H4YcwPQ0cyXeOO8uDVer8ImOUS-_xnjK0aquoXz65iXU4AWWYakEFKAhlYaHkiQYjhFkvwWsc5p-q-gN-NSXKEj5rhFjgIbBKTO6MUsVnxFXGuylWMnqsRUmx0hCZOg65se_dD5Si5Lzfs02O4QD15qe9paqAmP9PNgTC6OgnueUy2VKEDjLHkVXzPqJ750ua5W-d98qPVuX-3m3x-QNnDip-50UbQ0r99t1f1NKhtQcqkkHdzsyG7Lgy4nUxGBcfCl0z9zwLuM9vq6nIwhyVvolVvSL1f3wp2cV7BvRrqFaWXdf3Bc4E4OjzM8LNNdgfVdUu5K5z1yWTuhmV7UWLm-MNvjN5WA09JQvqJKO4pBZQqJjsmYaQEHh3PhRSfG4oCBksXlb7eTbidPvYzaQzyxOzdzhwOYKFWFXzOVRi_ctmGDhRkK-cEYF15qlikndMnkwRWRBbndS_s6-vJbq_0Vz7J1cIOTZaluZYQdJj4OPZhfV_VfkThIjGaGRx86eSmOURLU13zqR9BptTesZ_fWcPLlMflqFEHdbMz4QGuddP1CzOlIWzYkDE8djbeRuzzqv0xNl4ghBVIhpXEY4OtKPLyXXkhS2PvPJg3fzRzYCiKICzDISrbhyc-z_amHhdRB4aGUQp4Ic5287XRD-ILhmNY4u8dh29HYsgRX3RE5iNb-4zKEAGyP4_EdZ5Uv_5oxF7N4aptrRHZ2d8SX4rdtjsVzCHQACxzMObBy0z45lSw_aB3t1spIE5L0Jd6HKQAb-ZEOtN1chBd12epJbMbfdIkLVcGtVBaluya4p43p9GJz_lb1I6jWmEEMGDu4u8kHvQVoWwqydSzN_OAC79jEq7TwEoqSPLO1BDS6GIU52SxycE_sToFtdB1fDb4AB5_ZjbEnt-NtiPEzrNARasS4vN7kSWcY27LQCOvaLVGKBsZl21VkmMFT0YtEqZZGphJ6TvfEGjIQf1h4sry5c4e3vmCdROHEGwX-T_DwVPumWbKJksfj9zwQzYk6I3jZcR_wtJTT6MBu9Y9FIxLk_SQTN5S9dChNk6OT_9pyEDpJAmneK05PDC5OcRPFUgodh3eVC3_VbgouajQgEWx6UouMzk2SZrBUYA0r-OmykNPqS7GEoBuvLJoPGPHQWTSdBRiEFrhoPcIRCWLz_sYq4p4tSvZenhtu24FgruOsvWVeFWp5nqysXErtgSTP04GW7DbMau3FQ8vS2CHS3Kp7ZQulLo4oCLoed3Ij1D0ds3szY8w",
    "expiresAt": "2024-10-07T19:12:31.000Z",
    "intent": "LOGIN",
    "messages": {
        "type": "array",
        "value": [
            {
                "message": "You are not allowed to access this app. To request access, contact an admin.",
                "i18n": {
                    "key": "idx.error.code.no_matching_policy"
                },
                "class": "ERROR"
            }
        ]
    },
    "user": {
        "type": "object",
        "value": {
            "id": "00u1ejpi99q3Cg5gM1d8",
            "identifier": "rjonnalagadda@testdomain.com",
            "profile": {
                "firstName": "Rajesh",
                "lastName": "Jonnalagadda",
                "timeZone": "America/Los_Angeles",
                "locale": "en_US",
                "email": "r***a@testdomain.com"
            }
        }
    },
    "failure": {
        "name": "failure-redirect",
        "href": "https://testdomain.okta.com/login/error/redirect?stateToken=02.id.qgcFYpXwSO0Mwi3MBI6-ovJG8AsmzbdlO46zhHsq"
    }
}

Expected Behavior

After successful authentication with Okta, we expect to be logged into Langfuse and have access to the application.

Questions

Is the current configuration correct for Okta integration?
Are there any additional settings or environment variables required for Okta authentication?
How does Langfuse handle user authorization after successful Okta authentication?
Are there any known issues with Okta integration in the current version of Langfuse?

Additional Information

Langfuse Chart Version: 0.4.0
Langfuse App Version: 2.81.0

marcklingen commented 1 month ago

To me the error seems quite clear: does your user have access to the application created in Okta?

Context: many teams run Langfuse with Okta successfully in prod
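
An added example, not part of the thread or of the Langfuse project's code: a small Python triage helper that reads an error body of the shape posted above and reports whether the login was refused on the identity provider's host or on the application's host, by comparing the host of `failure.href` with the configured `AUTH_OKTA_ISSUER` and NextAuth URL. The function name and the trimmed sample body are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the error body from the issue, trimmed (no stateHandle,
# no user block, no stateToken query string).
SAMPLE_BODY = json.dumps({
    "version": "1.0.0",
    "intent": "LOGIN",
    "messages": {"type": "array", "value": [{
        "message": "You are not allowed to access this app. "
                   "To request access, contact an admin.",
        "i18n": {"key": "idx.error.code.no_matching_policy"},
        "class": "ERROR",
    }]},
    "failure": {"name": "failure-redirect",
                "href": "https://testdomain.okta.com/login/error/redirect"},
})


def triage_login_error(body, issuer, app_url):
    """Hypothetical helper: report which side refused a failed SSO login."""
    doc = json.loads(body)
    errors = [m for m in doc.get("messages", {}).get("value", [])
              if m.get("class") == "ERROR"]
    failure_host = urlsplit(doc.get("failure", {}).get("href", "")).hostname
    if failure_host is None:
        denied_by = "unknown"   # no failure redirect in the body
    elif failure_host == urlsplit(issuer).hostname:
        denied_by = "idp"       # error page is served by the identity provider
    elif failure_host == urlsplit(app_url).hostname:
        denied_by = "app"       # error page is served by the application
    else:
        denied_by = "unknown"
    return {
        "denied_by": denied_by,
        "error_keys": [m.get("i18n", {}).get("key", "") for m in errors],
        "messages": [m.get("message", "") for m in errors],
    }


if __name__ == "__main__":
    print(triage_login_error(SAMPLE_BODY,
                             issuer="https://testdomain.okta.com/oauth2/default",
                             app_url="https://langfuse.np.test.io"))
```

A result of `idp` places the refusal on the Okta side, which is where the reply above directs the reporter to check the user's access to the application.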