Describe the bug

I am using Keycloak as identity provider in my setup.

I have setup 2 clients, flytectl(access type public) and flytepropeller(access type confidential with client Id and secret).

I am following the keycloak section in the https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#

My relevant values in the helm values file are as below

secrets: adminOauthClientCredentials: # – If enabled is true, helm will create and manage flyte-secret-auth and populate it with clientSecret. # If enabled is false, it’s up to the user to create flyte-secret-auth as described in # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server enabled: true clientSecret: “CO2n3hovN0J78FqxxOVtjOtkHH5fPL9C” clientId: “flytepropeller”

– FlyteAdmin server configuration

adminServer: # Refer to the server config. server: httpPort: 8088 grpcPort: 8089 security: # – Controls whether to serve requests over SSL/TLS. secure: false # – Controls whether to enforce authentication. Follow the guide in https://docs.flyte.org/ on how to setup authentication. useAuth: true allowCors: true allowedOrigins: # Accepting all domains for Sandbox installation - “*” allowedHeaders: - “Content-Type” - “flyte-authorization” # Refer to the full structure for documentation. flyteadmin: roleNameKey: “iam.amazonaws.com/role” profilerPort: 10254 metricsScope: “flyte:” metadataStoragePrefix: - “metadata” - “admin” eventVersion: 2 testing: host: http://flyteadmin # – Authentication configuration auth: authorizedUris: # This should point at your public http Uri. - https://flytedeployment url # This will be used by internal services in the same namespace as flyteadmin - http://flyteadmin:80 # This will be used by internal services in the same cluster but different namespaces - http://flyteadmin.nmlp.svc.cluster.local:80

  # Controls app authentication config
  appAuth:
    thirdPartyConfig:
      flyteClient:
        clientId: flytectl
        redirectUri: https://<flyte deployment url>/callback
        scopes:
          - offline
          - all

  # Controls user authentication
  userAuth:
    openId:
      baseUrl: https://<keycloak production realm>/realms/nsdmlp
      scopes:
        - profile
        - openid
      clientId: flytepropeller

I have also edited the flyte-admin-secrets to have the correct client secret

apiVersion: v1 data: claim_symmetric_key: cWlBYzlYWHdLN3lnaksrWUJGdStFUlRYK0RDdlk4SjVjZFJtaXBTcDBhdw== cookie_block_key: ejZPdkhrZ1crWXdib21JZHdVZ05IOGJESVp0OE5KWnNZT285KzIyRVM1dw== cookie_hash_key: Q093TUY2RTdOMW5MeFZ4Rnk1dGNzZGN5NU5aeTNWN2JTMXRPTjBLUGhQQ2JWZ3hGby9XQkVRdi84Yjk4ZEIyeEV3Zm5KYURDVzFkSjBuSGZrbS8zYVE= oidc_client_secret: CO2n3hovN0J78FqxxOVtjOtkHH5fPL9C

With all the above setting, when i try to login to the flyte console via the ingress, it gives me the below message in the flyteadmin pod logs

{“json”:{},“level”:“error”,“msg”:“Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present”,“ts”:“2022-08-04T18:34:11Z”} {“json”:{},“level”:“error”,“msg”:“Error when exchanging code oauth2: cannot fetch token: 401 Unauthorized\nResponse: {"error":"unauthorized_client","error_description":"Invalid client secret"}”,“ts”:“2022-08-04T18:34:12Z”} Logs from 8/5/2022, 12:02:39 AM

And the chrome errors out with 403 access denied page.

I have tried secret and id with and without quotes(just in case if helm was acting crazy) but it still gives the same error.

Please assist.

Thanks, Sujith

Expected behavior

Setting up the secret and client must enable the correct oauth flow and let me login to the flyte

Additional context to reproduce

No response

Screenshots

No response

Are you sure this issue hasn’t been raised already?

• Yes

Have you read the Code of Conduct?

• Yes