Summary
The user is investigating an issue with Flyte Console, which displays the Flyte Console Okta App ID as the user identity instead of the logged-in Okta user. They have observed that Flyte Console only has ID token cookies and lacks access token cookies. The user notes that the Okta login flow generates both tokens correctly, with the access token containing the right user subject claim. They are also having trouble locating the /me
endpoint in Flyteadmin, which appears to return the ID token, complicating the issue. They clarify that the problem is related to grpc-gateway rather than the HTTP server.
sovietaced
Alright setting the Bearer: accessToken...
worked for me woo
sovietaced
Interestingly I'm getting a 401 because the access token doesn't have scope "all" heh.
sovietaced
Based on the auth interceptor logic it looks like it always prefers access token and falls back to ID token: https://github.com/flyteorg/flyte/blob/master/flyteadmin/auth/handlers.go#L297-L328
sovietaced
We also requests from our team to show the owner of the execution in the UI
sovietaced
And we're trying to plumb some of that identity info to our plugin as well
sovietaced
Right now our situation is that all pyflyte
executions have proper users attached to them but all the ones triggered in the UI have the global ID
sovietaced
It matters for a couple reasons
sovietaced
Well for Okta the subject claim will be different between the tokens. For the ID token the subject is 00udlb1wsfEdsiMGs1d7
(okta app id) and for access token its <mailto:jparraga@stackav.com|jparraga@stackav.com>
ytong
but why does that matter? if the whole system is using one id?
ytong
you’re saying the identity provided in the id token is different than the identity provided by the access token?
sovietaced
So once the requests hits the gRPC later you'll always see id token related identity (subject claim) instead of access token related identity
sovietaced
OK I'm fairly certain this is the reason: https://github.com/flyteorg/flyte/blob/master/flyteadmin/auth/handlers.go#L353-L396 This gateway middleware only ever sets the ID token scheme and never the Bearer scheme with the access token
sovietaced
Looks like when the requests gets to the gRPC layer the header is Authorization: IDToken ...
sovietaced
I'll report back after looking some more
sovietaced
Ah ok so this pulls from the identity context... which seems to be populated from the ID token which is not what I want..
sovietaced
Ah its grpc-gateway and not on the http server got it
sovietaced
Where is this /me
handler defined?
sovietaced
Yeah so /me
which I can't find in flyteadmin yet seems to return the id token which is my problem
ytong
would be most grateful. helps us keep track when the person who’s actually going to benefit is the issue creator
ytong
make that other ticket also when you get a chance plz
ytong
is it in /me
sovietaced
const apiContext = useFlyteApi();
const userId = profile.value?.subject ?? '';```
sovietaced
Need to figure out how flyte console determines what user it is
sovietaced
Yeah the access token is definitely available.. I wonder why filtering by execution IDs results in a request like api/v1/executions/inference/development?filters=eq(user,00udlb1wsfEdsiMGs1d7)&limit=100&sort_by.direction=DESCENDING&sort_by.key=created_at
sovietaced
I think you're right but I need to do some testing since I never seen the access token cookie for some reaosn
sovietaced
I'm going to test out a fix in a bit
sovietaced
There are no calls to that method.
ytong
or am i missing something
ytong
ytong
is it not?
sovietaced
Hmm that seems like a bug because there is code to delete/retrieve the access token cookie but never any code that writes it
sovietaced
Looks like the cookie manager never stores a secure cookie for the access token.
sovietaced
Hello. I'm investigating an issue where the user identity for Flyte Console based requests always seems to be our Flyte Console Okta App ID (despite logging in as an Okta user). From the limited investigation I've done I've noticed that Flyte Console only seems to have ID tokens related cookies and no access token related cookies. I'm curious if anyone else has any ideas why this is the case before I dig further into the code. I validated that the login flow with Okta produces both an ID token and an access token. The access token is the one with a proper user subject claim.