F

Flyte enables you to build & deploy data & ML pipelines, hassle-free. The infinitely scalable and flexible workflow orchestration platform that seamlessly unifies data, ML and analytics stacks. Explore and Join the Flyte Community!

Issue with Flyte Console User Identity

Summary

The user is investigating an issue with Flyte Console, which displays the Flyte Console Okta App ID as the user identity instead of the logged-in Okta user. They have observed that Flyte Console only has ID token cookies and lacks access token cookies. The user notes that the Okta login flow generates both tokens correctly, with the access token containing the right user subject claim. They are also having trouble locating the /me endpoint in Flyteadmin, which appears to return the ID token, complicating the issue. They clarify that the problem is related to grpc-gateway rather than the HTTP server.

Status
resolved
Tags
  • grpc-gateway
  • flyte
  • Okta
  • /me
  • Developer
  • Question
  • Bug Report
Source
#ask-the-community
    s

    sovietaced

    11/7/2024

    Alright setting the Bearer: accessToken... worked for me woo

    s

    sovietaced

    11/7/2024

    Interestingly I'm getting a 401 because the access token doesn't have scope "all" heh.

    s

    sovietaced

    11/7/2024

    Based on the auth interceptor logic it looks like it always prefers access token and falls back to ID token: https://github.com/flyteorg/flyte/blob/master/flyteadmin/auth/handlers.go#L297-L328

    s

    sovietaced

    11/7/2024

    We also requests from our team to show the owner of the execution in the UI

    s

    sovietaced

    11/7/2024

    And we're trying to plumb some of that identity info to our plugin as well

    s

    sovietaced

    11/7/2024

    Right now our situation is that all pyflyte executions have proper users attached to them but all the ones triggered in the UI have the global ID

    s

    sovietaced

    11/7/2024

    It matters for a couple reasons

    1. It breaks filtering my executions
    2. Any execution triggered by the UI is triggered under the same global user
    s

    sovietaced

    11/7/2024

    Well for Okta the subject claim will be different between the tokens. For the ID token the subject is 00udlb1wsfEdsiMGs1d7 (okta app id) and for access token its <mailto:jparraga@stackav.com|jparraga@stackav.com>

    y

    ytong

    11/7/2024

    but why does that matter? if the whole system is using one id?

    y

    ytong

    11/7/2024

    you’re saying the identity provided in the id token is different than the identity provided by the access token?

    s

    sovietaced

    11/7/2024

    So once the requests hits the gRPC later you'll always see id token related identity (subject claim) instead of access token related identity

    s

    sovietaced

    11/7/2024

    OK I'm fairly certain this is the reason: https://github.com/flyteorg/flyte/blob/master/flyteadmin/auth/handlers.go#L353-L396 This gateway middleware only ever sets the ID token scheme and never the Bearer scheme with the access token

    s

    sovietaced

    11/7/2024

    Looks like when the requests gets to the gRPC layer the header is Authorization: IDToken ...

    s

    sovietaced

    11/7/2024

    I'll report back after looking some more

    s

    sovietaced

    11/7/2024

    Ah ok so this pulls from the identity context... which seems to be populated from the ID token which is not what I want..

    s

    sovietaced

    11/7/2024

    Ah its grpc-gateway and not on the http server got it

    s

    sovietaced

    11/7/2024

    Where is this /me handler defined?

    s

    sovietaced

    11/7/2024

    Yeah so /me which I can't find in flyteadmin yet seems to return the id token which is my problem

    y

    ytong

    11/7/2024

    would be most grateful. helps us keep track when the person who’s actually going to benefit is the issue creator

    y

    ytong

    11/7/2024

    make that other ticket also when you get a chance plz

    y

    ytong

    11/7/2024

    is it in /me

    s

    sovietaced

    11/7/2024
      const apiContext = useFlyteApi();
      const userId = profile.value?.subject ?? '';```
    
    s

    sovietaced

    11/7/2024

    Need to figure out how flyte console determines what user it is

    s

    sovietaced

    11/7/2024

    Yeah the access token is definitely available.. I wonder why filtering by execution IDs results in a request like api/v1/executions/inference/development?filters=eq(user,00udlb1wsfEdsiMGs1d7)&amp;limit=100&amp;sort_by.direction=DESCENDING&amp;sort_by.key=created_at

    s

    sovietaced

    11/7/2024

    I think you're right but I need to do some testing since I never seen the access token cookie for some reaosn

    s

    sovietaced

    11/7/2024

    I'm going to test out a fix in a bit

    s

    sovietaced

    11/7/2024

    There are no calls to that method.

    y

    ytong

    11/7/2024

    or am i missing something

    y

    ytong

    11/7/2024

    is it not?

    s

    sovietaced

    11/6/2024

    Hmm that seems like a bug because there is code to delete/retrieve the access token cookie but never any code that writes it

    s

    sovietaced

    11/6/2024

    Looks like the cookie manager never stores a secure cookie for the access token.

    s

    sovietaced

    11/6/2024

    Hello. I'm investigating an issue where the user identity for Flyte Console based requests always seems to be our Flyte Console Okta App ID (despite logging in as an Okta user). From the limited investigation I've done I've noticed that Flyte Console only seems to have ID tokens related cookies and no access token related cookies. I'm curious if anyone else has any ideas why this is the case before I dig further into the code. I validated that the login flow with Okta produces both an ID token and an access token. The access token is the one with a proper user subject claim.