Flyte implements authentication using OpenID Connect (OIDC) for browser-based user login and OAuth2 for service-to-service authentication. This page covers configuring both.
Overview
Flyte’s auth system has two layers:
- Identity layer (OIDC): Verifies who a user is. Requires registering Flyte as an OIDC client with your Identity Provider (IdP).
- Authorization server: Issues access tokens to clients (flytectl, pyflyte, FlytePropeller, FlyteConsole). Flyte ships with a built-in authorization server, or you can use an external one (Okta, Azure AD, Keycloak).
Authentication requires a public domain name and TLS. Sandbox (flytectl demo start) uses a different insecure setup and does not require this.
Prerequisites
- A public domain name (e.g., flyte.example.com) pointing to your Flyte Ingress
- A registered OIDC application in your IdP
Identity provider support
| Feature | Okta | Google | GCP Identity | Azure AD | Auth0 | Keycloak | GitHub |
|---|---|---|---|---|---|---|---|
| OpenID Connect (OIDC) | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Custom auth server | Yes | No | Yes | Yes | ? | Yes | No |
Step 1: Register Flyte with your IdP
Okta
- Create an OIDC - OpenID Connect app integration with type Web Application
- Add sign-in redirect URI: https://<your-flyte-url>/callback
- Optionally add logout URI: https://<your-flyte-url>/logout
- Note the Client ID and Client Secret
Google
- Create an OAuth2 client credential in Google Cloud Console following the official docs
- Add authorized redirect URI: https://<your-flyte-url>/callback
- Note the Client ID and Client Secret
Azure AD
- In Azure Portal, go to Microsoft Entra ID → App registrations → New registration
- Under Redirect URIs, add Web: https://<your-flyte-url>/callback
- Create a client secret under Certificates & secrets
- Add API permissions: email, openid, profile, offline_access, User.Read
- Under Authentication, add Mobile and desktop platform with URI http://localhost:53593/callback for flytectl
- Enable Allow public client flows
- Note the Application (client) ID and Directory (tenant) ID
Keycloak
- Create a realm in the Keycloak admin console
- Create an OIDC client with a client secret
- Set login redirect URI: https://<your-flyte-url>/callback
- Note the Client ID and Client Secret
Step 2: Generate an internal client secret
FlytePropeller authenticates to FlyteAdmin using a shared secret. Generate one and compute its bcrypt hash:
```shell
pip install bcrypt
python -c '
import bcrypt, base64, secrets
# Random 32-character hex password that FlytePropeller presents as its client secret
pwd = secrets.token_hex(16)
# bcrypt hash of that password, base64-encoded as the config below expects it
hashed = base64.b64encode(bcrypt.hashpw(pwd.encode(), bcrypt.gensalt(6)))
print(f"Password: {pwd}")
print(f"Hash: {hashed.decode()}")
'
```
Keep both the plaintext password and the bcrypt hash — you need both in the config.
Step 3: Apply OIDC configuration
Add the following to your values.yaml and run helm upgrade:
```yaml
configuration:
  auth:
    enabled: true
    oidc:
      # Uncomment the correct baseUrl for your IdP:
      # baseUrl: https://accounts.google.com
      # baseUrl: https://<keycloak-url>/auth/realms/<realm>
      # baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0
      baseUrl: https://dev-<org-id>.okta.com/oauth2/default
      clientId: <client_ID>
      clientSecret: <client_secret>
    internal:
      clientSecret: '<your-random-password>'
      clientSecretHash: <your-hashed-password>
    authorizedUris:
      - https://<your-flyte-deployment-URL>
```
```shell
helm upgrade flyte-backend flyteorg/flyte-binary \
  --namespace flyte \
  --values values.yaml
```
Store the IdP client secret in the flyte-admin-secrets Kubernetes Secret:
```shell
kubectl edit secret -n flyte flyte-admin-secrets
```
Add under stringData:
```yaml
stringData:
  oidc_client_secret: <client_secret_from_idp>
```
Then update the Helm values:
```yaml
configmap:
  adminServer:
    server:
      security:
        useAuth: true
        allowCors: true
        allowedOrigins: ["*"]  # accepts any browser origin; narrow this if FlyteConsole is served from a known origin
    auth:
      appAuth:
        selfAuthServer:
          staticClients:
            flytectl:
              id: flytectl
              redirect_uris:
                - http://localhost:53593/callback
              grant_types: [refresh_token, authorization_code]
              scopes: [all, offline, access_token]
              public: true
            flytepropeller:
              id: flytepropeller
              client_secret: "<bcrypt-hash>"
              redirect_uris:
                - http://localhost:3846/callback
              grant_types: [refresh_token, client_credentials]
              scopes: [all, offline, access_token]
              public: false
      authorizedUris:
        - https://<your-flyte-deployment-URL>
        - http://flyteadmin:80
        - http://flyteadmin.flyte.svc.cluster.local:80
      userAuth:
        openId:
          baseUrl: https://dev-<org-id>.okta.com/oauth2/default
          clientId: <client_ID>
          scopes: [profile, openid]
secrets:
  adminOauthClientCredentials:
    enabled: true
    clientSecret: "<your-random-password>"
    clientId: flytepropeller
```
Step 4: Update the local flytectl config
After enabling auth, update ~/.flyte/config.yaml to use PKCE flow:
```yaml
admin:
  endpoint: dns:///flyte.example.com
  authType: Pkce # Use Pkce instead of clientCred
  insecure: false
```
Using an external authorization server
If your IdP provides a custom OAuth2 authorization server (Okta, Azure AD, Keycloak), you can replace Flyte’s built-in server:
```yaml
configuration:
  inline:
    auth:
      appAuth:
        authServerType: External
        externalAuthServer:
          baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
          metadataUrl: .well-known/oauth-authorization-server
        thirdPartyConfig:
          flyteClient:
            clientId: <flytectl-client-id>
            redirectUri: http://localhost:53593/callback
            scopes: [offline, all]
      userAuth:
        openId:
          baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
          scopes: [profile, openid]
          clientId: <oidc-clientId>
```
CI/CD with client credentials
For automated workflows (CI pipelines, scheduled jobs), use the client credentials flow:
Environment variables
```shell
export FLYTE_CREDENTIALS_CLIENT_ID=<client_id>
export FLYTE_CREDENTIALS_CLIENT_SECRET=<client_secret>
export FLYTE_CREDENTIALS_AUTH_MODE=basic
export FLYTE_CREDENTIALS_AUTHORIZATION_METADATA_KEY=<header_name>
export FLYTE_CREDENTIALS_OAUTH_SCOPES=<idp_scopes>
export FLYTE_PLATFORM_AUTH=True
```
flytectl config
```yaml
admin:
  endpoint: dns:///flyte.example.com
  authType: ClientSecret
  clientId: <client_id>
  clientSecretLocation: /etc/flyte/client_secret
```
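The token exchange behind the client credentials flow above, as an added example that is not Flyte's or flytekit's own code: the client resolves the authorization server's token endpoint from its metadata document (the metadataUrl form used earlier on this page), sends a client_credentials request authenticated with HTTP Basic (what auth mode basic means), and attaches the returned bearer token under the configured metadata key. The metadata document, the client id ci-runner, its secret, the token, the default key name "authorization", and the fetch/post stand-ins are constructed assumptions so the example runs offline.

```python
import base64
import json
from urllib.parse import urlencode, urljoin

# Constructed sample: what GET <baseUrl>/.well-known/oauth-authorization-server returns.
SAMPLE_METADATA = json.dumps({"issuer": "https://flyte.example.com",
                              "token_endpoint": "https://flyte.example.com/oauth2/token"})

def discover_token_endpoint(base_url, metadata_url, fetch):
    """Resolve metadataUrl against baseUrl; fetch(url) is injected (no network)."""
    return json.loads(fetch(urljoin(base_url.rstrip("/") + "/", metadata_url)))["token_endpoint"]

def build_token_request(token_endpoint, client_id, client_secret, scopes):
    """Auth mode 'basic': id and secret go in an HTTP Basic header, never in the body."""
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"url": token_endpoint,
            "headers": {"Authorization": f"Basic {cred}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})}

def parse_token_response(body):
    """Accept only a bearer token; surface an OAuth2 error response instead of a KeyError."""
    resp = json.loads(body)
    if "error" in resp:
        raise RuntimeError(f"token request rejected: {resp['error']}")
    if resp.get("token_type", "").lower() != "bearer":
        raise RuntimeError("expected token_type Bearer")
    return resp["access_token"]

def obtain_metadata(base_url, metadata_url, client_id, client_secret, scopes,
                    fetch, post, metadata_key="authorization"):
    """Whole flow; returns the gRPC metadata pair the client attaches to FlyteAdmin calls.
    The key is what FLYTE_CREDENTIALS_AUTHORIZATION_METADATA_KEY overrides (default assumed)."""
    endpoint = discover_token_endpoint(base_url, metadata_url, fetch)
    req = build_token_request(endpoint, client_id, client_secret, scopes)
    token = parse_token_response(post(req["url"], req["headers"], req["body"]))
    return (metadata_key.lower(), f"Bearer {token}")

# Constructed stand-ins for the network: the fake server only issues a token
# when the Basic credential of the hypothetical client "ci-runner" matches.
def fake_fetch(url):
    return SAMPLE_METADATA

def fake_post(url, headers, body):
    good = "Basic " + base64.b64encode(b"ci-runner:s3cret").decode()
    if headers.get("Authorization") != good or "grant_type=client_credentials" not in body:
        return json.dumps({"error": "invalid_client"})
    return json.dumps({"access_token": "constructed.jwt", "token_type": "Bearer"})
```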
Disable Helm secret management
To create the FlytePropeller secret manually (e.g., from an external secret manager):
```yaml
secrets:
  adminOauthClientCredentials:
    enabled: true
    clientSecret: null # Disables Helm from creating the secret
    clientId: flytepropeller
```
Then create the secret declaratively:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: flyte-secret-auth
  namespace: flyte
type: Opaque
stringData:
  client_secret: <client_secret>
```