Reducing GetPublicClientConfig API call For Pkce and ClientCredential#1105
Reducing GetPublicClientConfig API call For Pkce and ClientCredential#1105edwardsun-union wants to merge 15 commits into
Conversation
edwardsun-union
force-pushed
the
reducerCall
branch
2 times, most recently
from
c3c10eb to
c9956d8
Compare
| if cfg.token_endpoint is None: | ||
| raise ValueError("token_endpoint is required for client credentials authentication") |
There was a problem hiding this comment.
Wont this break existing clients who haven't generated there new configs. Ideally we want to keep it backward compat
There was a problem hiding this comment.
I addressed this by keeping ClientConfig untouched and pack my changes into LocalClientConfigOverrides, this way is cleaner and ensure backward compatibility for existing client
edwardsun-union
force-pushed
the
reducerCall
branch
from
ba416a6 to
60821f4
Compare
Signed-off-by: Edward Sun <edward.sun@union.ai>
Signed-off-by: Edward Sun <edward.sun@union.ai>
Signed-off-by: Edward Sun <edward.sun@union.ai>
Signed-off-by: Edward Sun <edward.sun@union.ai>
Signed-off-by: Edward Sun <edward.sun@union.ai>
Signed-off-by: Edward Sun <edward.sun@union.ai>
Signed-off-by: Edward Sun <edward.sun@union.ai>
Signed-off-by: Edward Sun <edward.sun@union.ai>
Signed-off-by: Edward Sun <edward.sun@union.ai>
Signed-off-by: Edward Sun <edward.sun@union.ai>
Signed-off-by: Edward Sun <edward.sun@union.ai>
Signed-off-by: Edward Sun <edward.sun@union.ai>
edwardsun-union
force-pushed
the
reducerCall
branch
from
60821f4 to
8b34025
Compare
Signed-off-by: Edward Sun <edward.sun@union.ai>
| kwargs = set_if_exists( | ||
| kwargs, "authorization_header", _internal.Platform.AUTHORIZATION_HEADER.read(config_file) | ||
| ) | ||
| redirect_uri = _internal.Platform.REDIRECT_URI.read(config_file) |
There was a problem hiding this comment.
this var is not used other that in L120. Can use similar pattern to L121
| "mcp>=1.26.0", | ||
| "starlette", | ||
| "uvicorn", | ||
| "debugpy>=1.8.20", |
There was a problem hiding this comment.
Do we need this dependency
There was a problem hiding this comment.
@pmahindrakar-oss yes, it is needed to enable breakpoints and it is dev dependency only
| local_client_config_overrides=local_client_config_overrides, | ||
| audience=audience, |
There was a problem hiding this comment.
Any reason to keep audience different from local_client_config_overrides
| def has_required_public_client_fields(self) -> bool: | ||
| return bool(self.client_id and self.redirect_uri and self.header_key and self.scopes) |
There was a problem hiding this comment.
are we missing audience
| if not org: | ||
| raise click.BadParameter("--endpoint or --org must be provided") |
There was a problem hiding this comment.
Check if this could break for local-persistence mode.
--local-persistence enables a local SQLite-backed record of local runs. The data comes from the SDK process itself while it executes locally: task/
run metadata, inputs/outputs references, status, timestamps, etc. It is written to local storage, then tools like the local TUI can read it back.
| admin["clientId"] = f"{org}-uctl" | ||
| admin["insecure"] = insecure | ||
| admin["authorizationHeader"] = "flyte-authorization" | ||
| admin["redirectUri"] = "http://localhost:53593/callback" | ||
| admin["scopes"] = ["all"] |
There was a problem hiding this comment.
We want to make sure these defaults are ok to be used in selfhosted environments.
cc : @mhotan .
There was a problem hiding this comment.
I think as an escape hatch , can we allow these to be passed, for eg in cases of selfhosted or where there are deviations in these defaults. An explicit args would help here.
There was a problem hiding this comment.
Thinking about this more, we can populate this from GetPublicClientConfig call so we remove these unknowns. We only call this API on create config call and once that data exists in cli's config, it doesn't need to refetch it
2 participants
- Description
This PR is made as effort to reduce GetPublicClientConfig API call for Pkce and ClientCredential authType. Currently, this API is called unconditionally to extract metadata like scopes, authenticationHeader, redirectUri. To optimize the auth workflow, necessary metadata are added as static to client configuration so that GetPublicClientConfig became conditional call. Required changes also applied to
flyte create configutility so that required auth fields are written for remote authentication.- Testing
before change:
In local env, triggering flyte run task that will be execute in dogfood staging. Example test command below:
flyte -vvv -c ./.flyte/config.yaml run ./basics/types/int_collection.py main --numbers '[1,2,3,4,5,10,20,30]'For client configuration refer to dogfood staging config v2
observed that GetPublicClientConfig call is captured in Grafana dashboard for every flyte run execution
after change:
connectrpc/0.10.1