Add azure ad auth setup doc (flyteorg#3625)

Signed-off-by: byhsu <[email protected]>

doc-requirements.txt

@@ -6,19 +6,19 @@
 #
 alabaster==0.7.13
     # via sphinx
-astroid==2.14.1
+astroid==2.15.4
     # via sphinx-autoapi
-babel==2.11.0
+babel==2.12.1
     # via sphinx
-beautifulsoup4==4.11.2
+beautifulsoup4==4.12.2
     # via
     #   furo
     #   sphinx-code-include
 certifi==2022.12.7
     # via requests
 cfgv==3.3.1
     # via pre-commit
-charset-normalizer==3.0.1
+charset-normalizer==3.1.0
     # via requests
 distlib==0.3.6
     # via virtualenv
@@ -27,25 +27,25 @@ docutils==0.17.1
     #   sphinx
     #   sphinx-panels
     #   sphinx-tabs
-filelock==3.9.0
+filelock==3.12.0
     # via virtualenv
 furo @ git+https://github.com/flyteorg/furo@main
     # via -r doc-requirements.in
-googleapis-common-protos==1.58.0
+googleapis-common-protos==1.59.0
     # via grpcio-status
 grpcio==1.48.2
     # via
     #   -r doc-requirements.in
     #   grpcio-status
 grpcio-status==1.48.2
     # via -r doc-requirements.in
-identify==2.5.17
+identify==2.5.23
     # via pre-commit
 idna==3.4
     # via requests
 imagesize==1.4.1
     # via sphinx
-importlib-metadata==6.0.0
+importlib-metadata==6.6.0
     # via sphinx
 jinja2==3.0.3
     # via
@@ -58,26 +58,22 @@ markupsafe==2.1.2
     # via jinja2
 nodeenv==1.7.0
     # via pre-commit
-packaging==23.0
+packaging==23.1
     # via sphinx
-pbr==5.11.1
-    # via sphinxcontrib-video
-platformdirs==2.6.2
+platformdirs==3.3.0
     # via virtualenv
-pre-commit==3.0.4
+pre-commit==3.2.2
     # via sphinx-tags
-protobuf==4.21.12
+protobuf==4.22.3
     # via
     #   googleapis-common-protos
     #   grpcio-status
-pygments==2.14.0
+pygments==2.15.1
     # via
     #   furo
     #   sphinx
     #   sphinx-prompt
     #   sphinx-tabs
-pytz==2022.7.1
-    # via babel
 pyyaml==6.0
     # via
     #   pre-commit
@@ -93,7 +89,7 @@ six==1.16.0
     #   sphinxext-remoteliteralinclude
 snowballstemmer==2.2.0
     # via sphinx
-soupsieve==2.3.2.post1
+soupsieve==2.4.1
     # via beautifulsoup4
 sphinx==4.5.0
     # via
@@ -109,14 +105,15 @@ sphinx==4.5.0
     #   sphinx-prompt
     #   sphinx-tabs
     #   sphinx-tags
-    #   sphinxcontrib-youtube
+    #   sphinxcontrib-video
+    #   sphinxcontrib-yt
 sphinx-autoapi==2.0.1
     # via -r doc-requirements.in
 sphinx-basic-ng==1.0.0b1
     # via furo
 sphinx-code-include==1.1.1
     # via -r doc-requirements.in
-sphinx-copybutton==0.5.1
+sphinx-copybutton==0.5.2
     # via -r doc-requirements.in
 sphinx-fontawesome==0.0.6
     # via -r doc-requirements.in
@@ -138,29 +135,29 @@ sphinxcontrib-htmlhelp==2.0.1
     # via sphinx
 sphinxcontrib-jsmath==1.0.1
     # via sphinx
-sphinxcontrib-mermaid==0.7.1
+sphinxcontrib-mermaid==0.8.1
     # via -r doc-requirements.in
 sphinxcontrib-qthelp==1.0.3
     # via sphinx
 sphinxcontrib-serializinghtml==1.1.5
     # via sphinx
-sphinxcontrib-video==0.0.1.dev3
+sphinxcontrib-video==0.1.1
     # via -r doc-requirements.in
 sphinxcontrib-youtube==1.2.0
     # via -r doc-requirements.in
 sphinxext-remoteliteralinclude==0.4.0
     # via -r doc-requirements.in
-typing-extensions==4.4.0
+typing-extensions==4.5.0
     # via astroid
 unidecode==1.3.6
     # via sphinx-autoapi
-urllib3==1.26.14
+urllib3==1.26.15
     # via requests
-virtualenv==20.17.1
+virtualenv==20.22.0
     # via pre-commit
-wrapt==1.14.1
+wrapt==1.15.0
     # via astroid
-zipp==3.12.0
+zipp==3.15.0
     # via importlib-metadata
 
 # The following packages are considered to be unsafe in a requirements file:

rsts/deployment/configuration/auth_setup.rst

@@ -271,45 +271,134 @@ To set up an external OAuth2 Authorization Server, follow the instructions below
        5. Flytectl should be created with `Access Type Public` and standard flow enabled.
        6. FlytePropeller should be created as an `Access Type Confidential`, standard flow enabled, and note the client ID and client Secrets provided.
 
+   .. group-tab:: Azure AD
+
+      1. Navigate to tab **Overview**, obtain ``<client id>`` and ``<tenant id>``
+      2. Navigate to tab **Authentication**, click ``+Add a platform``
+      3. Add **Web** for flyteconsole and flytepropeller, **Mobile and desktop applications** for flytectl.
+      4. Add URL ``https://<console-url>/callback`` as the callback for Web
+      5. Add URL ``http://localhost:53593/callback`` as the callback for flytectl
+      6. In **Advanced settings**, set ``Enable the following mobile and desktop flows`` to **Yes** to enable deviceflow
+      7. Navigate to tab **Certificates & secrets**, click ``+New client secret`` to create ``<client secret>``
+      8. Navigate to tab **Token configuration**, click ``+Add optional claim`` and create email claims for both ID and Access Token
+      9.  Navigate to tab **API permissions**, add ``email``, ``offline_access``, ``openid``, ``profile``, ``User.Read``
+      10. Navigate to tab **Expose an API**, Click ``+Add a scope`` and ``+Add a client application`` to create ``<custom scope>``
+
+
 Apply Configuration
 ^^^^^^^^^^^^^^^^^^^
 
 It is possible to direct FlyteAdmin to use an external authorization server. To do so, edit the same config map once
 more and follow these changes:
 
-.. code-block:: yaml
+.. tabs::
+   .. group-tab:: Okta
+      .. code-block:: yaml
 
-     auth:
-         appAuth:
-             # 1. Choose External if you will use an external Authorization Server (e.g. a Custom Authorization server in Okta)
-             #    Choose Self (or omit the value) to use FlyteAdmin's internal (albeit limited) Authorization Server.
-             authServerType: External
-
-             # 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
-             externalAuthServer:
-                 baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6
-                 #baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for keycloak
-                 #metadataUrl: .well-known/openid-configuration #Uncomment for keycloak
-
-             thirdPartyConfig:
-                 flyteClient:
-                     # 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server.
-                     clientId: flytectl
-                     # This should not change
+         auth:
+            appAuth:
+               # 1. Choose External if you will use an external Authorization Server (e.g. a Custom Authorization server in Okta)
+               #    Choose Self (or omit the value) to use FlyteAdmin's internal (albeit limited) Authorization Server.
+               authServerType: External
+
+               # 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
+               externalAuthServer:
+                  baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6
+
+               thirdPartyConfig:
+                  flyteClient:
+                        # 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server.
+                        clientId: flytectl
+                        # This should not change
+                        redirectUri: http://localhost:53593/callback
+                        # 4. "all" is a required scope and must be configured in the custom authorization server.
+                        scopes:
+                        - offline
+                        - all
+
+            userAuth:
+               openId:
+                  baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 # Okta with a custom Authorization Server
+                  scopes:
+                  - profile
+                  - openid
+                  # - offline_access # Uncomment if OIdC supports issuing refresh tokens.
+                  clientId: <client id>
+   .. group-tab:: Keycloak
+      .. code-block:: yaml
+
+         auth:
+               appAuth:
+                  # 1. Choose External if you will use an external Authorization Server (e.g. a Custom Authorization server in Okta)
+                  #    Choose Self (or omit the value) to use FlyteAdmin's internal (albeit limited) Authorization Server.
+                  authServerType: External
+
+                  # 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
+                  externalAuthServer:
+                     baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm>
+                     metadataUrl: .well-known/openid-configuration
+
+                  thirdPartyConfig:
+                     flyteClient:
+                           # 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server.
+                           clientId: flytectl
+                           # This should not change
+                           redirectUri: http://localhost:53593/callback
+                           # 4. "all" is a required scope and must be configured in the custom authorization server.
+                           scopes:
+                           - offline
+                           - all
+
+               userAuth:
+                  openId:
+                     baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 # Okta with a custom Authorization Server
+                     scopes:
+                     - profile
+                     - openid
+                     # - offline_access # Uncomment if OIdC supports issuing refresh tokens.
+                     clientId: <client id>
+   .. group-tab:: Azure AD
+      .. code-block:: yaml
+
+         secrets:
+         adminOauthClientCredentials:
+            enabled: true
+            clientSecret: <client secret>
+            clientId: <client id>
+         ---
+         configmap:
+         admin:
+            admin:
+               endpoint: <admin endpoint>
+               insecure: true
+               clientId: <client id>
+               clientSecretLocation: /etc/secrets/client_secret
+               scopes:
+               - api://<client id>/.default
+               useAudienceFromAdmin: true
+         ---
+         auth:
+            appAuth:
+               authServerType: External
+               externalAuthServer:
+                  baseUrl: https://login.microsoftonline.com/<tenant id>/v2.0/
+                  metadataUrl: .well-known/openid-configuration
+                  AllowedAudience:
+                     - api://<client id>
+               thirdPartyConfig:
+                  flyteClient:
+                     clientId: <client id>
                      redirectUri: http://localhost:53593/callback
-                     # 4. "all" is a required scope and must be configured in the custom authorization server.
                      scopes:
-                     - offline
-                     - all
-
-         userAuth:
-             openId:
-                 baseUrl: https://dev-14186422.okta.com/oauth2/auskngnn7uBViQq6b5d6 # Okta with a custom Authorization Server
-                 scopes:
-                 - profile
-                 - openid
-                 # - offline_access # Uncomment if OIdC supports issuing refresh tokens.
-                 clientId: 0oakkheteNjCMERst5d6
+                     - api://<client id>/<custom-scope>
+
+            userAuth:
+               openId:
+                  baseUrl: https://login.microsoftonline.com/<tenant id>/v2.0
+                  scopes:
+                     - openid
+                     - profile
+                  clientId: <client id>
 
 .. tabs::