[Core feature] pyflyte should store tokens after DeviceFlow auth

[EternalDeiwos]

Motivation: Why do you think this is important?

Its currently quite annoying to authenticate for every pyflyte command I run against a remote cluster. I am fairly sure that current behaviour of authType=Pkce is to store the access and refresh tokens and use them to maintain an active session and prevent the user from having to re-login too much.

Goal: What should the final outcome look like, ideally?

It would be nice if pyflyte stored the access and refresh tokens and automatically maintained the user's session according to the configuration of the external IdP (e.g. token expiration, maximum session length, etc.)

Describe alternatives you've considered

Completing the entire device-code flow for every instruction (as per current implementation)

Propose: Link/Inline OR Additional context

No response

Are you sure this issue hasn't been raised already?

• Yes

Have you read the Code of Conduct?

• Yes

[dosubot]

🤖

Hey there @EternalDeiwos! Great to cross paths with you again in the world of code. How's it going on your end? 🚀

Thank you for your suggestion, it's indeed a valid point to improve the user experience with pyflyte.

As you've mentioned, the current behavior of authType=Pkce is to store the access and refresh tokens and use them to maintain an active session. This behavior can be extended to pyflyte as well.

In Python, we can create a similar interface using abstract base classes. Here's a rough example:

from abc import ABC, abstractmethod
from oauthlib.oauth2 import Token

class TokenCache(ABC):
    @abstractmethod
    def save_token(self, token: Token) -> None:
        pass

    @abstractmethod
    def get_token(self) -> Token:
        pass

You can then implement this interface with a concrete class that handles the actual storage and retrieval of tokens. The storage could be a simple file, a database, or any other method of persistent storage.

Once you have this, you can modify the authentication flow in pyflyte to save the token after successful authentication and attempt to retrieve it before starting the device-code flow. If a valid token is found in the cache, it can be used to maintain the user session without needing to re-authenticate.

This is a high-level overview and the actual implementation may vary based on the specifics of your application and environment.

As for the current authentication flow in pyflyte, I wasn't able to find specific details within the repository. If you have more information about this, it would be helpful to understand the current implementation and how best to integrate the proposed changes.

Please let me know if you have any questions or need further clarification. I'm here to help!

Best,
Dosu

Sources

• flyteidl/clients/go/admin/cache/token_cache.go

---

This response is meant to be useful and save you time. It is not meant to be a precise solution, but rather a starting point for your own research.

Help me be more useful! Please leave a 👍 if this is helpful and 👎 if it is irrelevant.

If you want to continue the conversation, start your reply with @dosu-bot.

[thomasjhuang]

Hi @EternalDeiwos, I'm an engineer on the Flyte team at LinkedIn, I believe we solved this issue earlier this year, and I could look into seeing if our internal changes may directly resolve this. Will keep this thread posted.

[Sovietaced]

Our company uses DeviceFlow without issue. I believe flytekit caches tokens in the os keyring. We had issues with this on some of our headless machines and it was resolved by installing keyrings.alt per the recommendation of @kumare3.