Thank you thanos, I finally solved my problem. It turns out that the wandb documentation forgot to mention the OIDC_SECRET environment variable, which is necessary for SSO login; without it, wandb won’t redirect to SSO login on clicking the Login button. That’s why I mentioned wandb.auth0.com. I thought there should be a page for the user to choose between simple login and SSO login.
After setting the OIDC_SECRET environment variable and restarting the server, I can get redirected to SSO login. However, since I can’t find Okta’s OIDC secret, I tried to use lark suite like this:
```
sudo docker run -itd \
  -e HOST=https://localhost:10087 \
  -e LICENSE=xxx \
  -e OIDC_ISSUER=https://anycross.feishu.cn/sso/{app_id} \
  -e OIDC_CLIENT_ID={client_id} \
  -e OIDC_AUTH_METHOD=pkce \
  -e OIDC_SECRET={client_secret} \
  -p 8900:8080 \
  --name wandb-local \
  wandb/local
```
I can log in to lark suite and get redirected back to somewhere like https://localhost:10087/oidc/callback?code=5q4yYL71wrzxHxTnB9si9lhchA3i4NGE7aOvXI30ei4.mom6ZxjNWNdctNddkFRV4bc7vNIdk7mA7wl_Ih8Gbm0&scope=openid+profile+email&state=Mmh2TldnY2Q3ajJkWEhDUA%3D%3D, but wandb failed to finish login and reported this:
We’re sorry, but there was a problem authenticating your account: Invalid PKCE code exchange: authentication error: invalid_request, description: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Only support one client credential way.
I guess this is about my SSO provider settings (especially the return_type), but I am not sure what wandb wants. Here is my SSO provider configuration:
Translate this into English:
```
# tip: The default login protocol used when accessing the authentication address directly. If implicit
# is turned on, make sure the callback addresses are all HTTPS protocols!
grant_type: authorization_code, refresh_token
scope: openid, profile, email
# tip: Configure the data items that lark supports to return from the authorization endpoint,
# code for support to return authorization code, token for support to return Access Token, id_token
# for support to return ID Token. If you don't actively ask lark for it when you initiate a request,
# lark won't proactively return the corresponding data
#
# there is only one choice, perhaps lark's SSO provider is imperfect and incompatible with wandb?
return_type: code
# tip: choosing HS256 needs to verify the signature with App Secret, while RS256 needs to verify
# with public key, the public key is obtained from `JWKS public key endpoint`
ID_Token_Signature_Algorithm: HS256
# tip: When turned on, lark will return encrypted ID Token, you need to decrypt the ID Token with
# your private key before verifying its signature. Note that turning this option on or off may
# require modifying the current application logic for obtaining and parsing ID Token.
encrypt_ID_Token: false
aquire_Token_authentication_method: client_secret_post
```
Can you please help confirm if this SSO provider is compatible with wandb local?
Thanks for all your help, and it would be great if you update the documentation and add OIDC_SECRET in https://docs.wandb.ai/guides/hosting/env-vars and https://docs.wandb.ai/guides/hosting/sso
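
The `invalid_request` text in the error above matches RFC 6749 section 5.2, which also covers a token request that uses more than one mechanism to authenticate the client. An added example (not wandb's or Lark's code, and not from the original post): a checker for a token request captured while debugging such a setup. The function names and request values are constructed; the verifier/challenge pair is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
from urllib.parse import parse_qs


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256 code_challenge for a code_verifier (RFC 7636, section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def client_auth_methods(headers: dict, form: dict) -> list:
    """Client authentication mechanisms present in one token request."""
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    found = []
    if auth.lower().startswith("basic "):
        found.append("client_secret_basic")
    if "client_secret" in form:
        found.append("client_secret_post")
    if "client_assertion" in form:
        found.append("client_assertion")
    return found


def check_token_request(headers, body, expected_method, code_challenge=None):
    """Reasons a token endpoint could reject this request as invalid_request.

    Assumes an authorization_code exchange that uses PKCE and a redirect_uri.
    """
    form = parse_qs(body, keep_blank_values=True)
    problems = [f"parameter repeated: {k}" for k, v in form.items() if len(v) > 1]
    methods = client_auth_methods(headers, form)
    if len(methods) > 1:  # RFC 6749 section 2.3: only one method per request
        problems.append("multiple client auth methods: " + ", ".join(methods))
    elif methods != [expected_method]:
        problems.append(f"expected {expected_method}, got {methods or 'none'}")
    for name in ("grant_type", "code", "redirect_uri", "code_verifier"):
        if name not in form:
            problems.append(f"missing parameter: {name}")
    verifier = form.get("code_verifier", [""])[0]
    if code_challenge and verifier and s256_challenge(verifier) != code_challenge:
        problems.append("code_verifier does not match code_challenge")
    return problems


# Constructed sample request; CODE, CLIENT_ID and CLIENT_SECRET are placeholders.
BODY = ("grant_type=authorization_code&code=CODE"
        "&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
        "&redirect_uri=https%3A%2F%2Flocalhost%3A10087%2Foidc%2Fcallback"
        "&client_id=CLIENT_ID&client_secret=CLIENT_SECRET")
BOTH = {"Authorization": "Basic Q0xJRU5UX0lEOkNMSUVOVF9TRUNSRVQ="}
```

Calling `check_token_request(BOTH, BODY, "client_secret_post")` flags the duplicated client credentials, while the same body without the `Authorization` header passes.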