From 0d1f7b026051fc47056c523f6cae7315a549d5f3 Mon Sep 17 00:00:00 2001
From: Mark Waylonis <mwaylonis@gmail.com>
Date: Mon, 3 Mar 2025 11:00:34 -0800
Subject: [PATCH] Add allowedAudience to flyte-core external auth deployment
 documentation (#5124)

* Add allowedAudience to flyte-core external auth deployment documentation

Signed-off-by: Mark Waylonis <mwaylonis@gmail.com>

* Update auth_setup.rst

Signed-off-by: Eduardo Apolinario <653394+eapolinario@users.noreply.github.com>

---------

Signed-off-by: Mark Waylonis <mwaylonis@gmail.com>
Signed-off-by: Eduardo Apolinario <653394+eapolinario@users.noreply.github.com>
Co-authored-by: Eduardo Apolinario <653394+eapolinario@users.noreply.github.com>
---
 docs/deployment/configuration/auth_setup.rst | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/deployment/configuration/auth_setup.rst b/docs/deployment/configuration/auth_setup.rst
index 92eeb89d9d..9b19cfd8d6 100644
--- a/docs/deployment/configuration/auth_setup.rst
+++ b/docs/deployment/configuration/auth_setup.rst
@@ -605,6 +605,8 @@ Follow the steps in this section to configure `flyteadmin` to use an external au
 
                # 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
                externalAuthServer:
+               # Replace this with your deployment URL.  It will be used by flyteadmin to validate the token audience
+                 allowedAudience: https://<your-flyte-deployment-URL>
                # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
                # baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0 # Uncomment for Azure AD
                # For Okta, use the Issuer URI of the custom auth server: