### Describe the bug
Similar to #1266: I can log in via the web interface, but the CLI fails. I have the same callback URL set for the web and CLI interface, using an external dex. Here's the configuration from that:

```yaml
staticClients:
  - id: "argocd"
    name: "argocd"
    redirectURIs: [ "https://argocd.example.com/auth/callback", "http://localhost:8085/auth/callback" ]
    secret: "supersecret"
```
When I run the CLI login flow, I get this:

```
DEBU[0000] OIDC Configuration:
DEBU[0000] supported_scopes: [openid email groups profile offline_access]
DEBU[0000] response_types_supported: [code]
Opening browser for authentication
Performing authorization_code flow login: https://dex.example.com/auth?access_type=offline&client_id=argocd&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups+offline_access&state=<state>
DEBU[0004] Callback: /auth/callback?code=<code>&state=VrAEaiNlmd
FATA[0004] oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_client","error_description":"Invalid client credentials."}
```
I can see in the dex logs that the dex implementation returns the relevant groups etc. My argocd config map looks like this:

```yaml
apiVersion: v1
data:
  oidc.config: |
    name: dex
    issuer: https://dex.example.com
    clientID: argocd
    clientSecret: $dex.clientSecret
  url: https://argo.example.com
```
Any ideas what this might be?
Are you doing `argocd login --sso`?
Yep
It looks like your credentials are invalid. Have you tried inlining them?
I'm not sure how that's possible. The SSO login opens a localhost browser, and the SSO authentication is successful through that.
I can see the claims in dex being successfully returned and a successful authentication event:

```json
{"level":"info","msg":"login successful: connector \"microsoft\", username=\"Lee Briggs\", email=\"[email protected]\", groups=[long list of groups here]","time":"2019-08-21T20:29:21Z"}
```
However it seems that token isn't sent back to argo correctly, or the token cannot be retrieved?
Note, I haven't included `cliClientID` in my config because my understanding is it'll use `clientID`.
Sorry for the confusion, it seems `public: true` is required on the client.
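The resolution above is easy to miss in review: a dex static client that lists a loopback (CLI-style) callback such as `http://localhost:8085/auth/callback` also needs `public: true`, otherwise the CLI's token exchange is rejected with `invalid_client` even though the browser login works. The following lint is an added example, not code from this issue, Argo CD or dex; it assumes the static-client fields shown in the thread (`id`, `redirectURIs`, `public`) and mirrors the issue's client as a constructed Python dict rather than parsing the YAML file.

```python
"""Lint dex staticClients for a loopback redirect URI on a client that is not
marked ``public: true`` (the misconfiguration behind this issue)."""
from urllib.parse import urlparse

# Hostnames a CLI-style callback typically binds to (assumption for this lint).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_loopback_redirect(uri: str) -> bool:
    """True for callback URIs like http://localhost:8085/auth/callback."""
    parsed = urlparse(uri)
    return parsed.scheme in ("http", "https") and parsed.hostname in LOOPBACK_HOSTS


def check_static_clients(clients):
    """Return one finding per client that has a loopback redirect URI
    but is not marked ``public: true``; an empty list means no issue."""
    findings = []
    for client in clients:
        loopback = [u for u in client.get("redirectURIs", []) if is_loopback_redirect(u)]
        if loopback and not client.get("public", False):
            findings.append(
                f"client {client.get('id')!r} has loopback redirect URI(s) {loopback} "
                "but is not marked public: true; CLI token exchange will fail"
            )
    return findings


# Constructed sample mirroring the staticClients entry posted in the issue.
ISSUE_CLIENTS = [
    {
        "id": "argocd",
        "name": "argocd",
        "redirectURIs": [
            "https://argocd.example.com/auth/callback",
            "http://localhost:8085/auth/callback",
        ],
        "secret": "supersecret",
    }
]

if __name__ == "__main__":
    for finding in check_static_clients(ISSUE_CLIENTS):
        print(finding)
```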