Argo-cd: Username is empty when authenticating with dex connector

Created on 10 Sep 2020 · 4Comments · Source: argoproj/argo-cd

Describe the bug

We are using the openshift dex-connector for authentication.
But when a user logs in then the username is not recognized:

2020-09-10_11h07_13

In the logs of the dex-server everythings looks fine (also the username is printed correctly):

2020-09-10_11h09_27

This is an important information as we need to know extactly who was triggering the Sync.
But now there is always "unknown", because argocd doesn't recognize the username properly.

2020-09-10_11h14_26

And on the API:

"initiatedBy": {}

If i login with the local "admin" and then initiate a sync, then everything is displayed correctly.

Version

argocd: v1.7.0+24b9319
  BuildDate: 2020-08-25T18:57:27Z
  GitCommit: 24b93197e05d02e31f6b788e53b529cadcf2ccd4
  GitTreeState: clean
  GoVersion: go1.14.1
  Compiler: gc
  Platform: linux/amd64
argocd-server: v1.7.3+b4c79cc
  BuildDate: 2020-09-01T23:19:02Z
  GitCommit: b4c79ccb88173604c3786dcd34e83a9d7e8919a5
  GitTreeState: clean
  GoVersion: go1.14.1
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: {Version:kustomize/v3.6.1 GitCommit:c97fa946d576eb6ed559f17f2ac43b3b5a8d5dbd BuildDate:2020-05-27T20:47:35Z GoOs:linux GoArch:amd64}
  Helm Version: version.BuildInfo{Version:"v3.2.0", GitCommit:"e11b7ce3b12db2941e90399e874513fbd24bcb71", GitTreeState:"clean", GoVersion:"go1.13.10"}
  Kubectl Version: v1.17.8

bug

Source

thomasrepnik

👍3

Most helpful comment

Think the issue is here:

https://github.com/argoproj/argo-cd/blob/master/pkg/apiclient/session/session.pb.go#L232

Username             string   `protobuf:"bytes,2,opt,name=username,proto3" json:"username,omitempty"

in the log of the argo-server i can see the result of the call:

/session.SessionService/GetUserInfo" grpc.method=GetUserInfo grpc.request.claims="{\"at_hash\":\"EsAmC1UZDb-fug231t35RA\",\"aud\":\"argo-cd\",\"email_verified\":false,\"exp\":1608286358,\"groups\":[\"system:authenticated\",\"system:authenticated:oauth\"],\"iat\":1608199958,\"iss\":\"https://argo-ui-dirien-test.apps-sandbox.cmpf.schwarz/api/dex\",\"name\":\"dirien\",\"preferred_username\":\"dirien\",\"sub\":\"CiQxMDhkY2Y3Ni01NDcxLTExZTktYTQyOS0wMDUwNTZiNDViZWESCW9wZW5zaGlmdA\"}" grpc.request.content= grpc.service=session.SessionService grpc.start_time="2020-12-17T10:12:59Z" span.kind=server system=grpc
time="2020-12-17T10:12:59Z" level=info msg="finished unary call

As i can see is that username != name or preferred_username

dirien on 17 Dec 2020

👍2 🚀1

All 4 comments

:+1:, this would be really really useful for auditing who synced an application and when on OpenShift

chrisob on 30 Sep 2020

I can confirm the same issue with OCP 4.5 and ArgoCD

u849296 on 1 Dec 2020

i can confirm this issue. The question would be: is this an argo issue or an Dex issue?

dirien on 17 Dec 2020

Think the issue is here:

https://github.com/argoproj/argo-cd/blob/master/pkg/apiclient/session/session.pb.go#L232

Username             string   `protobuf:"bytes,2,opt,name=username,proto3" json:"username,omitempty"

in the log of the argo-server i can see the result of the call:

/session.SessionService/GetUserInfo" grpc.method=GetUserInfo grpc.request.claims="{\"at_hash\":\"EsAmC1UZDb-fug231t35RA\",\"aud\":\"argo-cd\",\"email_verified\":false,\"exp\":1608286358,\"groups\":[\"system:authenticated\",\"system:authenticated:oauth\"],\"iat\":1608199958,\"iss\":\"https://argo-ui-dirien-test.apps-sandbox.cmpf.schwarz/api/dex\",\"name\":\"dirien\",\"preferred_username\":\"dirien\",\"sub\":\"CiQxMDhkY2Y3Ni01NDcxLTExZTktYTQyOS0wMDUwNTZiNDViZWESCW9wZW5zaGlmdA\"}" grpc.request.content= grpc.service=session.SessionService grpc.start_time="2020-12-17T10:12:59Z" span.kind=server system=grpc
time="2020-12-17T10:12:59Z" level=info msg="finished unary call

As i can see is that username != name or preferred_username

dirien on 17 Dec 2020

👍2 🚀1

Was this page helpful?

0 / 5 - 0 ratings