akuity / kargo

Application lifecycle orchestration
https://kargo.akuity.io/
Apache License 2.0

Possible bug around OIDC when using keycloak #2950

Closed lknite closed 3 days ago

lknite commented 3 days ago

Description

After successfully being redirected to keycloak for login, and logging in successfully, I'm redirected back to kargo where the kargo login screen reappears.

Troubleshooting

I'm able to see the new session within keycloak, which, if deleted, causes kargo to again perform the workflow with keycloak.

I'm experiencing the same issue at work and in my homelab, so I think it may be kargo.

OIDC used to work, so I think maybe something changed: either a bug, or maybe I need to specify the helm chart values differently. I've reviewed the helm chart and believe I'm providing the needed values there.

After logging in (via keycloak redirect) I see a 'code' in the URL, which I believe shows the workflow worked:

https://kargo.admin.k.home.net/login?session_state=c30c4d53-5f4c-4006-b957-52f1a9048dca&iss=https%3A%2F%2Fkeycloak.admin.k.home.net%2Frealms%2Fhome&code=978b983f-3dca-40be-b43c-5f7170751381.c30c4d53-5f4c-4006-b957-52f1a9048dca.3bcf69e3-87c0-46f4-b588-c5d9c2616f22

I can switch over to argocd, where SSO is functioning, and verify that I'm in the group that is specified in the values.yaml below.

The claims are reaching the 'kargo-admin' service account:

$ k get sa kargo-admin -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    ... snip ...
    rbac.kargo.akuity.io/claim.groups: admin-app-kargo-admin

Steps to Reproduce

values.yaml:

          - name: kargo.api.oidc.enabled
            value: "true"
          - name: kargo.api.oidc.issuerURL
            value: "https://keycloak.admin.k.home.net/realms/home"
          - name: kargo.api.oidc.clientID
            value: "default"
          - name: kargo.api.oidc.additionalScopes[0]
            value: "groups"
          - name: kargo.api.oidc.admins.claims.groups[0]
            value: "admin-app-kargo-admin"
          - name: kargo.api.oidc.dex.enabled
            value: "false"
          - name: kargo.api.logLevel
            value: "DEBUG"
          - name: kargo.controller.logLevel
            value: "DEBUG"
          - name: kargo.managementController.logLevel
            value: "DEBUG"
          - name: kargo.webhooksServer.logLevel
            value: "DEBUG"

Chart.yaml

dependencies:
- name: kargo
  version: 1.0.3
  repository: oci://ghcr.io/akuity/kargo-charts

Logs

In the keycloak log I saw two errors which I resolved, and am no longer seeing any errors.

Although I have increased the logLevel to DEBUG I see next to nothing in the kargo logs:

[kargo-api-66f7896bc-xn5lf api] time="2024-11-18T15:04:44Z" level=info msg="finished unary call" connect.duration="14.18µs" connect.method=GetPublicConfig connect.service=akuity.io.kargo.service.v1alpha1.KargoService connect.start_time="2024-11-18T15:04:44Z"
[kargo-api-66f7896bc-xn5lf api] time="2024-11-18T15:04:48Z" level=info msg="finished unary call" connect.duration="19.88µs" connect.method=GetPublicConfig connect.service=akuity.io.kargo.service.v1alpha1.KargoService connect.start_time="2024-11-18T15:04:48Z"

krancour commented 3 days ago

Some things to try:

  1. Try logging in from the CLI with the --sso option and see what happens.
  2. Use browser tools to examine web traffic during the login flow. When you're redirected, is it after the Kargo API server responds with a 401? If you see no such responses, then it sounds more like the UI deciding on its own that the token is, for some reason, invalid.

These may help narrow down the source of the problem.

lknite commented 3 days ago

1.

After adding the callback URL 'http://localhost/auth/callback', logging in with --sso worked:

kargo login --sso https://kargo.admin.k.home.net

2.

I see a CORS error.

I have in my helm chart:

          - name: kargo.api.permissiveCORSPolicyEnabled
            value: "true"

I changed permissiveCORSPolicyEnabled to false, and am getting the same error.

I verified the value is getting passed to the configmap kargo-api, and I restarted the kargo-api just to be sure:

[travis@wb]$ k get cm kargo-api -o yaml
apiVersion: v1
data:
  ... snip ...
  OIDC_ISSUER_URL: https://keycloak.admin.k.home.net/realms/home
  PERMISSIVE_CORS_POLICY_ENABLED: "false"

krancour commented 3 days ago

PERMISSIVE_CORS_POLICY_ENABLED has to do with how the Kargo API server deals with incoming cross-origin requests.

The problematic request here is one out to keycloak.

I am wondering if this is in some way connected to recent changes @Marvin9 made to proactively detect invalid tokens.

@Marvin9 any thoughts here?

lknite commented 3 days ago

I got it working by adding a '+' to Web origins in keycloak.

Other apps, such as argocd, have been working without that, so not sure why it was needed here. I don't think I've ever used that option before in the last couple of years. In any case, it's working now so closing.

krancour commented 3 days ago

Glad this is sorted out!

Other apps have been working without that such as argocd, so not sure why it was needed here.

Kargo does OIDC with PKCE, which means the browser talks directly to the IDP. Argo CD can do that now as well, but I think it's opt-in. So if you haven't had to do this before, it is probably because the API server for Argo CD (or whatever else) is a middleman between you and the IDP, and with Kargo that isn't the case.
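An added illustration (not Kargo's or Keycloak's own code) of why the Web Origins entry mattered in the comments above: with PKCE the browser at the Kargo UI origin calls Keycloak's token endpoint itself, so that origin must pass Keycloak's CORS check, whereas a server-side exchange (the Argo CD case) sends no browser Origin at all. The helper below models the Web Origins semantics as documented in the Keycloak client settings ('+' permits the origins of all Valid Redirect URIs, '*' permits any origin); the two redirect URIs are taken from the thread, everything else is constructed.

```python
from urllib.parse import urlsplit

# Constructed model of Keycloak's "Web Origins" handling for a public OIDC
# client that does PKCE in the browser.  Illustration only, not Keycloak code.


def origin_of(url: str) -> str:
    """scheme://host[:port] of an absolute URL, as a browser reports Origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme}://{parts.netloc}"


def allowed_origins(valid_redirect_uris, web_origins):
    """Expand a client's Web Origins list into the set of origins it admits.

    '*'  -> every origin (the weak setting; avoid it for a real deployment)
    '+'  -> the origin of every Valid Redirect URI (what the thread added)
    else -> taken literally as an origin
    """
    if "*" in web_origins:
        return {"*"}
    allowed = set()
    for entry in web_origins:
        if entry == "+":
            for uri in valid_redirect_uris:
                origin = origin_of(uri)
                if "*" not in origin:  # wildcards only make sense in the path
                    allowed.add(origin)
        else:
            allowed.add(origin_of(entry))
    return allowed


def cors_permits(browser_origin, valid_redirect_uris, web_origins):
    """Would a token-endpoint call from browser_origin get Access-Control-Allow-Origin?"""
    allowed = allowed_origins(valid_redirect_uris, web_origins)
    return "*" in allowed or browser_origin in allowed


if __name__ == "__main__":
    # Redirect URIs from the thread: the Kargo UI login page and the CLI --sso callback.
    redirects = ["https://kargo.admin.k.home.net/login", "http://localhost/auth/callback"]
    ui_origin = origin_of("https://kargo.admin.k.home.net/login?code=constructed")
    print(cors_permits(ui_origin, redirects, []))     # False: the CORS error in the thread
    print(cors_permits(ui_origin, redirects, ["+"]))  # True: after adding '+'
```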