Open Drugoy opened 1 year ago
I'm a bit of an OIDC noob, but I believe the problem is that Keycloak expects the CLI to send a "client secret," which the client does not hold. I think that the CLI is a "public client" in the language of the Keycloak docs. Perhaps "public client" needs to be enabled on the Keycloak side.
The fact that you can log in via the UI makes me second-guess myself though...
We use keycloak + argocd and could never get the -sso to work because it requires launching a browser. In the end, we use keycloak to log into the argocd web UI, but in a pod at the command line we use the argocd admin user and password and not the keycloak-based login, like this:
./argocd login argo-cd-argocd-server --grpc-web --plaintext --username=admin --password=****
where the password is the admin.password configured in the argocd-secret.
The same secret typically has a key called oidc.keycloak.clientSecret configured; it's just that the argocd command line utility doesn't make use of the OIDC configuration when using -sso, even though you'd expect it to do so.
@anthony-zawacki basically confirmed the ticket, we are experiencing the same.
I'm also having the same problem, trying to get Keycloak to work with my setup but it dumps me back on the login screen. This is the configuration of how I deploy ArgoCD.
Argocd CLI login currently requires a public client, because, contrary to expectations, the login is not proxied via the web interface, which would be able to hold a client secret.
Related: #11025
Hi! The keycloak 20 version has no access type: public option. How do you solve it?
From the keycloak docs:
Capability Config
Client authentication
The type of OIDC client.
ON
For server-side clients that perform browser logins and require client secrets when making an Access Token Request. This setting should be used for server-side applications.
OFF
For client-side clients that perform browser logins. As it is not possible to ensure that secrets can be kept safe with client-side clients, it is important to restrict access by configuring correct redirect URIs.
Set it to OFF
Not working for me
I am currently getting
UI SSO access works just fine, only CLI is ❌
@nlucansk the URLs inside the Keycloak client config should be adjusted, like this: https://github.com/argoproj/argo-cd/issues/12124#issuecomment-2204904239
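The two settings the thread keeps coming back to (client authentication OFF, because the CLI holds no secret, and redirect URIs pinned to the exact callbacks rather than a wildcard) can be checked mechanically. The following is an added example, not code from the issue or from the Argo CD or Keycloak projects: it lints a Keycloak client representation (the JSON shape the admin API exports) and produces a corrected one; the hostname, the sample client and the UI callback URL are assumptions, while the localhost:8085 callback is the one quoted in the thread.

```python
import json

ARGOCD_HOST = "argocd.example.com"  # assumed; replace with your Argo CD server host
CLI_CALLBACK = "http://localhost:8085/auth/callback"  # CLI's local listener (from the thread)
UI_CALLBACK = f"https://{ARGOCD_HOST}/auth/callback"  # web UI callback (assumed path)

# Constructed sample: a confidential client with a wildcard redirect, the shape that
# lets the web UI log in but makes the CLI fail because it cannot present a secret.
SAMPLE_CLIENT = json.dumps({
    "clientId": "argocd",
    "protocol": "openid-connect",
    "publicClient": False,            # "Client authentication" ON in the Keycloak UI
    "standardFlowEnabled": True,      # authorization code flow
    "redirectUris": ["https://argocd.example.com/*"],
})


def lint_argocd_client(client_json: str) -> list[str]:
    """Return findings; an empty list means the client fits what the argocd CLI needs."""
    c = json.loads(client_json)
    findings = []
    if not c.get("publicClient", False):
        findings.append("client authentication is ON; the argocd CLI cannot hold a client secret")
    if not c.get("standardFlowEnabled", False):
        findings.append("standard (authorization code) flow is disabled")
    uris = set(c.get("redirectUris", []))
    for uri in sorted(uris):
        if "*" in uri:
            # With no secret, the redirect URI list is the main control left; keep it exact.
            findings.append(f"wildcard redirect URI {uri!r}; pin exact callbacks instead")
    for required in (UI_CALLBACK, CLI_CALLBACK):
        if required not in uris:
            findings.append(f"missing redirect URI {required!r}")
    return findings


def fix_argocd_client(client_json: str) -> str:
    """Return a corrected representation: public client, exact redirect URIs only."""
    c = json.loads(client_json)
    c["publicClient"] = True
    c["standardFlowEnabled"] = True
    c["redirectUris"] = [UI_CALLBACK, CLI_CALLBACK]
    return json.dumps(c)


if __name__ == "__main__":
    print(lint_argocd_client(SAMPLE_CLIENT))
    print(lint_argocd_client(fix_argocd_client(SAMPLE_CLIENT)))  # []
```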
We are using KeyCloak and I can login via web just fine. But running
argocd login --insecure ${argocd_host} -sso
from the console produces this log: the browser opens the KeyCloak page prompting for login + password, I enter them once and then get redirected to
http://localhost:8085/auth/callback?state=${some_short_hash}&session_state=${some_uid}&code=${two_uids_concatenated_with_dot}
which says: