argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Using Azure AD with ArgoCD DEX returns all AD groups a user belongs to #11523

Open toralf-hlag opened 1 year ago

toralf-hlag commented 1 year ago

We configured ArgoCD to use DEX in the following manner:

  - type: microsoft
    id: microsoft
    name: Azure AD
    config:
      clientID: $argocd-azure-ad-oauth:client-id
      clientSecret: $argocd-azure-ad-oauth:client-secret-value
      redirectURI: $argocd-azure-ad-oauth:redirect-uri
      tenant: $argocd-azure-ad-oauth:tenant
      useLoginAsID: false

We configured MS Azure AD to return only the application-specific groups. But we do get all groups (about 600) of a user. An MS developer told us that this is not a bug but an application-specific behavior (of DEX).

Therefore, please enhance DEX to not query MS Graph for all groups of a user. Instead, DEX should only return the groups defined in Azure AD for the application, if Azure AD is configured that way.

toralf-hlag commented 1 year ago

Maybe this is better done in https://github.com/dexidp/dex/issues/2752 ?

AurimasNav commented 2 months ago

I would add that the documentation here: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/#setup-permissions-for-entra-id-application is not complete, as with Dex we also need Directory.Read.All at the moment.
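Added example, not configuration from the issue or from the Argo CD project: the connector as posted in the first comment beside the same connector with Dex-side group filtering, using the Dex microsoft connector options `groups`, `useGroupsAsWhitelist`, `onlySecurityGroups` and `groupNameFormat` as documented for Dex (check them against the Dex release you run); the group object IDs are placeholders. The filter is applied after the Graph call, so it trims the groups claim but does not remove the Directory.Read.All requirement noted in the last comment.

```yaml
# Added example, not from the issue. Both documents are the `connectors:`
# section of the dex.config key in argocd-cm; the secret references are the
# placeholders used in the issue, the group object IDs are made up.

# Variant A: the connector as posted. Dex asks MS Graph for the user's group
# memberships and copies all of them (about 600 here) into the groups claim;
# the "assigned groups only" setting on the Azure AD app registration does
# not change what Dex requests from Graph.
connectors:
  - type: microsoft
    id: microsoft
    name: Azure AD
    config:
      clientID: $argocd-azure-ad-oauth:client-id
      clientSecret: $argocd-azure-ad-oauth:client-secret-value
      redirectURI: $argocd-azure-ad-oauth:redirect-uri
      tenant: $argocd-azure-ad-oauth:tenant
      useLoginAsID: false
---
# Variant B: same connector with Dex-side filtering. Dex still calls Graph
# (so Directory.Read.All is still required), but only the groups listed
# under `groups` are emitted in the claim, and a user who belongs to none of
# them is refused at login. Matching on object IDs (groupNameFormat: id)
# avoids confusion from renamed or duplicated display names.
connectors:
  - type: microsoft
    id: microsoft
    name: Azure AD
    config:
      clientID: $argocd-azure-ad-oauth:client-id
      clientSecret: $argocd-azure-ad-oauth:client-secret-value
      redirectURI: $argocd-azure-ad-oauth:redirect-uri
      tenant: $argocd-azure-ad-oauth:tenant
      useLoginAsID: false
      onlySecurityGroups: true        # ignore M365 and distribution groups
      groupNameFormat: id             # match and emit group object IDs
      groups:
        - 00000000-0000-0000-0000-000000000001   # placeholder: admins group
        - 00000000-0000-0000-0000-000000000002   # placeholder: developers group
      useGroupsAsWhitelist: true      # claim carries only the groups above
```

The IDs listed under `groups` are the values to reference in argocd-rbac-cm `policy.csv` group bindings, since they are what the claim now contains.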