argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

argocd login --sso oauth2: cannot fetch token: 401 Unauthorized #12124

Open skan-splunk opened 1 year ago

skan-splunk commented 1 year ago

Describe the bug

Attempting to use argocd CLI and authenticating with argocd login <server> --sso and Okta SSO, and receiving the following output and error in the CLI:

WARN[0005] Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web.
Opening browser for authentication
INFO[0007] RequestedClaims: map[groups:essential:true ]
Performing authorization_code flow login: https://{blahhost}&code_challenge_method={blahhash}&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups+offline_access&state={blah}
FATA[0027] oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."}

After Okta authentication, I get an accepted callback to the URL: http://localhost:8085/auth/callback?code={blah}&state={blah} which has the error:

oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."}

Authenticating directly into the ArgoCD UI works fine; additionally I am able to authenticate using the --auth-token flag.

Expected behavior

Run argocd login <server> --sso, authenticate via okta SSO login, success

Version

ArgoCD v2.5.3

ziouf commented 1 year ago

It is still an issue on my side with v2.6.0

icecoffee531 commented 1 year ago

When I set the oidc provider config to public:true it works perfectly (in my case using keycloak)

jfdoube commented 1 year ago

Still an issue here as well

eranreshef-starkware commented 1 year ago

Ran into this also. @icecoffee531 I tried your suggestion and it didn't work for me. Did you do anything else I might have missed?

billabongrob commented 9 months ago

We've attempted to do the same with Okta and were running into the same issues even with public: true

Setting the cliClientID helped us, FWIW.

    # Some OIDC providers require a separate clientID for different callback URLs.
    # For example, if configuring Argo CD with self-hosted Dex, you will need a separate client ID
    # for the 'localhost' (CLI) client to Dex. This field is optional. If omitted, the CLI will
    # use the same clientID as the Argo CD server
    cliClientID: vvvvwwwwxxxxyyyyzzzz

ref

stefanandres commented 9 months ago

@billabongrob

Setting the cliClientID helped us, FWIW.

What did you do on Okta for this? Did you create another Okta app with localhost as callback url or something? It would be great if you could elaborate on what exactly you needed to do to get it working.

billabongrob commented 9 months ago

Absolutely, sorry for being vague - end of the day response! 😃 Yes, we created a Native type OIDC Okta app for the CLI and set it to use Authorization Code + PKCE. The sign in redirect URI was http://localhost:8085/auth/callback and the sign out redirect URI was http://localhost:8085

eranreshef-starkware commented 9 months ago

Thanks @billabongrob your solution worked for me too :tada:

zentavr commented 4 days ago

@billabongrob I have Keycloak on my side and added Valid redirect URIs.

I also adjusted Web origins:

Other settings are as follows: [screenshot 2024-07-03 04:05:44]

There is still the issue:

$ argocd login argocd-k8s-production.example.io --sso --name argocd-k8s-production
WARN[0003] Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web.
Opening browser for authentication
Performing authorization_code flow login: https://sso.example.io/realms/Example/protocol/openid-connect/auth?access_type=offline&client_id=argocd-production-k8s-shared&code_challenge=iI8mfDBZNByRXPnZUruwZhJ5oLHnZouqrumI1KWSjYs&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups+offline_access&state=vHlgeXwhAfriUvkGtFrWCPVK
FATA[0013] oauth2: "unauthorized_client" "Invalid client or Invalid client credentials"

I get that after entering login + password in the pop-up browser window.

Maybe this might be an issue: https://github.com/argoproj/argo-cd/issues/10029#issuecomment-1190685925

zentavr commented 4 days ago

So the reply to my question above: https://github.com/argoproj/argo-cd/issues/10029#issuecomment-1673301634

For Keycloak this needs to be done:

[screenshot 2024-07-03 04:14:13]

Client authentication: OFF
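The three fixes reported in this thread (icecoffee531's `public: true`, billabongrob's separate Native Okta app with Authorization Code + PKCE referenced via `cliClientID`, and the Keycloak `Client authentication: OFF` setting above) all come down to the same thing: the CLI's loopback login sends a PKCE code verifier but no client secret, so the client id it uses has to be registered as a public client. The following Python model is an added example, not Argo CD, Okta or Keycloak code; every client id, secret, authorization code and URL in it is a constructed placeholder. It simulates a provider's authorization and token endpoints with both kinds of registration and reproduces the `invalid_client` rejection against the confidential client next to a successful exchange against the public one.

```python
"""Model of an OIDC authorization-code + PKCE exchange as the argocd CLI performs it.

Added example, not Argo CD, Okta or Keycloak code. Every client id, secret,
code and URL below is a constructed placeholder.
"""
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

CLI_REDIRECT = "http://localhost:8085/auth/callback"          # loopback URI the CLI listens on
SERVER_REDIRECT = "https://argocd.example.com/auth/callback"  # placeholder server callback


def make_verifier() -> str:
    """RFC 7636 code_verifier: 32 random bytes, base64url without padding (43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge for code_challenge_method=S256, as in the login URLs in the thread."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class RegisteredClient:
    client_id: str
    confidential: bool                   # True: "Client authentication: ON" / Okta Web app
    client_secret: Optional[str] = None  # only meaningful for confidential clients
    redirect_uris: Set[str] = field(default_factory=set)


@dataclass
class Provider:
    clients: Dict[str, RegisteredClient]
    # codes handed out by the /auth leg: code -> (client_id, redirect_uri, code_challenge)
    issued: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        """Browser leg: returns the code delivered to redirect_uri?code=...&state=..."""
        client = self.clients[client_id]
        if redirect_uri not in client.redirect_uris:
            raise ValueError("redirect_uri not registered for client")
        code = secrets.token_urlsafe(16)
        self.issued[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, form: Dict[str, str]) -> Dict[str, str]:
        """Back-channel leg: exchanges the code. This is where the thread's 401 comes from."""
        client = self.clients.get(form.get("client_id", ""))
        if client is None:
            return {"error": "invalid_client"}
        # A confidential client must authenticate. The CLI never sends a secret,
        # so the exchange fails here unless the client is registered as public.
        if client.confidential and form.get("client_secret") != client.client_secret:
            return {"error": "invalid_client",
                    "error_description": "Client authentication failed."}
        entry = self.issued.pop(form.get("code", ""), None)  # codes are single-use
        if entry is None or entry[0] != client.client_id or entry[1] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        # PKCE binds the code to the verifier the client generated before opening the browser
        if s256_challenge(form.get("code_verifier", "")) != entry[2]:
            return {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def code_exchange(provider: Provider, client_id: str, redirect_uri: str,
                  client_secret: Optional[str] = None) -> Dict[str, str]:
    """One full login. The server path passes its secret; the CLI path passes none."""
    verifier = make_verifier()
    code = provider.authorize(client_id, redirect_uri, s256_challenge(verifier))
    form = {"grant_type": "authorization_code", "client_id": client_id, "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return provider.token(form)


def cli_login(provider: Provider, client_id: str) -> Dict[str, str]:
    """`argocd login --sso`: loopback redirect, PKCE, and no secret to present."""
    return code_exchange(provider, client_id, CLI_REDIRECT)


def build_provider() -> Provider:
    """Two placeholder registrations mirroring the setups discussed in the thread."""
    return Provider(clients={
        # The server's confidential client with the CLI callback added to it (the
        # "Valid redirect URIs" change): the browser leg succeeds, the token leg fails.
        "argocd-server": RegisteredClient("argocd-server", True, "placeholder-secret",
                                          {SERVER_REDIRECT, CLI_REDIRECT}),
        # A separate public client for the CLI (Okta Native app / Keycloak client
        # authentication OFF); this is the id that belongs in cliClientID.
        "argocd-cli": RegisteredClient("argocd-cli", False, None, {CLI_REDIRECT}),
    })


if __name__ == "__main__":
    p = build_provider()
    print(cli_login(p, "argocd-server"))  # {'error': 'invalid_client', ...}
    print(cli_login(p, "argocd-cli"))     # {'access_token': ..., 'token_type': 'Bearer'}
```

Run as-is it prints the rejection for the confidential client and a token for the public one. In Argo CD terms, `clientID`/`clientSecret` in `oidc.config` stay bound to the server's confidential client, and `cliClientID` names the public client; the PKCE check in the model is what protects a public client's authorization code, so dropping client authentication does not mean dropping verification of who redeems the code.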