Open skan-splunk opened 1 year ago
It is still an issue on my side with v2.6.0
When I set the OIDC provider config to public:true, it works perfectly (in my case using Keycloak).
Still an issue here as well
Ran into this also. @icecoffee531 I tried your suggestion and it didn't work for me. Did you do anything else I might have missed?
We've attempted to do the same with Okta and were running into the same issues even with public: true
Setting the cliClientID helped us, FWIW.
# Some OIDC providers require a separate clientID for different callback URLs.
# For example, if configuring Argo CD with self-hosted Dex, you will need a separate client ID
# for the 'localhost' (CLI) client to Dex. This field is optional. If omitted, the CLI will
# use the same clientID as the Argo CD server
cliClientID: vvvvwwwwxxxxyyyyzzzz
@billabongrob
> Setting the cliClientID helped us, FWIW.
What did you do on Okta for this? Did you create another Okta app with localhost as callback url or something? It would be great if you could elaborate on what exactly you needed to do to get it working.
Absolutely, sorry for being vague - end of the day response! 😃 Yes, we created a Native type OIDC Okta app for the CLI and set it to use Authorization Code + PKCE. The sign in redirect URI was http://localhost:8085/auth/callback and the sign out redirect URI was http://localhost:8085
Thanks @billabongrob your solution worked for me too :tada:
@billabongrob I have Keycloak on my side, and added Valid redirect URIs.
Also I'd adjusted Web origins:
Other settings are as follows:
There is still the issue:
$ argocd login argocd-k8s-production.example.io --sso --name argocd-k8s-production
WARN[0003] Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web.
Opening browser for authentication
Performing authorization_code flow login: https://sso.example.io/realms/Example/protocol/openid-connect/auth?access_type=offline&client_id=argocd-production-k8s-shared&code_challenge=iI8mfDBZNByRXPnZUruwZhJ5oLHnZouqrumI1KWSjYs&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups+offline_access&state=vHlgeXwhAfriUvkGtFrWCPVK
FATA[0013] oauth2: "unauthorized_client" "Invalid client or Invalid client credentials"
Have that after entering login+password in the pop up browser window.
Maybe this might be an issue: https://github.com/argoproj/argo-cd/issues/10029#issuecomment-1190685925
So the reply to my question above: https://github.com/argoproj/argo-cd/issues/10029#issuecomment-1673301634
For Keycloak this needs to be done:
Client authentication: OFF
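The fixes reported in this thread (public:true, a Native Okta app with Authorization Code + PKCE, Keycloak "Client authentication: OFF") all make the CLI's client a public one. The sketch below is an added example, not code from Argo CD or from any commenter: a simplified model of an IdP token endpoint, assuming the CLI redeems the code with a PKCE verifier and no client secret. Client names, the secret and the verifier are constructed.

```python
import base64
import hashlib
import hmac

REDIRECT = "http://localhost:8085/auth/callback"  # CLI callback seen in the thread
VERIFIER = "constructed-verifier-for-illustration-0123456789abc"  # constructed, 43-128 chars

def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge (RFC 7636): BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def token_endpoint(client: dict, stored_challenge: str, request: dict) -> str:
    """Simplified IdP token endpoint (a model, not Keycloak or Okta code)."""
    if client["confidential"]:
        # Confidential client: a secret is mandatory, and the CLI has none to send.
        supplied = request.get("client_secret", "")
        if not hmac.compare_digest(supplied, client["secret"]):
            return "unauthorized_client"  # error string shown in the CLI log above
    # Public or confidential: PKCE ties the code to whoever started the flow.
    if not hmac.compare_digest(pkce_challenge(request["code_verifier"]), stored_challenge):
        return "invalid_grant"
    return "ok"

def cli_login(client: dict, redeem_verifier: str = VERIFIER) -> str:
    """Authorization code + PKCE as a CLI would run it: no client_secret in the request."""
    challenge = pkce_challenge(VERIFIER)  # sent with the authorization request, kept by the IdP
    request = {
        "grant_type": "authorization_code",
        "code": "constructed-code",
        "redirect_uri": REDIRECT,
        "client_id": client["id"],
        "code_verifier": redeem_verifier,
    }
    return token_endpoint(client, challenge, request)

# Constructed client registrations: the server's confidential client and a
# separate public client of the kind cliClientID would point at.
SERVER_CLIENT = {"id": "argocd-server", "confidential": True, "secret": "constructed-secret"}
CLI_CLIENT = {"id": "argocd-cli", "confidential": False, "secret": None}

if __name__ == "__main__":
    print("CLI against confidential client:", cli_login(SERVER_CLIENT))
    print("CLI against public client:      ", cli_login(CLI_CLIENT))
    print("Public client, wrong verifier:  ", cli_login(CLI_CLIENT, "x" * 43))
```

The third case shows what PKCE adds for a public client: a code delivered to the loopback callback cannot be redeemed without the verifier that produced the original challenge.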
Describe the bug
Attempting to use argocd CLI and authenticating with argocd login <server> --sso and Okta SSO, and receiving the following output and error in the CLI:
After Okta authentication, I get an accepted callback to the URL: http://localhost:8085/auth/callback?code={blah}&state={blah} which has the error:
Authenticating directly into ArgoCD UI works fine, additionally able to authenticate using --auth-token flag.
Expected behavior
Run argocd login <server> --sso, authenticate via okta SSO login, success
Version
ArgoCD v2.5.3