argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Login Error using Azure SSO OIDC Authentication, Invalid Redirect URL #12873

Open markpakeltis opened 1 year ago

markpakeltis commented 1 year ago

Describe the bug

From time to time, when trying to log in to ArgoCD using Azure SSO, which is configured using OIDC (Azure AD App Registration Auth using OIDC), the following error appears: Invalid redirect URL: the protocol and host (including port) must match and the path must be within allowed URLs if provided. The issue is not consistent; after a refresh it looks like it works again, but when trying to log in/log out multiple times, approximately 1 in 5 attempts fails with the error above. It can be fixed by simply refreshing the browser, but sometimes that doesn't help and clearing cache/cookies does. Logs from both applications don't show the reason. There are some failures/interactions in the Azure logs, but they are not related to these errors.

To Reproduce

---
argo-cd:
  configs:
    rbac:
      policy.default: role:readonly
      policy.csv: |
        p, role:oidc-org-admin, applications, *, */*, allow
        p, role:oidc-org-admin, clusters, get, *, allow
        p, role:oidc-org-admin, repositories, get, *, allow
        p, role:oidc-org-admin, repositories, create, *, allow
        p, role:oidc-org-admin, repositories, update, *, allow
        p, role:oidc-org-admin, repositories, delete, *, allow
        g, "ddcd9307-1461-4990-983d-xxxxxxxxxxxxx", role:oidc-org-admin
    cm:
      url: "https://argocd.someurl.net"
      oidc.config: |
        name: Azure
        issuer: https://login.microsoftonline.com/30d91adf-8d2e-4258-bc92-aaaaaaaaaaa/v2.0
        clientID: a34d1f6e-34b6-4552-a8a2-bbbbbbbbbbb
        clientSecret: $oidc.azure.clientSecret
        requestedIDTokenClaims:
          groups:
            essential: true
        requestedScopes:
          - openid
          - profile
          - email
  server:
    ingress:
      enabled: true
      hosts: [argocd.someurl.net]
      annotations:
        alb.ingress.kubernetes.io/backend-protocol: "HTTPS"
        alb.ingress.kubernetes.io/ssl-redirect: "443"
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/target-type: ip
        alb.ingress.kubernetes.io/group.name: tenant
        alb.ingress.kubernetes.io/auth-type: oidc
        alb.ingress.kubernetes.io/auth-scope: openid profile email
        alb.ingress.kubernetes.io/auth-session-timeout: "86400"
        alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
        alb.ingress.kubernetes.io/wafv2-acl-arn: "arn:aws:wafv2:eu-central-1:111111111111:regional/webacl/dev-eu-central-1/8b19425f-f02e-48da-a187-zzzzzzzzzz"
        alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:eu-central-1:111111111111:certificate/725eefa2-d9e6-47c3-9007-cccccccccccc"
        alb.ingress.kubernetes.io/auth-idp-oidc: |
          {
            "issuer": "https://login.microsoftonline.com/30d91adf-8d2e-4258-bc92-aaaaaaaaaaa/v2.0",
            "authorizationEndpoint": "https://login.microsoftonline.com/30d91adf-8d2e-4258-bc92-aaaaaaaaaaa/oauth2/v2.0/authorize",
            "tokenEndpoint": "https://login.microsoftonline.com/30d91adf-8d2e-4258-bc92-aaaaaaaaaaa/oauth2/v2.0/token",
            "userInfoEndpoint": "https://graph.microsoft.com/oidc/userinfo",
            "secretName": "argocd-secret"
          }
      labels:
        app: argocd
        app.kubernetes.io/instance: argocd
      ingressClassName: alb
      paths:
        - /
      pathType: Prefix
      backend:
        service:
          name: argocd-server
          port:
            name: https

Expected behavior

User is able to log in without the error described above. Authentication is successful.

Helm Chart version

version: 2.5.5
appVersion: 5.16.13

Logs

Logs from argocd-server pod:

time="2023-03-15T11:16:14Z" level=info msg="received unary call /version.VersionService/Version" grpc.method=Version grpc.request.content= grpc.service=version.VersionService grpc.start_time="2023-03-15T11:16:14Z" span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Version grpc.service=version.VersionService grpc.start_time="2023-03-15T11:16:14Z" grpc.time_ms=15.366 span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.method=Get grpc.request.content= grpc.service=cluster.SettingsService grpc.start_time="2023-03-15T11:16:14Z" span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.start_time="2023-03-15T11:16:14Z" grpc.time_ms=14.458 span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="received unary call /version.VersionService/Version" grpc.method=Version grpc.request.content= grpc.service=version.VersionService grpc.start_time="2023-03-15T11:16:14Z" span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Version grpc.service=version.VersionService grpc.start_time="2023-03-15T11:16:14Z" grpc.time_ms=15.637 span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.method=Get grpc.request.content= grpc.service=cluster.SettingsService grpc.start_time="2023-03-15T11:16:14Z" span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.start_time="2023-03-15T11:16:14Z" grpc.time_ms=16.109 span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="received unary call /session.SessionService/GetUserInfo" grpc.method=GetUserInfo grpc.request.content= grpc.service=session.SessionService grpc.start_time="2023-03-15T11:16:14Z" span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=GetUserInfo grpc.service=session.SessionService grpc.start_time="2023-03-15T11:16:14Z" grpc.time_ms=6.111 span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = no session information" grpc.code=Unauthenticated grpc.method=List grpc.service=cluster.ClusterService grpc.start_time="2023-03-15T11:16:14Z" grpc.time_ms=5.429 span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = no session information" grpc.code=Unauthenticated grpc.method=List grpc.service=application.ApplicationService grpc.start_time="2023-03-15T11:16:14Z" grpc.time_ms=8.121 span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="received unary call /session.SessionService/GetUserInfo" grpc.method=GetUserInfo grpc.request.content= grpc.service=session.SessionService grpc.start_time="2023-03-15T11:16:14Z" span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=GetUserInfo grpc.service=session.SessionService grpc.start_time="2023-03-15T11:16:14Z" grpc.time_ms=5.089 span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.method=Get grpc.request.content= grpc.service=cluster.SettingsService grpc.start_time="2023-03-15T11:16:14Z" span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="received unary call /session.SessionService/GetUserInfo" grpc.method=GetUserInfo grpc.request.content= grpc.service=session.SessionService grpc.start_time="2023-03-15T11:16:14Z" span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=GetUserInfo grpc.service=session.SessionService grpc.start_time="2023-03-15T11:16:14Z" grpc.time_ms=8.642 span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.start_time="2023-03-15T11:16:14Z" grpc.time_ms=9.557 span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.method=Get grpc.request.content= grpc.service=cluster.SettingsService grpc.start_time="2023-03-15T11:16:14Z" span.kind=server system=grpc
time="2023-03-15T11:16:14Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.start_time="2023-03-15T11:16:14Z" grpc.time_ms=9.521 span.kind=server system=grpc
time="2023-03-15T11:16:15Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.method=Get grpc.request.content= grpc.service=cluster.SettingsService grpc.start_time="2023-03-15T11:16:15Z" span.kind=server system=grpc
time="2023-03-15T11:16:15Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.start_time="2023-03-15T11:16:15Z" grpc.time_ms=13.06 span.kind=server system=grpc
time="2023-03-15T11:16:16Z" level=info msg="RequestedClaims: map[groups:essential:true ]\n"

Logs from Azure:

2023-03-15T11:16:10Z,"bf9f9ecf-b78c-416e-b2a6-a4940c9e1f00","9df6e826-fd2f-4fe2-879b-816d49525bb2","1d875f25-8d6e-475c-b6d8-2eeab7a8fa72","User Name","user@email.com","member","none","none","none","z56fv4y3bkGypqSUDJ4fAA","none","ArgoCD_system_auth","a34d1f6e-34b6-4552-a8a2-bbbbbbbbbbb","Microsoft Graph","00000003-0000-0000-c000-000000000000","30d91adf-8d2e-4258-bc92-aaaaaaaaaaa","30d91adf-8d2e-4258-bc92-aaaaaaaaaaa","","x.x.x.x","Frankfurt Am Main, Hessen, DE","Success","","Other.","Browser","","Chrome 110.0.0","MacOs","false","false","","MFA requirement satisfied by claim in the token","","","Multifactor authentication","","","16509","false","Azure AD","None","","159","Success"
2023-03-15T11:16:10Z,"d3f8cc0e-266c-4778-b31a-a4a96c401d00","9df6e826-fd2f-4fe2-879b-816d49525bb2","1d875f25-8d6e-475c-b6d8-2eeab7a8fa72","User Name","user@email.com","member","none","none","none","Dsz402wmeEezGqSpbEAdAA","none","ArgoCD_system_auth","a34d1f6e-34b6-4552-a8a2-bbbbbbbbbbb","Microsoft Graph","00000003-0000-0000-c000-000000000000","30d91adf-8d2e-4258-bc92-aaaaaaaaaaa","30d91adf-8d2e-4258-bc92-aaaaaaaaaaa","","x.x.x.x","Frankfurt Am Main, Hessen, DE","Interrupted","50097","Device authentication is required.","Browser","","Chrome 110.0.0","MacOs","false","false","","This is not an error - this is an interrupt that triggers device authentication when required due to a Conditional Access policy or because the application or resource requested the device ID in a token. This code alone does not indicate a failure on your users part to sign in. The sign in logs may indicate that the device authentication challenge was passed succesfully or failed.","","","Multifactor authentication","","","16509","false","Azure AD","None","","161","Failure"
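
The error quoted in the report states the rule that a post-login return URL has to satisfy. The Go function below is an added example, not Argo CD's own code: it implements that rule as written (scheme and host including port must equal the configured `cm.url`, and the path must sit under an allowed path if any are configured), so the cases that trip it, such as a plain-HTTP or differently-ported return URL, can be checked offline. The base URL is the report's `argocd.someurl.net`; the other URLs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedRedirect applies the rule quoted in the error message (scheme and host
// incl. port must equal the configured base URL; path must sit under an allowed
// path when any are set). Illustrative reimplementation, not Argo CD's code.
func allowedRedirect(baseURL, redirectURL string, allowedPaths []string) (bool, string) {
	base, err1 := url.Parse(baseURL)
	target, err2 := url.Parse(redirectURL)
	if err1 != nil || err2 != nil {
		return false, "unparseable URL"
	}
	// Reject scheme-relative ("//host/...") and bare-path targets outright.
	if target.Scheme == "" || target.Host == "" {
		return false, "redirect URL must be absolute"
	}
	if !strings.EqualFold(target.Scheme, base.Scheme) {
		return false, fmt.Sprintf("protocol mismatch: %s vs %s", target.Scheme, base.Scheme)
	}
	// url.URL.Host carries the port, so "host:8080" never equals "host".
	if !strings.EqualFold(target.Host, base.Host) {
		return false, fmt.Sprintf("host mismatch: %s vs %s", target.Host, base.Host)
	}
	if len(allowedPaths) == 0 {
		return true, ""
	}
	for _, p := range allowedPaths {
		p = strings.TrimSuffix(p, "/")
		if target.Path == p || strings.HasPrefix(target.Path, p+"/") {
			return true, ""
		}
	}
	return false, "path not within allowed URLs"
}

func main() {
	const base = "https://argocd.someurl.net" // cm.url from the report
	for _, r := range []string{"https://argocd.someurl.net/applications", // constructed
		"http://argocd.someurl.net/applications", "https://argocd.someurl.net:8080/applications"} {
		ok, reason := allowedRedirect(base, r, nil)
		fmt.Printf("%-46s ok=%-5t %s\n", r, ok, reason)
	}
}
```

Because the port is part of the compared host, a base URL without an explicit port will not match a return URL that carries one, even when that port is the scheme default.
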

joaocc commented 4 months ago

Hi. Any news on this issue? Thanks

prashil-g commented 4 months ago

We are still seeing this issue; do we have a possible RCA?

prashil-g commented 2 months ago

Any update on this fix?