argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
17.33k stars 5.26k forks

Azure AD App Registration Auth using Dex not working. #13641

Open leelax22 opened 1 year ago

leelax22 commented 1 year ago

Checklist:

Describe the bug

https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/#azure-ad-app-registration-auth-using-dex

I followed this link to test integrating Azure AD with Argocd login.

For #3, Azure AD App Registration Auth using Dex, it says to follow the same steps as in step 2 with different configurations.

Authentication via OIDC and RBAC worked fine with step 2.

In step 2, the user info showed the group I specified as the SSO target. However, when I follow step 3, it shows all the tenant groups that I belong to, not the group that I targeted for SSO.

The target group registered in the enterprise app is the same for both.

To Reproduce

Expected behavior

Sign in with a user account that belongs to the SSO target group, and assign RBAC according to the policy. But it looks like it worked as the default reader role. RBAC is not working, so I can't create an app.

Screenshots

[screenshot 1]

[screenshot 2]

Version

v2.7.2+cbee7e6.dirty

Logs

I used the Helm chart.

OIDC values.yaml

configs:
  params:
    server.insecure: true

  secret:
    extra:
      oidc.azure.clientSecret: aaaaaaaaaaaaaaaaaaaaaaaaa

  cm:
    url: https://argocd.newjeans.life
    oidc.config: |
      name: Azure
      issuer: https://login.microsoftonline.com/785087ba-1e72-4e7d-b1d1-4a9639137a66/v2.0
      clientID: aaaaaaaaaaaaaaaaaaaaaaaaa
      clientSecret: $oidc.azure.clientSecret
      requestedIDTokenClaims:
        groups:
          essential: true
      requestedScopes:
        - openid
        - profile
        - email

  rbac:
    policy.default: 'role:readonly'
    policy.csv: |
      p, role:org-admin, applications, *, */*, allow
      p, role:org-admin, clusters, get, *, allow
      p, role:org-admin, repositories, get, *, allow
      p, role:org-admin, repositories, create, *, allow
      p, role:org-admin, repositories, update, *, allow
      p, role:org-admin, repositories, delete, *, allow
      p, role:org-admin, projects, *, *, allow
      g, "3decc637-662d-4e20-b6e4-b5df55b4a34d", role:org-admin

DEX values.yaml

configs:
  params:
    server.insecure: true

  cm:
    url: https://argocd.newjeans.life
    dex.config: |
      connectors:
      - type: microsoft
        id: microsoft
        name: myapp
        config:
          clientID: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
          clientSecret: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
          redirectURI: http://localhost:8080/api/dex/callback
          tenant: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
          groups:
            - bamidev

  rbac:
    policy.default: 'role:readonly'
    policy.csv: |
      p, role:org-admin, applications, *, */*, allow
      p, role:org-admin, clusters, get, *, allow
      p, role:org-admin, repositories, get, *, allow
      p, role:org-admin, repositories, create, *, allow
      p, role:org-admin, repositories, update, *, allow
      p, role:org-admin, repositories, delete, *, allow
      p, role:org-admin, projects, *, *, allow
      g, "3decc637-662d-4e20-b6e4-b5df55b4a34d", role:org-admin

OIDC app manifest

{
    "id": "2ac03445-58e3-41da-994e-eec5b02ff99a",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": null,
    "addIns": [],
    "allowPublicClient": null,
    "appId": "7c8a5031-cff5-4050-96e7-901e675306c4",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2023-05-17T23:43:30Z",
    "description": null,
    "certification": null,
    "disabledByMicrosoftStatus": null,
    "groupMembershipClaims": "ApplicationGroup",
    "identifierUris": [],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "argocdoidc",
    "notes": null,
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": {
        "idToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "accessToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "saml2Token": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ]
    },
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": null,
            "endDate": "2025-05-16T23:46:49.513Z",
            "keyId": "0e214400-930f-4188-8ca8-37d8902a447f",
            "startDate": "2023-05-17T23:46:49.513Z",
            "value": null,
            "createdOn": "2023-05-17T23:47:05.4399722Z",
            "hint": "MCU",
            "displayName": "sso"
        }
    ],
    "preAuthorizedApplications": [],
    "publisherDomain": "zenithn.com",
    "replyUrlsWithType": [
        {
            "url": "http://localhost:8085/auth/callback",
            "type": "InstalledClient"
        },
        {
            "url": "https://argocd.newjeans.life/auth/callback",
            "type": "Web"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADMyOrg",
    "tags": [],
    "tokenEncryptionKeyId": null
}

DEX app manifest

{
    "id": "fbf461b1-28cc-4c97-8e8e-f9c27829b862",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": null,
    "addIns": [],
    "allowPublicClient": null,
    "appId": "002ca0a1-8ca8-43e4-a15c-b37455001f85",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2023-05-18T04:12:42Z",
    "description": null,
    "certification": null,
    "disabledByMicrosoftStatus": null,
    "groupMembershipClaims": "ApplicationGroup",
    "identifierUris": [],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "argodex01",
    "notes": null,
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": {
        "idToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "accessToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "saml2Token": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ]
    },
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": null,
            "endDate": "2024-11-13T04:13:28.161Z",
            "keyId": "6cccd7d0-bee2-40e4-b76a-03acf321c8da",
            "startDate": "2023-05-18T04:13:28.161Z",
            "value": null,
            "createdOn": "2023-05-18T04:13:32.8804903Z",
            "hint": "IJV",
            "displayName": "sec"
        }
    ],
    "preAuthorizedApplications": [],
    "publisherDomain": "zenithn.com",
    "replyUrlsWithType": [
        {
            "url": "http://localhost:8000/api/dex/callback",
            "type": "InstalledClient"
        },
        {
            "url": "https://argocd.newjeans.life/api/dex/callback",
            "type": "Web"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADMyOrg",
    "tags": [],
    "tokenEncryptionKeyId": null
}

argocd pod log

time="2023-05-18T05:00:31Z" level=info msg="received unary call /project.ProjectService/Update" grpc.method=Update grpc.request.claims="{\"at_hash\":\"_jPPZr2zvM0BtRX2_4bXeA\",\"aud\":\"argo-cd\",\"c_hash\":\"pgcOfi1PGowF670GoJundA\",\"email\":\"cmlee@zenithn.com\",\"email_verified\":true,\"exp\":1684472416,\"iat\":1684386016,\"iss\":\"https://argocd.newjeans.life/api/dex\",\"name\":\"이창민\",\"sub\":\"CiRmYWVmMGIzMy1mZTg5LTQ1ZDktYmFmMi1mNDE5Yzk4ZTJiMjASCW1pY3Jvc29mdA\"}" grpc.request.content="project:<TypeMeta:<kind:\"\" apiVersion:\"\" > metadata:<name:\"asdfa\" generateName:\"\" namespace:\"argocd\" selfLink:\"\" uid:\"7c008e10-3c0d-4314-858e-3af4d3afde49\" resourceVersion:\"96298\" generation:1 creationTimestamp:<2023-05-18T04:59:14Z> clusterName:\"\" managedFields:<manager:\"argocd-server\" operation:\"Update\" apiVersion:\"argoproj.io/v1alpha1\" time:<2023-05-18T04:59:14Z> fieldsType:\"FieldsV1\" fieldsV1:<Raw:\"{\\\"f:spec\\\":{\\\".\\\":{},\\\"f:description\\\":{}},\\\"f:status\\\":{}}\" > subresource:\"\" > > spec:<description:\"sdfasfddd\" permitOnlyProjectScopedClusters:false > status:<> > " grpc.service=project.ProjectService grpc.start_time="2023-05-18T05:00:31Z" span.kind=server system=grpc
time="2023-05-18T05:00:31Z" level=warning msg="finished unary call with code PermissionDenied" error="rpc error: code = PermissionDenied desc = permission denied: projects, update, asdfa, sub: CiRmYWVmMGIzMy1mZTg5LTQ1ZDktYmFmMi1mNDE5Yzk4ZTJiMjASCW1pY3Jvc29mdA, iat: 2023-05-18T05:00:16Z" grpc.code=PermissionDenied grpc.method=Update grpc.service=project.ProjectService grpc.start_time="2023-05-18T05:00:31Z" grpc.time_ms=6.453 span.kind=server system=grpc
time="2023-05-18T05:00:31Z" level=info msg="received unary call /project.ProjectService/ListLinks" grpc.method=ListLinks grpc.request.claims="{\"at_hash\":\"_jPPZr2zvM0BtRX2_4bXeA\",\"aud\":\"argo-cd\",\"c_hash\":\"pgcOfi1PGowF670GoJundA\",\"email\":\"cmlee@zenithn.com\",\"email_verified\":true,\"exp\":1684472416,\"iat\":1684386016,\"iss\":\"https://argocd.newjeans.life/api/dex\",\"name\":\"이창민\",\"sub\":\"CiRmYWVmMGIzMy1mZTg5LTQ1ZDktYmFmMi1mNDE5Yzk4ZTJiMjASCW1pY3Jvc29mdA\"}" grpc.request.content="name:\"asdfa\" " grpc.service=project.ProjectService grpc.start_time="2023-05-18T05:00:31Z" span.kind=server system=grpc
time="2023-05-18T05:00:31Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=ListLinks grpc.service=project.ProjectService grpc.start_time="2023-05-18T05:00:31Z" grpc.time_ms=10.345 span.kind=server system=grpc
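The following is an added example, my own code and not Argo CD's, Dex's or the issue author's, that models the two setups above in Python. It treats policy.csv the way Argo CD's casbin model does, in simplified form (subjects are the `sub` claim and each `groups` entry, `g` lines grant roles, a request needs a matching allow and no matching deny, and `fnmatch` stands in for Argo CD's glob matching), and shows why the same `g` line works for the OIDC setup, where Azure AD puts group object IDs in the `groups` claim, and not for the Dex setup, where the microsoft connector returns display names by default. The claims are constructed, and the two extra group names are made up. It also decodes the `sub` in the PermissionDenied log line on the assumption that Dex encodes it as unpadded base64url of a protobuf message with user_id in field 1 and conn_id in field 2.

```python
"""Added example, not Argo CD's, Dex's or the issue author's code. Models how
Argo CD turns an SSO session's claims into policy.csv subjects, so you can see
which `g` lines can ever fire for the groups claim you actually receive: the
OIDC path gets Azure AD group object IDs in `groups`, while Dex's microsoft
connector returns display names unless groupNameFormat: id is set. Also decodes
Dex's opaque `sub` from the PermissionDenied log line (assumed encoding:
unpadded base64url of a protobuf IDTokenSubject{1: user_id, 2: conn_id})."""
import base64
import csv
import fnmatch
import io

# policy.csv exactly as posted in the issue
POLICY_CSV = """\
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, repositories, get, *, allow
p, role:org-admin, repositories, create, *, allow
p, role:org-admin, repositories, update, *, allow
p, role:org-admin, repositories, delete, *, allow
p, role:org-admin, projects, *, *, allow
g, "3decc637-662d-4e20-b6e4-b5df55b4a34d", role:org-admin
"""
# abbreviated excerpt of Argo CD's built-in policy behind policy.default
BUILTIN_READONLY = """\
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
"""
# one-line fix for the Dex path: map the display name Dex actually emits
FIX_FOR_DEX = "g, bamidev, role:org-admin\n"

# Constructed claims modelled on the issue's two setups (not real tokens).
OIDC_CLAIMS = {"sub": "constructed-azure-subject",
               "groups": ["3decc637-662d-4e20-b6e4-b5df55b4a34d"]}
DEX_CLAIMS = {"sub": "CiRmYWVmMGIzMy1mZTg5LTQ1ZDktYmFmMi1mNDE5Yzk4ZTJiMjASCW1pY3Jvc29mdA",
              "groups": ["bamidev", "All Staff", "VPN Users"]}  # last two made up


def parse_policy(text):
    """Split policy.csv into p rules and g rules. The csv module strips the
    quotes around the group ID just as casbin's CSV adapter does."""
    p_rules, g_rules = [], []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        fields = [f.strip() for f in row]
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "p":
            p_rules.append(tuple(fields[1:]))   # sub, res, act, obj, eft
        elif fields[0] == "g":
            g_rules.append(tuple(fields[1:]))   # member, role
    return p_rules, g_rules


def subjects(claims, g_rules):
    """Candidate subjects: `sub` plus every `groups` entry, expanded to the
    roles that g rules grant them (one level is all this policy needs)."""
    subs = {claims["sub"], *claims.get("groups", [])}
    return subs | {role for member, role in g_rules if member in subs}


def enforce(claims, policy_text, default_role, resource, action, obj):
    """Simplified casbin semantics as Argo CD configures them: allowed iff a
    matching p rule allows and no matching p rule denies."""
    p_rules, g_rules = parse_policy(policy_text)
    subs = subjects(claims, g_rules) | {default_role}
    effects = [eft for sub, res, act, o, eft in p_rules
               if sub in subs
               and fnmatch.fnmatchcase(resource, res)
               and fnmatch.fnmatchcase(action, act)
               and fnmatch.fnmatchcase(obj, o)]
    return "allow" in effects and "deny" not in effects


def dead_g_rules(claims, policy_text):
    """Members of g rules that never appear in this session's claims."""
    present = {claims["sub"], *claims.get("groups", [])}
    return [m for m, _ in parse_policy(policy_text)[1] if m not in present]


def decode_dex_subject(sub):
    """Decode Dex's `sub` (assumed: base64url, no padding, over a protobuf of
    two length-delimited strings, field 1 user_id and field 2 conn_id)."""
    raw = base64.urlsafe_b64decode(sub + "=" * (-len(sub) % 4))
    out, i = {}, 0
    while i < len(raw):
        tag, i = raw[i], i + 1
        if tag & 7 != 2:
            raise ValueError("unexpected wire type in Dex subject")
        length, shift = 0, 0                      # length is a varint
        while True:
            b, i = raw[i], i + 1
            length |= (b & 0x7F) << shift
            if not b & 0x80:
                break
            shift += 7
        out[tag >> 3], i = raw[i:i + length].decode(), i + length
    return {"user_id": out.get(1), "conn_id": out.get(2)}


if __name__ == "__main__":
    policy = POLICY_CSV + BUILTIN_READONLY
    req = ("projects", "update", "asdfa")          # the call denied in the log
    for label, claims, pol in [("OIDC", OIDC_CLAIMS, policy),
                               ("Dex", DEX_CLAIMS, policy),
                               ("Dex+fix", DEX_CLAIMS, policy + FIX_FOR_DEX)]:
        print(label, enforce(claims, pol, "role:readonly", *req), dead_g_rules(claims, pol))
    print("Dex sub:", decode_dex_subject(DEX_CLAIMS["sub"]))
```

`dead_g_rules` is the check to run first against the claims you see in the argocd-server log: any member it lists is a `g` line that cannot fire for that session, whatever the `p` rules say, which is exactly the state the Dex setup above is in when its `groups` claim carries display names and policy.csv carries an object ID.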
cpoyatos1 commented 11 months ago

Have you already found a solution? I'm currently having the same problem.

leelax22 commented 11 months ago

Have you already found a solution? I'm currently having the same problem.

Unfortunately not yet
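Added example, my own values.yaml and not the issue author's or the Argo CD docs': the Dex connector from the issue reworked so that the string Dex puts in the `groups` claim and the subject in the policy.csv `g` line are the same. In the Dex path the Azure AD token's claims are not what Argo CD sees: the microsoft connector looks group membership up through Microsoft Graph, so `groupMembershipClaims` and the optional claims in the app manifest have no effect here, and the app registration needs a Graph permission that lets it read the user's groups (the posted manifest carries only User.Read, e1fe6dd8-…; the Argo CD docs' Dex walkthrough grants Directory.Read.All with admin consent). Assumptions: the Dex bundled with Argo CD v2.7 supports the documented connector options `useGroupsAsWhitelist` and `groupNameFormat`, and the `groups` allowlist is compared in whichever format `groupNameFormat` selects. The appId and tenant ID are the ones that appear elsewhere in the issue. The client secret is moved into argocd-secret and referenced as `$<key>`, and `server.insecure: true` is dropped, since it turns off TLS on argocd-server and belongs only behind a TLS-terminating proxy.

```yaml
# Added example, not the issue author's values.yaml. Dex connector and RBAC
# aligned on group display names (Dex's default groupNameFormat), which is
# what the issue's `groups: [bamidev]` allowlist already uses.
configs:
  secret:
    extra:
      # keep the client secret in argocd-secret and reference it as $<key>
      dex.microsoft.clientSecret: "<client-secret>"

  cm:
    url: https://argocd.newjeans.life
    dex.config: |
      connectors:
      - type: microsoft
        id: microsoft
        name: myapp
        config:
          clientID: 002ca0a1-8ca8-43e4-a15c-b37455001f85   # appId of argodex01
          clientSecret: $dex.microsoft.clientSecret
          # must equal the Web reply URL registered on the app, not localhost
          redirectURI: https://argocd.newjeans.life/api/dex/callback
          tenant: 785087ba-1e72-4e7d-b1d1-4a9639137a66      # from the OIDC issuer
          # login requires membership in one of these ...
          groups:
            - bamidev
          # ... and only these are returned in the groups claim (assumed Dex
          # option; without it every group the user belongs to is returned)
          useGroupsAsWhitelist: true
          # 'name' (default) emits display names; 'id' emits object IDs, in
          # which case `groups` above must list the object ID as well
          groupNameFormat: name

  rbac:
    policy.default: 'role:readonly'
    policy.csv: |
      p, role:org-admin, applications, *, */*, allow
      p, role:org-admin, clusters, get, *, allow
      p, role:org-admin, repositories, get, *, allow
      p, role:org-admin, repositories, create, *, allow
      p, role:org-admin, repositories, update, *, allow
      p, role:org-admin, repositories, delete, *, allow
      p, role:org-admin, projects, *, *, allow
      # the subject must be the string Dex emits: the display name here ...
      g, bamidev, role:org-admin
      # ... or, with groupNameFormat: id, the object ID as in the OIDC setup:
      # g, "3decc637-662d-4e20-b6e4-b5df55b4a34d", role:org-admin
```

After applying it, confirm the result from the user-info page or the `grpc.request.claims` field in the argocd-server log rather than from the Azure portal: the `groups` array there should contain only `bamidev`, and only then will the `g` line match.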