Open GeorgiYosifov opened 1 year ago
I believe the revoked-token Redis key refers to Argo CD-issued tokens and does not currently support OIDC tokens.
I'd definitely love to support proper invalidation of OIDC tokens.
I did also find that the "admin:login" token does not have an "Expiration time" check. Fixed it in the PR.
@crenshaw-dev please review PR https://github.com/argoproj/argo-cd/pull/15004.
Describe the bug
I have configured ArgoCD with OIDC authentication. On each login my IDP provides a new JWT token and ArgoCD sets it in the cookies. On logout ArgoCD removes it from the cookies and requests the IDP to revoke the current JWT token, but if I have already saved the token and add it to the cookie storage manually, I can log in to the ArgoCD UI without problem, because ArgoCD does not verify that the current token is already revoked and added to the Redis list "revoked-token|...jti..." or just request the IDP and see that the token is already revoked.
Expected behavior
I expect ArgoCD to check on each request, if needed, whether the JWT token is revoked or not. Also the request's response status should be "unauthenticated" (401) or "ok" (200) accordingly.
Version
v2.7.1+5e54351.dirty. Maybe it can occur on lower or higher versions; I will continue to look at the code and see if there is a resolution of this issue. Hope for information if I have missed something!
Logs
Successfully retrieving ArgoCD data with a revoked JWT token from the IDP.
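The per-request check the report asks for, written as an added Go example that is not Argo CD's own code: a signed token is verified, rejected when `exp` is missing or passed (the gap noted for the admin:login token), then looked up by `jti` against a map standing in for the Redis "revoked-token|...jti..." keys, and the request is mapped to 200 or 401. HS256 signing with a shared secret, the `authorize`/`revoke`/`sign` names and the constructed tokens are assumptions for the demo, not the IDP flow.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
	"time"
)

var revoked = map[string]bool{} // Redis stand-in; keys follow the report's "revoked-token|<jti>" pattern
func revoke(jti string) { revoked["revoked-token|"+jti] = true }

type claims struct {
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}
func hs256(input, secret string) []byte {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(input))
	return mac.Sum(nil)
}
// authorize maps a bearer token to the status the request should get: 200, or 401 plus a reason.
func authorize(token, secret string, now time.Time) (int, string) {
	parts := strings.Split(token, ".")
	sig, err := base64.RawURLEncoding.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], secret)) {
		return 401, "bad signature" // verify before trusting any claim
	}
	var c claims
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return 401, "bad payload"
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return 401, "missing or passed exp" // the check the admin:login token lacked
	}
	if revoked["revoked-token|"+c.Jti] {
		return 401, "token revoked" // the check the report asks for on every request
	}
	return 200, "ok"
}

// sign mints an HS256 token for the demo: constructed test data, not an IDP-issued token.
func sign(c claims, secret string) string {
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	return input + "." + base64.RawURLEncoding.EncodeToString(hs256(input, secret))
}
```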