argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

oauth2: "invalid_client" "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)." #16043

Open mconigliaro opened 8 months ago

mconigliaro commented 8 months ago

Describe the bug

SSO authentication doesn't work in the CLI, but it works just fine in the web UI. Our identity provider is Jumpcloud.

To Reproduce

oidc.config:
  name: JumpCloud
  issuer: https://oauth.id.jumpcloud.com/
  clientID: REDACTED
  clientSecret: REDACTED
dex:
  enabled: false

$ argocd login REDACTED --grpc-web --sso
Opening browser for authentication
Performing authorization_code flow login: https://oauth.id.jumpcloud.com/oauth2/auth?access_type=offline&client_id=REDACTED&code_challenge=Pn8Qe1URVDoBNW9g6hQVttT_cIaDRNl09aVsYwVk8ek&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups+offline_access&state=dhgljZvoVBWnyXEluhWMySFX
FATA[0003] oauth2: "invalid_client" "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)."

Version

argocd: v2.8.4+c279299.dirty
  BuildDate: 2023-09-13T22:00:14Z
  GitCommit: c27929928104dc37b937764baf65f38b78930e59
  GitTreeState: dirty
  GoVersion: go1.21.1
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v2.8.4+c279299
  BuildDate: 2023-09-13T19:12:09Z
  GitCommit: c27929928104dc37b937764baf65f38b78930e59
  GitTreeState: clean
  GoVersion: go1.20.6
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v5.1.0 2023-06-19T16:58:18Z
  Helm Version: v3.12.1+gf32a527
  Kubectl Version: v0.24.2
  Jsonnet Version: v0.20.0

patrickshan commented 8 months ago

We are having similar issues with argocd cli sso login using Okta:

oauth2: "invalid_client" "Client authentication failed. Either the client or the client credentials are invalid."

I did add cliClientID into the argocd-cm configuration which is the same as clientID as we are sharing the same APP for both web browser login and argocd command line cli login.

argocd cli version: 2.8.5
argocd server version: 2.8.5

mconigliaro commented 8 months ago

I also tried setting cliClientID, but it didn't help. If the docs are correct, it defaults to the value of clientID anyway, so there's no point in doing that if the web UI and the CLI share the same IDP app. Out of desperation, I tried creating a dedicated IDP app for the CLI (so clientID and cliClientID could be different), but that didn't help either.

b8kings0ga commented 6 months ago

having the same issue right now

alexlokshin-czi commented 5 months ago

Same problem here!

patrickshan commented 5 months ago

Just tested with the latest v2.9.5 release and the same issue still exists.

llavaud commented 4 months ago

same problem here with latest v2.10.1 version

fcrespofastly commented 4 months ago

Same problem with latest

TheDevMinerTV commented 3 months ago

Same issue here happening when using Authentik as our IdP.

dothinh316 commented 1 week ago

same issue here with okta

zentavr commented 5 days ago

Had it been resolved for 9 months so far??

zentavr commented 5 days ago

Someone had it working here: https://github.com/argoproj/argo-cd/issues/12124#issuecomment-1717865942

zentavr commented 4 days ago

The solution for Keycloak is here: https://github.com/argoproj/argo-cd/issues/12124#issuecomment-2204914627

dothinh316 commented 4 days ago

> Someone had it working here: #12124 (comment)

Thank you! This was helpful and worked!

zentavr commented 4 days ago

@alexmt probably this should be added to the docs and the case could be closed

llavaud commented 4 days ago

I have the same problem with Jumpcloud IdP, I am not sure about the config I need to set with Jumpcloud

santiagon610 commented 2 days ago

> I have the same problem with Jumpcloud IdP, I am not sure about the config I need to set with Jumpcloud

@llavaud - This is what I'm using in my values file with Jumpcloud as an IdP, hopefully it works for you with appropriate tweaking:

  configs:
    cm:
      create: true
      oidc.config: |
          name: "Jumpcloud"
          issuer: "https://oauth.id.jumpcloud.com/"
          clientID: "MY_JUMPCLOUD_CLIENT_ID"
          clientSecret: "MY_JUMPCLOUD_CLIENT_SECRET"
          requestedScopes:
            - openid
            - email
            - profile
            - groups
    rbac:
      create: true
      scopes: "[groups]"
      policy.csv: |
        p, role:clusterAdmin, *, *, *, allow
        p, role:noPerms, *, *, *, deny
        g, MY_JUMPCLOUD_ADMIN_GROUP, role:clusterAdmin
        g, MY_JUMPCLOUD_READONLY_GROUP, role:readonly

In Jumpcloud, I have the following as an authorized redirect URI: https://MY-ARGOCD-FQDN/auth/callback, and am including the group attribute of groups.

Hope this helps!