argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

OIDC: PKCE Incorrectly Uses Base Redirect URL for ArgoCD Hosted Under Custom Path #18045

Open ptr1120 opened 2 weeks ago

ptr1120 commented 2 weeks ago

Describe the bug

I'm hosting ArgoCD at a custom base path (mycompany.org/infra/argocd) and using Keycloak as an external IdP. The configuration functions as expected until I enable PKCE (Proof Key for Code Exchange). Specifically, when enablePKCEAuthentication is set to true in the argocd-cm config map, the ArgoCD frontend incorrectly uses window.location.origin as the redirect URL, as demonstrated in the getPKCERedirectURI function located in utils.ts.

To Reproduce

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  url: https://mycompany.org/infra/argocd/
  # Literal block scalar keeps the nested YAML line breaks intact
  oidc.config: |
    name: Keycloak
    issuer: https://<redacted>
    clientID: <redacted>
    clientSecret: $oidc.keycloak.clientSecret
    # PKCE flag is part of the OIDC settings
    enablePKCEAuthentication: true
    requestedScopes:
    - openid
    - profile
    - email
    - roles
    logoutURL: https://<redacted>/protocol/openid-connect/logout?redirect_uri={{logoutRedirectURL}}&id_token_hint={{token}}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cmd-params-cm
data:
  # ConfigMap data is a map of string keys to string values
  server.rootpath: /infra/argocd
  server.basehref: /infra/argocd
```

Expected behavior

ArgoCD should respect one of the configured parameters (server.rootpath, server.basehref, or url from the argocd-cm or argocd-cmd-params-cm config map) to determine the correct base URL for redirects.

Version

v2.11.0-rc3+20fd621

Marvin9 commented 2 weeks ago

So the expected redirect url should be https://mycompany.org/infra/argocd/pkce/verify instead of https://mycompany.org/pkce/verify?

ptr1120 commented 2 weeks ago

Exactly, it should be https://mycompany.org/infra/argocd/pkce/verify

Marvin9 commented 2 weeks ago

Thanks @ptr1120, normally if you navigate through pages, is that prefix /infra/argocd preserved in your browser URL?

ptr1120 commented 2 weeks ago

Yes @Marvin9, it is preserved in my browser URL, but window.location.origin seems to be only about the host part of the URL. See also image

Marvin9 commented 2 weeks ago

Alright, thanks. Then the only problem to solve is to discover the root URL in the browser, and then we can pass it to the function mentioned in the issue. I will look into this once I get time.

ptr1120 commented 2 weeks ago

thanks @Marvin9
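
The mismatch discussed in this thread, as an added example that is not part of the thread and not Argo CD's own code: it builds the PKCE callback once from the origin alone and once from the origin plus a base href, using the host and path quoted above. The function names are hypothetical, and passing the base href in as a string (rather than reading it from the page) is an assumption so the code runs outside a browser.

```javascript
// Added example, not Argo CD code. All function names are hypothetical.
const PKCE_CALLBACK = 'pkce/verify'; // callback path quoted in the thread

// Normalise a base href such as "/infra/argocd", "infra/argocd/" or "/"
// to a path with exactly one leading and one trailing slash.
function normalizeBaseHref(baseHref) {
    const segments = String(baseHref || '/')
        .split('/')
        .filter(s => s.length > 0);
    // Reject dot segments so the base cannot climb out of its prefix.
    if (segments.some(s => s === '.' || s === '..')) {
        throw new Error(`invalid base href: ${baseHref}`);
    }
    return segments.length ? `/${segments.join('/')}/` : '/';
}

// Behaviour reported in the issue: only scheme, host and port are used,
// so a deployment under a sub-path loses its prefix.
function redirectFromOrigin(origin) {
    return new URL(PKCE_CALLBACK, origin + '/').toString();
}

// Base-path aware variant: resolve the callback relative to origin + base.
function redirectFromBase(origin, baseHref) {
    const base = new URL(normalizeBaseHref(baseHref), origin);
    return new URL(PKCE_CALLBACK, base).toString();
}

// Compare both candidates against the redirect URI registered at the IdP
// (exact string comparison is assumed here).
function diagnose(origin, baseHref, registered) {
    const fromOrigin = redirectFromOrigin(origin);
    const fromBase = redirectFromBase(origin, baseHref);
    return {
        fromOrigin,
        fromBase,
        originMatches: fromOrigin === registered,
        baseMatches: fromBase === registered
    };
}

// Constructed sample values taken from the thread.
const report = diagnose('https://mycompany.org', '/infra/argocd',
    'https://mycompany.org/infra/argocd/pkce/verify');
console.log(report);
```
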