argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Add domain_hint option in oidc configuration #18066

Open bhargavn-github opened 2 weeks ago

bhargavn-github commented 2 weeks ago

Summary

We are using Azure Active Directory (AAD) for authentication and authorization. We have integrated Argo CD with Azure AD using oidc config (sample config below without values):

```yaml
oidc.config:
  name: Azure
  issuer: https://login.microsoftonline.com/
  clientID:
  clientSecret:
  allowedAudiences:
  requestedScopes:
    - openid
```

As we have multiple domains, each time a user tries to log in, they need to select a domain before the login process continues. This creates some confusion for users about which account to select for which application.

Motivation

As we have multiple domains, each time a user tries to log in to Argo CD, they need to select a domain before the login process continues. This creates some confusion for users about which account to select for which application. The estimated impact of this issue is a loss of approximately 15 seconds each time a user opens a different application, which happens 15 to 20 times per day depending on the profile. We would like to improve this user experience.

Proposal

To solve this issue, we have found an option in Azure: if we send domain_hint with the authentication request, the login process becomes seamless, as the right account is picked automatically. We request support for this domain_hint option in Argo CD.

```yaml
oidc.config: |
  name: Azure
  issuer: https://login.microsoftonline.com/
  domain_hint: abc..net
  requestedScopes:
```

References: This is already supported in dex: https://github.com/dexidp/dex/pull/2586

Documentation from Azure - https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#send-the-sign-in-request

domain_hint - The realm of the user in a federated directory. This skips the email-based discovery process that the user goes through on the sign-in page, for a slightly more streamlined user experience. For tenants that are federated through an on-premises directory like AD FS, this often results in a seamless sign-in because of the existing login session.

nikzayn commented 5 days ago

@bhargavn-github, I would like to take this up. Thanks!!

/assign

nikzayn commented 5 days ago

Can someone help me here? I have updated the OIDCConfig; after that, should I run make protogen, and then update the changes in login.go, where I need to add the domainhint check, right?
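As an added illustration (not Argo CD's code, and not code posted by anyone in this thread) of both the Proposal above and the wiring question in the last comment, the following Go program shows what the change amounts to end to end: a new `domain_hint` key on the config struct, a config-time validity check on its value, and the login handler appending it to the OIDC authorization request only when it is set. The `OIDCConfig` type, its `DomainHint` and `AuthEndpoint` fields, `ValidDomainHint`, `AuthCodeURL` and `DomainHintOf` are all assumed names invented for this example, and the tenant ID, client ID, redirect URL and hint value are constructed placeholders; the real `AuthEndpoint` would come from `<issuer>/.well-known/openid-configuration`, which is not fetched here so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// OIDCConfig is a hypothetical, trimmed-down stand-in for the oidc.config block
// in the issue. DomainHint is the proposed new key; the other fields mirror keys
// the issue already shows. AuthEndpoint is normally discovered from
// <issuer>/.well-known/openid-configuration and is set directly here (offline).
type OIDCConfig struct {
	Name            string
	Issuer          string
	ClientID        string
	RedirectURL     string
	RequestedScopes []string
	AuthEndpoint    string
	DomainHint      string // hypothetical: sent as the domain_hint query parameter
}

// domainLabel matches one DNS label: letters, digits, inner hyphens, at most 63 chars.
var domainLabel = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// ValidDomainHint is a config-load sanity check. domain_hint is an operator-supplied
// realm name, so a typo such as "abc..net" should be rejected when the config is
// loaded rather than silently sent to the identity provider on every login.
func ValidDomainHint(hint string) bool {
	if hint == "" || len(hint) > 253 {
		return false
	}
	for _, label := range strings.Split(hint, ".") {
		if !domainLabel.MatchString(label) {
			return false
		}
	}
	return true
}

// AuthCodeURL builds the authorization-code request the login handler redirects the
// browser to. domain_hint is appended only when configured, so configs without the
// new key produce exactly the URL they produced before.
func AuthCodeURL(cfg OIDCConfig, state, nonce string) (string, error) {
	if cfg.DomainHint != "" && !ValidDomainHint(cfg.DomainHint) {
		return "", errors.New("oidc.config: domain_hint is not a valid domain name")
	}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", cfg.ClientID)
	q.Set("redirect_uri", cfg.RedirectURL)
	q.Set("scope", strings.Join(cfg.RequestedScopes, " "))
	q.Set("state", state)
	q.Set("nonce", nonce)
	if cfg.DomainHint != "" {
		q.Set("domain_hint", cfg.DomainHint)
	}
	return cfg.AuthEndpoint + "?" + q.Encode(), nil
}

// DomainHintOf returns the domain_hint carried by an authorization request URL,
// or "" when the parameter is absent; useful in a unit test of the login handler.
func DomainHintOf(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	return u.Query().Get("domain_hint"), nil
}

func main() {
	// Constructed sample config; every value below is a placeholder.
	cfg := OIDCConfig{
		Name:            "Azure",
		Issuer:          "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
		ClientID:        "example-client-id",
		RedirectURL:     "https://argocd.example.internal/auth/callback",
		RequestedScopes: []string{"openid"},
		AuthEndpoint:    "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize",
		DomainHint:      "abc.example.net",
	}
	u, err := AuthCodeURL(cfg, "state-123", "nonce-456")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(u)
}
```

If the real login path builds the redirect with golang.org/x/oauth2, the equivalent of the `if cfg.DomainHint != ""` branch is passing `oauth2.SetAuthURLParam("domain_hint", cfg.DomainHint)` as an extra option to `Config.AuthCodeURL`. Two caveats worth keeping in mind when reviewing such a change: domain_hint only steers the sign-in page, so the issuer, allowedAudiences and ID token validation remain the controls that decide which tenant's users are accepted; and the value should come from the operator's config only, never from anything in the incoming login request, since a caller-controlled hint would let a user redirect their own sign-in to a realm the operator did not intend.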