argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

dex server: Failed to authenticate: response did not contain a AttributeStatement #4460

Closed ofirshtrull closed 4 years ago

ofirshtrull commented 4 years ago


Describe the bug

I am trying to connect Okta to my cluster via dex configuration.

To Reproduce

Below are the rbac-cm and argocd-cm:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  statusbadge.enabled: 'true'
  admin.enabled: 'true'
  url: https://argocd.foo.com
  dex.config: |
    logger:
      level: debug
      format: json
    connectors:
    - type: saml
      id: okta
      name: Okta
      config:
        ssoURL: https://bar.okta.com/app/foo-compony_argocd_1/asdfgwsedf/sso/saml
        caData: |
          LS0tL--fake--fake
        usernameAttr: name
        emailAttr: email
        groupsAttr: groups
---

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  scopes: '[email, group]'
  policy.default: role:readonly
  policy.csv: |
    p, role:okta-admin, applications, *, */*, allow
    p, role:okta-admin, clusters, get, *, allow
    p, role:okta-admin, repositories, get, *, allow
    p, role:okta-admin, repositories, create, *, allow
    p, role:okta-admin, repositories, update, *, allow
    p, role:okta-admin, repositories, delete, *, allow

    g, foo-company:*, role:okta-admin

On the Okta side, my IT guy configured it following https://argoproj.github.io/argo-cd/operator-manual/user-management/okta/

The first problem, from what I saw first, is a problem with the documentation: redirectURI: https://ui.argocd.yourorganization.net/api/dex/callback should not be in the documentation. When it is configured I am getting errors such as:

{"level":"error","msg":"Failed to parse authorization request: Unregistered redirect_uri (\"https://argocd.foo-compony.com/auth/callback\").","time":"2020-09-30T14:54:57Z"}

The second problem is that when I click login via Okta I get: Failed to authenticate: response did not contain a AttributeStatement

Expected behavior

I will log in to my cluster's UI


Version

argocd: v1.7.6+b04c25e

Logs

argocd-dex-server:

{"level":"error","msg":"Failed to authenticate: response did not contain a AttributeStatement","time":"2020-09-30T15:17:12Z"}
{"level":"error","msg":"Failed to authenticate: response did not contain a AttributeStatement","time":"2020-09-30T15:17:15Z"}

argocd-server:

time="2020-09-30T15:38:47Z" level=info msg="Performing authorization_code flow login: https://argocd.foo-compney.com/api/dex/auth?client_id=argo-cd&redirect_uri=https%3A%2F%2Fargocd.foo-compney.com%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups&state=ObEWmFSAit"                                                                                                            
time="2020-09-30T15:38:50Z" level=info msg="received unary call /version.VersionService/Version" grpc.method=Version grpc.request.claims=null grpc.request.content= grpc.service=version.VersionService grpc.start_time="2020-09-30T15:38:50Z" span.kind=server system=grpc                                                                                                                                     
time="2020-09-30T15:38:50Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Version grpc.service=version.VersionService grpc.start_time="2020-09-30T15:38:50Z" grpc.time_ms=0.151 span.kind=server system=grpc                                                                                                                                                                       
time="2020-09-30T15:38:50Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.method=Get grpc.request.claims=null grpc.request.content= grpc.service=cluster.SettingsService grpc.start_time="2020-09-30T15:38:50Z" span.kind=server system=grpc
time="2020-09-30T15:38:50Z" level=info msg="Ignore status for CustomResourceDefinitions"                                                                                                                
time="2020-09-30T15:38:50Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.start_time="2020-09-30T15:38:50Z" grpc.time_ms=0.768 span.kind=server system=grpc                                                                                                                                                                          
time="2020-09-30T15:38:50Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.method=Get grpc.request.claims=null grpc.request.content= grpc.service=cluster.SettingsService grpc.start_time="2020-09-30T15:38:50Z" span.kind=server system=grpc                                                                                                                                           
time="2020-09-30T15:38:50Z" level=info msg="Ignore status for CustomResourceDefinitions"                                                                                                                
time="2020-09-30T15:38:50Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.start_time="2020-09-30T15:38:50Z" grpc.time_ms=0.745 span.kind=server system=grpc                                                                                                                                                                          
time="2020-09-30T15:38:50Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.method=Get grpc.request.claims=null grpc.request.content= grpc.service=cluster.SettingsService grpc.start_time="2020-09-30T15:38:50Z" span.kind=server system=grpc                                                                                                                                           
time="2020-09-30T15:38:50Z" level=info msg="Ignore status for CustomResourceDefinitions"                                                                                                                
time="2020-09-30T15:38:50Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.start_time="2020-09-30T15:38:50Z" grpc.time_ms=0.763 span.kind=server system=grpc                                                                                                                                                                          
time="2020-09-30T15:38:50Z" level=info msg="received unary call /session.SessionService/GetUserInfo" grpc.method=GetUserInfo grpc.request.claims=null grpc.request.content= grpc.service=session.SessionService grpc.start_time="2020-09-30T15:38:50Z" span.kind=server system=grpc
time="2020-09-30T15:38:50Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=GetUserInfo grpc.service=session.SessionService grpc.start_time="2020-09-30T15:38:50Z" grpc.time_ms=0.449 span.kind=server system=grpc

ofirshtrull commented 4 years ago

And I forgot: logger: level: debug format: json doesn't enter DEBUG mode

jessesuen commented 4 years ago

Hi @ofirshtrull, I think you will need to get help from the dex community on this since the error is coming from dex.

ofirshtrull commented 4 years ago

Issue is closed, the IT guy who set up the Okta app missed some configurations

shashanklmurthy commented 4 years ago

> Issue is closed, the IT guy who set up the Okta app missed some configurations

Mind telling me what those configurations were?

I'm getting the exact same error 😭 !

ofirshtrull commented 4 years ago

@shashanklmurthy They didn't add groups to the application

mconigliaro commented 1 year ago

I got this error when using JumpCloud before I added any attributes under the SSO tab of my app. I guess JumpCloud doesn't send any attributes by default.
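
Added example (not part of the thread, and not dex or Argo CD code): both resolutions above came down to the IdP application sending no attributes, so this script inspects a captured base64 SAMLResponse form value and reports a missing AttributeStatement or missing attributes named by usernameAttr, emailAttr and groupsAttr in the connector config from the issue. The function names and sample responses are constructed for illustration; it assumes an unencrypted assertion and performs no signature validation.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names from the dex connector config posted in this issue.
REQUIRED = {"usernameAttr": "name", "emailAttr": "email", "groupsAttr": "groups"}


def check_saml_response(b64_response, required=REQUIRED):
    """List what is missing from a captured SAMLResponse (diagnostic only:
    no signature or condition checks, unencrypted assertions only)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion element in the response"]
    if not assertion.findall("saml:AttributeStatement", NS):
        return ["response did not contain a AttributeStatement"]
    sent = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        sent.setdefault(attr.get("Name", ""), []).extend(values)
    return [f"{key}: attribute {name!r} missing or empty, IdP sent {sorted(sent)}"
            for key, name in required.items() if not sent.get(name)]


def make_sample(attrs):
    """Build a constructed, unsigned sample response carrying the given attributes."""
    body = "".join(
        f'<saml:Attribute Name="{n}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vals)
        + "</saml:Attribute>" for n, vals in attrs.items())
    stmt = f"<saml:AttributeStatement>{body}</saml:AttributeStatement>" if attrs else ""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           '<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>'
           f"{stmt}</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # IdP app with no attributes configured (the case reported in this issue).
    print(check_saml_response(make_sample({})))
    # Attributes present but no groups attribute added to the application.
    print(check_saml_response(make_sample({"name": ["Ada"], "email": ["ada@example.com"]})))
```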