argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

FATA[0003] no id_token in token response #5223

Open larsrnielsen opened 3 years ago

larsrnielsen commented 3 years ago

AWS environment, with AWS SSO-provided authentication. I am no longer able to use the argocd CLI for administration.

argocd: v1.8.2+94017f2.dirty
  BuildDate: 2021-01-10T06:49:46Z
  GitCommit: 94017f2c8d97588d4aa2213713a71d51005ed62d
  GitTreeState: dirty
  GoVersion: go1.15.6
  Compiler: gc
  Platform: darwin/amd64

argo server:

  Containers:
   server:
    Image:      argoproj/argocd:v1.8.2

❯ argocd login localhost --port-forward --port-forward-namespace argo-cd --sso
Authentication successful
'Lars Nielsen' logged in successfully
Context 'port-forward' updated
❯ argocd app list --port-forward --port-forward-namespace argo-cd
FATA[0003] no id_token in token response

jannfis commented 3 years ago

Hi @larsrnielsen - is this a regression, i.e. has it worked with v1.8.1?

jannfis commented 3 years ago

Also, I see that your argocd CLI is custom-built. Does it happen with the release CLI as well?

jessesuen commented 3 years ago

If it regressed, could be related to jwt-go regression (alex is fixing one problem there already).

larsrnielsen commented 3 years ago

> Hi @larsrnielsen - is this a regression, i.e. has it worked with v1.8.1?

It used to work with a 1.7 version, I cannot remember which 1.7 version. I am on a Mac (latest OS), so I use brew install argocd for installation. I am actually not aware that it builds the code during installation; I haven't had any intention of doing so, at least. I did a brew uninstall argocd; brew install argocd; argocd version, which gave me again:

argocd: v1.8.2+94017f2.dirty
  BuildDate: 2021-01-10T06:49:46Z
  GitCommit: 94017f2c8d97588d4aa2213713a71d51005ed62d
  GitTreeState: dirty
  GoVersion: go1.15.6
  Compiler: gc
  Platform: darwin/amd64

jannfis commented 3 years ago

At least with GitHub SSO using Dex, I cannot reproduce this issue on a fresh install:

argocd: v1.8.2+94017f2
  BuildDate: 2021-01-10T05:39:30Z
  GitCommit: 94017f2c8d97588d4aa2213713a71d51005ed62d
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: linux/amd64
argocd-server: v1.8.2+94017f2
  BuildDate: 2021-01-10T05:40:54Z
  GitCommit: 94017f2c8d97588d4aa2213713a71d51005ed62d
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: v3.8.1 2020-07-16T00:58:46Z
  Helm Version: v3.4.1+gc4e7485
  Kubectl Version: v1.17.8
  Jsonnet Version: v0.17.0

$ argocd login --port-forward --port-forward-namespace argocd --sso
Opening browser for authentication
Performing authorization_code flow login: <redacted>
Authentication successful
<redacted> logged in successfully
Context 'port-forward' updated
$ argocd --port-forward --port-forward-namespace argocd app list
NAME  CLUSTER  NAMESPACE  PROJECT  STATUS  HEALTH  SYNCPOLICY  CONDITIONS  REPO  PATH  TARGET
$ argocd --port-forward --port-forward-namespace argocd account get-user-info
Logged In: true
Username: <redacted>
Issuer: https://192.168.254.100/api/dex
Groups: <redacted>

But I would assume that AWS SSO uses direct OIDC, not Dex, correct?

larsrnielsen commented 3 years ago

> But I would assume that AWS SSO uses direct OIDC, not Dex, correct?

Correct. I will try with a version of argocd that is not installed via Brew. Maybe Brew is installing a version that doesn't work.

larsrnielsen commented 3 years ago

I uninstalled the argocd that was installed via Brew and then installed https://github.com/argoproj/argo-cd/releases/download/v1.8.3/argocd-darwin-amd64. Same issue, as you can see below:

./argocd version
argocd: v1.8.3+0f9c684
  BuildDate: 2021-01-21T22:21:47Z
  GitCommit: 0f9c68427882bf4633d395cbfcd7c9271795fd9b
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: darwin/amd64

argocd login localhost --port-forward --port-forward-namespace argo-cd --sso
Opening browser for authentication
INFO[0002] RequestedClaims: map[groups:essential:true ]
Performing authorization_code flow login: https://login.windows.net/<redacted>

Authentication successful
'Lars Nielsen' logged in successfully
Context 'port-forward' updated
❯ argocd app list --port-forward --port-forward-namespace argo-cd
FATA[0002] no id_token in token response

Testing with 1.7.9 client: (https://github.com/argoproj/argo-cd/releases/download/v1.7.9/argocd-darwin-amd64)

 argocd-darwin-amd64 login localhost --port-forward --port-forward-namespace argo-cd --sso
Opening browser for authentication
INFO[0002] RequestedClaims: map[groups:essential:true ]
Performing authorization_code flow login: https://login.windows.net/<redacted>
Authentication successful
'Lars Nielsen' logged in successfully
Context 'port-forward' updated
❯ argocd-darwin-amd64 app list --port-forward --port-forward-namespace argo-cd
NAME                                          CLUSTER                         NAMESPACE            PROJECT      STATUS  HEALTH   SYNCPOLICY  CONDITIONS               REPO                                                  PATH
...

So, it fails with 1.8.x clients and works with 1.7.x clients.

jannfis commented 3 years ago

Thank you very much for validating with a release CLI @larsrnielsen!

I will have to find a way to reproduce this by setting up an OIDC provider somewhere.

bh-tt commented 2 years ago

I just ran into this, have you tried adding the openid scope to the requestedScopes in oidc.config? That fixed it for me.
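The scope dependency bh-tt points at is the same one OpenID Connect Core defines: a provider's token endpoint returns an id_token only when the authorization request carried the openid scope, so a requestedScopes list that leaves it out gets a plain OAuth 2.0 response back and a client that insists on the ID token fails. The Go program below is an added example, not Argo CD's or the CLI's own code, and the provider, client_id and token values in it are constructed placeholders: it stands up a minimal fake OIDC provider in-process, runs the authorization_code flow twice, once without and once with openid, and shows the second leg of the flow producing the "no id_token in token response" error only in the first case.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// tokenResponse models the token endpoint fields that matter here (RFC 6749 5.1,
// OpenID Connect Core 3.1.3.3). id_token is present only for OIDC requests.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	IDToken     string `json:"id_token,omitempty"`
}

// ErrNoIDToken mirrors the message the CLI prints in the thread above.
var ErrNoIDToken = errors.New("no id_token in token response")

// ExtractIDToken decodes a token endpoint body and returns its id_token, or
// ErrNoIDToken when the provider left the field out.
func ExtractIDToken(body []byte) (string, error) {
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return "", fmt.Errorf("decode token response: %w", err)
	}
	if tr.IDToken == "" {
		return "", ErrNoIDToken
	}
	return tr.IDToken, nil
}

// NewFakeProvider starts a constructed, hypothetical OIDC provider (not AWS SSO, not
// Dex). /authorize issues a code and remembers the scopes requested with it; /token
// redeems the code and includes id_token only if "openid" was among those scopes,
// which is how a spec-conforming provider behaves.
func NewFakeProvider() *httptest.Server {
	var mu sync.Mutex
	codes := map[string][]string{}
	mux := http.NewServeMux()
	mux.HandleFunc("/authorize", func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		code := fmt.Sprintf("code-%d", len(codes)+1)
		codes[code] = strings.Fields(r.URL.Query().Get("scope"))
		// A real provider redirects the browser to redirect_uri?code=...; the fake
		// returns the code in the body so the flow runs without a browser.
		fmt.Fprint(w, code)
	})
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil || r.PostForm.Get("grant_type") != "authorization_code" {
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
			return
		}
		mu.Lock()
		scopes, ok := codes[r.PostForm.Get("code")]
		mu.Unlock()
		if !ok {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		resp := tokenResponse{AccessToken: "constructed-access-token", TokenType: "Bearer"}
		for _, s := range scopes {
			if s == "openid" {
				resp.IDToken = "constructed.id.token" // placeholder, not a real JWT
			}
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(resp)
	})
	return httptest.NewServer(mux)
}

// Login runs the authorization_code flow against providerURL with the given scopes
// and returns the id_token, or ErrNoIDToken when the provider omitted it.
func Login(providerURL string, scopes []string) (string, error) {
	q := url.Values{"response_type": {"code"}, "client_id": {"argo-cd"}, "scope": {strings.Join(scopes, " ")}}
	resp, err := http.Get(providerURL + "/authorize?" + q.Encode())
	if err != nil {
		return "", err
	}
	code, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return "", err
	}
	form := url.Values{"grant_type": {"authorization_code"}, "code": {string(code)}, "client_id": {"argo-cd"}}
	tresp, err := http.PostForm(providerURL+"/token", form)
	if err != nil {
		return "", err
	}
	defer tresp.Body.Close()
	body, err := io.ReadAll(tresp.Body)
	if err != nil {
		return "", err
	}
	if tresp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %d: %s", tresp.StatusCode, body)
	}
	return ExtractIDToken(body)
}

func main() {
	srv := NewFakeProvider()
	defer srv.Close()
	_, err := Login(srv.URL, []string{"profile", "email", "groups"}) // openid missing
	fmt.Println("without openid:", err)
	tok, err := Login(srv.URL, []string{"openid", "profile", "email", "groups"})
	fmt.Println("with openid:", tok, err)
}
```

The practical check on an Argo CD install is the one bh-tt gives: if oidc.config in the argocd-cm ConfigMap sets requestedScopes, make sure that list contains openid, since a custom list replaces the defaults rather than extending them. The fake provider is deliberately strict about this; real providers vary, which is why the same Argo CD server can work with one IdP and fail with another.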