Open Piroddi opened 3 years ago
Hi @Piroddi , did you ever find a work around for this issue ? I'm having the same issue.
Hi @duncan485, Currently running a fork of argoCD with a small code change to resolve the above. Hoping this issue can be acknowledged/triaged so that I can submit a PR.
@Piroddi Good to know, thanks ! fyi: as an alternative, I was able to work around this issue using the claimMapping option from Dex and setting the preferred_username as email claim.
dex.config: |
connectors:
- type: oidc
id: Azure
name: Azure
config:
issuer: "https://login.microsoftonline.com/<TENANT_ID>/v2.0"
clientID: <CLIENT_ID>
clientSecret: <CLIENT_SECRET>
redirectURI: https://<HOST>/api/dex/callback
insecureSkipEmailVerified: true
insecureEnableGroups: true
scopes:
- profile
- email
- openid
claimMapping:
email: preferred_username
@Piroddi Good to know, thanks ! fyi: as an alternative, I was able to work around this issue using the claimMapping option from Dex and setting the preferred_username as email claim.
dex.config: | connectors: - type: oidc id: Azure name: Azure config: issuer: "https://login.microsoftonline.com/<TENANT_ID>/v2.0" clientID: <CLIENT_ID> clientSecret: <CLIENT_SECRET> redirectURI: https://<HOST>/api/dex/callback insecureSkipEmailVerified: true insecureEnableGroups: true scopes: - profile - email - openid claimMapping: email: preferred_username
Thanks!!! This works for me!
Hello everyone, is there anyway of doing the same but not for dex? Already tried several different notations and it's not doing nothing. If we have this on the helm chart:
oidc.config: |
name: OIDC name
issuer: https://oidc.com url
clientID: $oidc-secret:oidc.clientID
clientSecret: $oidc-secret:oidc.clientSecret
requestedScopes: ["openid"]
The User Info
tab appears only with the issuer info with no username, but if the requestedScopes
are:
requestedScopes: ["openid","email","profile"]
The email appears on the username and the groups field
Even adding the following options to the configuration doesn't seem to be changing anything:
requestedScopes: ["profile","email","openid"]
userNameKey: sub
overrideClaimMapping: true
claimMapping:
email: sub
This was to use the userid
instead of the email in the User Name identification. Also tried with other fields returned by the jwt response but with no luck.
{
"grpc.method": "Watch",
"grpc.request.claims": '{"acr":"gas:strong","aud":"audience-id","auth_time":1678176969,"email":"email@domain","email_verified":true,"exp":1678206184,"family_name":"last name","given_name":"first name","iat":1678205284,"iss":"https://sso domain","jti":"audinzxxxxx","name":"Full name","pi.sri" :"random id","sub":"user id","updated_at":20220721}',
"grpc.request.content":
{ "resourceVersion": "247440034", "selector": "", "appNamespace": "" },
"grpc.service": "application.ApplicationService",
"grpc.start_time": "2023-03-07T16:08:06Z",
"level": "info",
"msg": "received streaming call /application.ApplicationService/Watch",
"span.kind": "server",
"system": "grpc",
"time": "2023-03-07T16:08:06Z",
}
As per the initial message the sub
field should have been used case it exists and revert to the email
only as a default.
Also cannot find anything regarding documentation for configuring this option, the examples that exist only have the scopes examples and nothing related to mappings of the claims. Also found some examples only for dex in the official pages.
Thanks for all the help
Just an update regarding the issue, If in the requested scopes the email field is there, it will be automatically be considered to be the Username field. I suppose that this is extracted from the OIDC response in this part of the code https://github.com/argoproj/argo-cd/blob/master/pkg/apiclient/session/session.pb.go#L229C1-L230C1
Everything matches except the username field does not exist, it exists the name field.
It's possible to show every field under the groups on ArgoCD by adding the following snippet on the argocd-rbac-cm
:
scopes: '[sub,name]'
This will show up like the following:
Also tried to map the claim like explained in the previous messages like the following with no success:
oidc.config: |
name: OIDC
issuer: https://xxxxx.com
clientID: $argocd-secret:oidc.clientID
clientSecret: $argocd-secret:oidc.clientSecret
requestedScopes: ["openid","profile"]
claimMapping:
username: name
This works in dex, but not when usingthe builtin ArgoCD oidc configuration, it should remap the name to the username used by ArgoCD on the UI (Also tried to invert the order with the same result).
Without this field every user interaction will appear empty on the applications (fyi we cannot use email field because not all users have one in the AD, that would prevent them from logging in but an ID everyone has one).
Thanks
- type: oidc id: Azure name: Azure config: issuer: "https://login.microsoftonline.com/
/v2.0" clientID: clientSecret: redirectURI: https:// /api/dex/callback insecureSkipEmailVerified: true insecureEnableGroups: true scopes:
- profile
- openid claimMapping: email: preferred_username
this indeed solves my Azure AD specific organization setup, when users don't have an email, but according to a colleague the DEX setup is not HA able.
I will love to see this PR accepted, looks to me pretty strait forward. and I can confirm it helps to fix the empty username issue.
Any news on this issue when configuring the OIDC? I want the username field to be a username instead of an email :(
Describe the bug
The default logic for setting up login through a 3rd party Identity provider maps the ArgoCD username from the email field of the JWT claim as seen in the code:
However with Microsoft active directory, not all accounts are associated with an email address and therefore even with an email requested scope, the email field is missing in the claim.
https://docs.microsoft.com/en-gb/azure/active-directory/develop/v2-permissions-and-consent#email
The following results in a successful login, however the username is unknown.
This is problematic since tracking and auditibility of activity on ArgoCD is not possible.
To Reproduce
Config oidc with Microsoft:
And login with user whose accounts have not been linked to an email address.
Expected behavior
The ability to configure the claim field that ArgoCD uses to map the username.
Screenshots
Version
v2.0.3