argoproj / argo-workflows

Workflow Engine for Kubernetes
https://argo-workflows.readthedocs.io/
Apache License 2.0
15.12k stars 3.21k forks

Auth0 sso integration makes `customGroupClaimName` and `userInfoPath` conflict #9786

Open ragnaros2046 opened 2 years ago

ragnaros2046 commented 2 years ago

What happened/what you expected to happen?

Auth0 forbids a Groups claim. There is an extension that can be used to add custom claims to the issued token.

https://auth0.com/docs/customize/extensions/authorization-extension/use-rules-with-the-authorization-extension#add-custom-claims-to-the-issued-token

Auth0 also requires calling /userinfo to get attributes like email and custom claims.

https://auth0.com/docs/api/authentication#get-user-info

These lead to `customGroupClaimName` and `userInfoPath` both needing to be set in the argo-workflows helm chart. `func HandleCallback` (from `server/auth/sso/sso.go`) will make groups always be nil.

Version

3.4.1, helm chart 0.20.1

```go
    // Default to groups claim but if customClaimName is set
    // extract groups based on that claim key
    groups := c.Groups
    if s.customClaimName != "" {
        groups, err = c.GetCustomGroup(s.customClaimName)
        if err != nil {
            w.WriteHeader(401)
            return
        }
    }

    // Some SSO implementations (Okta) require a call to
    // the OIDC user info path to get attributes like groups
    if s.userInfoPath != "" {
        groups, err = c.GetUserInfoGroups(oauth2Token.AccessToken, s.issuer, s.userInfoPath)
        if err != nil {
            w.WriteHeader(401)
            return
        }
    }
```

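As an added illustration (not code from argo-workflows or from the reporter), the Go model below reproduces the precedence problem quoted above with constructed Auth0-shaped documents: when both settings are enabled, the userinfo step overwrites the custom-claim groups with the result of reading a standard "groups" key that Auth0 never sets, so groups come back empty and any group-based RBAC mapping silently stops matching. It assumes, as the issue implies, that the userinfo lookup reads only the standard "groups" key; `resolveGroupsFallback` is one hypothetical alternative ordering, not the project's fix.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed Auth0-style documents: groups exist only under a namespaced custom claim, no standard "groups" key.
const (
	idTokenClaims = `{"sub":"auth0|123","https://example.com/groups":["admins","devs"]}`
	userInfoBody  = `{"sub":"auth0|123","email":"u@example.com","https://example.com/groups":["admins","devs"]}`
)

// groupsFromClaim reads a string-array claim by name; a missing or malformed claim yields nil.
func groupsFromClaim(doc, claim string) []string {
	var m map[string]json.RawMessage
	var g []string
	_ = json.Unmarshal([]byte(doc), &m) // on failure m stays nil and m[claim] is empty
	_ = json.Unmarshal(m[claim], &g)    // absent key: empty input, Unmarshal errors, g stays nil
	return g
}

// resolveGroupsOverwrite models the ordering quoted in the issue: the userinfo step
// replaces the custom-claim result and reads only the standard "groups" key.
func resolveGroupsOverwrite(customClaim, userInfoPath string) []string {
	groups := groupsFromClaim(idTokenClaims, "groups")
	if customClaim != "" {
		groups = groupsFromClaim(idTokenClaims, customClaim)
	}
	if userInfoPath != "" {
		groups = groupsFromClaim(userInfoBody, "groups")
	}
	return groups
}

// resolveGroupsFallback is a hypothetical alternative, not the project's code: it uses the
// custom claim name for userinfo too and keeps the earlier result when userinfo has none.
func resolveGroupsFallback(customClaim, userInfoPath string) []string {
	claim := "groups"
	if customClaim != "" {
		claim = customClaim
	}
	groups := groupsFromClaim(idTokenClaims, claim)
	if g := groupsFromClaim(userInfoBody, claim); userInfoPath != "" && len(g) > 0 {
		groups = g
	}
	return groups
}

func main() {
	fmt.Println(resolveGroupsOverwrite("https://example.com/groups", "/userinfo")) // []
	fmt.Println(resolveGroupsFallback("https://example.com/groups", "/userinfo"))  // [admins devs]
}
```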
stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If this is a mentoring request, please provide an update here. Thank you for your contributions.

archae0pteryx commented 1 month ago

I am running into this issue as well.

tooptoop4 commented 2 weeks ago

@ragnaros2046 @archae0pteryx are you willing to submit a PR?