Azure AD App Registration Auth using Dex not working. #13641

Open
leelax22 opened this issue May 18, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@leelax22
Checklist:

  • [O] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • [O] I've included steps to reproduce the bug.
  • [O] I've pasted the output of argocd version.

Describe the bug

https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/#azure-ad-app-registration-auth-using-dex

I followed this link to test integrating Azure AD with Argocd login.

For #3, Azure AD App Registration Auth using Dex, it says to follow the same steps as in step 2 with different configurations.

Authentication via OIDC and RBAC worked fine with step 2.

In step 2, the user info showed the group I specified as the SSO target.
However, when I follow step 3, it shows all the tenant groups that I belong to, not the group that I targeted for SSO.

The target group registered in the enterprise app is the same for both.

To Reproduce

Expected behavior

Sign in with a user account that belongs to the SSO target group, and assign RBAC according to the policy.
But it looks like it worked as the default reader role. RBAC is not working, so I can't create an app.

Screenshots

[two screenshots attached to the issue, not captured here]

Version

v2.7.2+cbee7e6.dirty

Logs

I used the Helm chart.

OIDC values.yaml

configs:
  params:
    server.insecure: true

  secret:
    extra:
      oidc.azure.clientSecret: aaaaaaaaaaaaaaaaaaaaaaaaa

  cm:
    url: https://argocd.newjeans.life
    oidc.config: |
      name: Azure
      issuer: https://login.microsoftonline.com/785087ba-1e72-4e7d-b1d1-4a9639137a66/v2.0
      clientID: aaaaaaaaaaaaaaaaaaaaaaaaa
      clientSecret: $oidc.azure.clientSecret
      requestedIDTokenClaims:
        groups:
          essential: true
      requestedScopes:
        - openid
        - profile
        - email

  rbac:
    policy.default: 'role:readonly'
    policy.csv: |
      p, role:org-admin, applications, *, */*, allow
      p, role:org-admin, clusters, get, *, allow
      p, role:org-admin, repositories, get, *, allow
      p, role:org-admin, repositories, create, *, allow
      p, role:org-admin, repositories, update, *, allow
      p, role:org-admin, repositories, delete, *, allow
      p, role:org-admin, projects, *, *, allow
      g, "3decc637-662d-4e20-b6e4-b5df55b4a34d", role:org-admin


DEX values.yaml

configs:
  params:
    server.insecure: true

  cm:
    url: https://argocd.newjeans.life
    dex.config: |
      connectors:
      - type: microsoft
        id: microsoft
        name: myapp
        config:
          clientID: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
          clientSecret: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
          redirectURI: http://localhost:8080/api/dex/callback
          tenant: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
          groups:
            - bamidev

  rbac:
    policy.default: 'role:readonly'
    policy.csv: |
      p, role:org-admin, applications, *, */*, allow
      p, role:org-admin, clusters, get, *, allow
      p, role:org-admin, repositories, get, *, allow
      p, role:org-admin, repositories, create, *, allow
      p, role:org-admin, repositories, update, *, allow
      p, role:org-admin, repositories, delete, *, allow
      p, role:org-admin, projects, *, *, allow
      g, "3decc637-662d-4e20-b6e4-b5df55b4a34d", role:org-admin

OIDC app manifest

{
	"id": "2ac03445-58e3-41da-994e-eec5b02ff99a",
	"acceptMappedClaims": null,
	"accessTokenAcceptedVersion": null,
	"addIns": [],
	"allowPublicClient": null,
	"appId": "7c8a5031-cff5-4050-96e7-901e675306c4",
	"appRoles": [],
	"oauth2AllowUrlPathMatching": false,
	"createdDateTime": "2023-05-17T23:43:30Z",
	"description": null,
	"certification": null,
	"disabledByMicrosoftStatus": null,
	"groupMembershipClaims": "ApplicationGroup",
	"identifierUris": [],
	"informationalUrls": {
		"termsOfService": null,
		"support": null,
		"privacy": null,
		"marketing": null
	},
	"keyCredentials": [],
	"knownClientApplications": [],
	"logoUrl": null,
	"logoutUrl": null,
	"name": "argocdoidc",
	"notes": null,
	"oauth2AllowIdTokenImplicitFlow": false,
	"oauth2AllowImplicitFlow": false,
	"oauth2Permissions": [],
	"oauth2RequirePostResponse": false,
	"optionalClaims": {
		"idToken": [
			{
				"name": "groups",
				"source": null,
				"essential": false,
				"additionalProperties": []
			}
		],
		"accessToken": [
			{
				"name": "groups",
				"source": null,
				"essential": false,
				"additionalProperties": []
			}
		],
		"saml2Token": [
			{
				"name": "groups",
				"source": null,
				"essential": false,
				"additionalProperties": []
			}
		]
	},
	"orgRestrictions": [],
	"parentalControlSettings": {
		"countriesBlockedForMinors": [],
		"legalAgeGroupRule": "Allow"
	},
	"passwordCredentials": [
		{
			"customKeyIdentifier": null,
			"endDate": "2025-05-16T23:46:49.513Z",
			"keyId": "0e214400-930f-4188-8ca8-37d8902a447f",
			"startDate": "2023-05-17T23:46:49.513Z",
			"value": null,
			"createdOn": "2023-05-17T23:47:05.4399722Z",
			"hint": "MCU",
			"displayName": "sso"
		}
	],
	"preAuthorizedApplications": [],
	"publisherDomain": "zenithn.com",
	"replyUrlsWithType": [
		{
			"url": "http://localhost:8085/auth/callback",
			"type": "InstalledClient"
		},
		{
			"url": "https://argocd.newjeans.life/auth/callback",
			"type": "Web"
		}
	],
	"requiredResourceAccess": [
		{
			"resourceAppId": "00000003-0000-0000-c000-000000000000",
			"resourceAccess": [
				{
					"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
					"type": "Scope"
				}
			]
		}
	],
	"samlMetadataUrl": null,
	"signInUrl": null,
	"signInAudience": "AzureADMyOrg",
	"tags": [],
	"tokenEncryptionKeyId": null
}

DEX app manifest

{
	"id": "fbf461b1-28cc-4c97-8e8e-f9c27829b862",
	"acceptMappedClaims": null,
	"accessTokenAcceptedVersion": null,
	"addIns": [],
	"allowPublicClient": null,
	"appId": "002ca0a1-8ca8-43e4-a15c-b37455001f85",
	"appRoles": [],
	"oauth2AllowUrlPathMatching": false,
	"createdDateTime": "2023-05-18T04:12:42Z",
	"description": null,
	"certification": null,
	"disabledByMicrosoftStatus": null,
	"groupMembershipClaims": "ApplicationGroup",
	"identifierUris": [],
	"informationalUrls": {
		"termsOfService": null,
		"support": null,
		"privacy": null,
		"marketing": null
	},
	"keyCredentials": [],
	"knownClientApplications": [],
	"logoUrl": null,
	"logoutUrl": null,
	"name": "argodex01",
	"notes": null,
	"oauth2AllowIdTokenImplicitFlow": false,
	"oauth2AllowImplicitFlow": false,
	"oauth2Permissions": [],
	"oauth2RequirePostResponse": false,
	"optionalClaims": {
		"idToken": [
			{
				"name": "groups",
				"source": null,
				"essential": false,
				"additionalProperties": []
			}
		],
		"accessToken": [
			{
				"name": "groups",
				"source": null,
				"essential": false,
				"additionalProperties": []
			}
		],
		"saml2Token": [
			{
				"name": "groups",
				"source": null,
				"essential": false,
				"additionalProperties": []
			}
		]
	},
	"orgRestrictions": [],
	"parentalControlSettings": {
		"countriesBlockedForMinors": [],
		"legalAgeGroupRule": "Allow"
	},
	"passwordCredentials": [
		{
			"customKeyIdentifier": null,
			"endDate": "2024-11-13T04:13:28.161Z",
			"keyId": "6cccd7d0-bee2-40e4-b76a-03acf321c8da",
			"startDate": "2023-05-18T04:13:28.161Z",
			"value": null,
			"createdOn": "2023-05-18T04:13:32.8804903Z",
			"hint": "IJV",
			"displayName": "sec"
		}
	],
	"preAuthorizedApplications": [],
	"publisherDomain": "zenithn.com",
	"replyUrlsWithType": [
		{
			"url": "http://localhost:8000/api/dex/callback",
			"type": "InstalledClient"
		},
		{
			"url": "https://argocd.newjeans.life/api/dex/callback",
			"type": "Web"
		}
	],
	"requiredResourceAccess": [
		{
			"resourceAppId": "00000003-0000-0000-c000-000000000000",
			"resourceAccess": [
				{
					"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
					"type": "Scope"
				}
			]
		}
	],
	"samlMetadataUrl": null,
	"signInUrl": null,
	"signInAudience": "AzureADMyOrg",
	"tags": [],
	"tokenEncryptionKeyId": null
}

argocd pod log

time="2023-05-18T05:00:31Z" level=info msg="received unary call /project.ProjectService/Update" grpc.method=Update grpc.request.claims="{\"at_hash\":\"_jPPZr2zvM0BtRX2_4bXeA\",\"aud\":\"argo-cd\",\"c_hash\":\"pgcOfi1PGowF670GoJundA\",\"email\":\"[email protected]\",\"email_verified\":true,\"exp\":1684472416,\"iat\":1684386016,\"iss\":\"https://argocd.newjeans.life/api/dex\",\"name\":\"이창민\",\"sub\":\"CiRmYWVmMGIzMy1mZTg5LTQ1ZDktYmFmMi1mNDE5Yzk4ZTJiMjASCW1pY3Jvc29mdA\"}" grpc.request.content="project:<TypeMeta:<kind:\"\" apiVersion:\"\" > metadata:<name:\"asdfa\" generateName:\"\" namespace:\"argocd\" selfLink:\"\" uid:\"7c008e10-3c0d-4314-858e-3af4d3afde49\" resourceVersion:\"96298\" generation:1 creationTimestamp:<2023-05-18T04:59:14Z> clusterName:\"\" managedFields:<manager:\"argocd-server\" operation:\"Update\" apiVersion:\"argoproj.io/v1alpha1\" time:<2023-05-18T04:59:14Z> fieldsType:\"FieldsV1\" fieldsV1:<Raw:\"{\\\"f:spec\\\":{\\\".\\\":{},\\\"f:description\\\":{}},\\\"f:status\\\":{}}\" > subresource:\"\" > > spec:<description:\"sdfasfddd\" permitOnlyProjectScopedClusters:false > status:<> > " grpc.service=project.ProjectService grpc.start_time="2023-05-18T05:00:31Z" span.kind=server system=grpc
time="2023-05-18T05:00:31Z" level=warning msg="finished unary call with code PermissionDenied" error="rpc error: code = PermissionDenied desc = permission denied: projects, update, asdfa, sub: CiRmYWVmMGIzMy1mZTg5LTQ1ZDktYmFmMi1mNDE5Yzk4ZTJiMjASCW1pY3Jvc29mdA, iat: 2023-05-18T05:00:16Z" grpc.code=PermissionDenied grpc.method=Update grpc.service=project.ProjectService grpc.start_time="2023-05-18T05:00:31Z" grpc.time_ms=6.453 span.kind=server system=grpc
time="2023-05-18T05:00:31Z" level=info msg="received unary call /project.ProjectService/ListLinks" grpc.method=ListLinks grpc.request.claims="{\"at_hash\":\"_jPPZr2zvM0BtRX2_4bXeA\",\"aud\":\"argo-cd\",\"c_hash\":\"pgcOfi1PGowF670GoJundA\",\"email\":\"[email protected]\",\"email_verified\":true,\"exp\":1684472416,\"iat\":1684386016,\"iss\":\"https://argocd.newjeans.life/api/dex\",\"name\":\"이창민\",\"sub\":\"CiRmYWVmMGIzMy1mZTg5LTQ1ZDktYmFmMi1mNDE5Yzk4ZTJiMjASCW1pY3Jvc29mdA\"}" grpc.request.content="name:\"asdfa\" " grpc.service=project.ProjectService grpc.start_time="2023-05-18T05:00:31Z" span.kind=server system=grpc
time="2023-05-18T05:00:31Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=ListLinks grpc.service=project.ProjectService grpc.start_time="2023-05-18T05:00:31Z" grpc.time_ms=10.345 span.kind=server system=grpc
@leelax22 leelax22 added the bug Something isn't working label May 18, 2023
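Added diagnostic, not from the issue and not Argo CD's own code: the `g` line in both policy.csv files binds the Azure group's object ID `3decc637-662d-4e20-b6e4-b5df55b4a34d` to `role:org-admin`, so Argo CD grants that role only when the token it evaluates carries a `groups` claim containing exactly that string. The claims in the PermissionDenied log line above hold `sub`, `email`, `name`, `aud` and `iss` but no `groups` key at all, which is why the request fell through to `policy.default: role:readonly` and `projects, update` was denied. The script below re-implements the slice of Argo CD's casbin evaluation that matters here (glob matching, `g` role binding, a few built-in read-only rules, fallback to the default role) and replays that request three ways: with the claims as logged, with a `groups` claim holding the display name `bamidev`, and with the object ID. The built-in read-only rules and the matching semantics are simplifying assumptions, and the log line is constructed from the one on the page.

```python
"""Replay Argo CD's RBAC decision against the claims argocd-server logged.

Added example, not Argo CD code. Re-implements only what this issue needs:
p rules with glob matching, g rules binding a subject to a role, a subset of
the built-in read-only role, and the policy.default fallback.
"""
import csv
import fnmatch
import json
import re

# Assumption: a subset of Argo CD's builtin-policy.csv for role:readonly.
BUILTIN_READONLY = """
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
"""

# policy.csv as posted in the issue's values.yaml.
POLICY_CSV = """
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, repositories, get, *, allow
p, role:org-admin, repositories, create, *, allow
p, role:org-admin, repositories, update, *, allow
p, role:org-admin, repositories, delete, *, allow
p, role:org-admin, projects, *, *, allow
g, "3decc637-662d-4e20-b6e4-b5df55b4a34d", role:org-admin
"""

GROUP_ID = "3decc637-662d-4e20-b6e4-b5df55b4a34d"

# Constructed from the PermissionDenied request in the issue's log, keeping
# only the claims that matter. As in the real line, there is no "groups" key.
LOG_LINE = (
    'time="2023-05-18T05:00:31Z" level=info msg="received unary call '
    '/project.ProjectService/Update" grpc.method=Update '
    'grpc.request.claims="{\\"aud\\":\\"argo-cd\\",'
    '\\"iss\\":\\"https://argocd.newjeans.life/api/dex\\",'
    '\\"sub\\":\\"CiRmYWVmMGIzMy1mZTg5LTQ1ZDktYmFmMi1mNDE5Yzk4ZTJiMjASCW1pY3Jvc29mdA\\"}" '
    'grpc.service=project.ProjectService span.kind=server system=grpc'
)


def claims_from_log(line):
    """Pull the logfmt-escaped grpc.request.claims JSON out of a log line."""
    m = re.search(r'grpc\.request\.claims="((?:[^"\\]|\\.)*)"', line)
    if not m:
        raise ValueError("no grpc.request.claims field in line")
    return json.loads(m.group(1).replace('\\"', '"'))


def parse_policy(text):
    """Split policy.csv into p rules and g rules. Fields are read as CSV, so
    the quoted group ID in the g line loses its quotes, as casbin does."""
    p_rules, g_rules = [], []
    for row in csv.reader(text.strip().splitlines(), skipinitialspace=True):
        row = [f.strip() for f in row]
        if not row or row[0].startswith("#"):
            continue
        if row[0] == "p":
            p_rules.append(tuple(row[1:6]))   # sub, res, act, obj, eft
        elif row[0] == "g":
            g_rules.append((row[1], row[2]))  # member, role
    return p_rules, g_rules


def roles_for(subjects, g_rules):
    """Expand subjects through g rules transitively (roles may nest)."""
    found = set(subjects)
    changed = True
    while changed:
        changed = False
        for member, role in g_rules:
            if member in found and role not in found:
                found.add(role)
                changed = True
    return found


def enforce(claims, policy_csv, resource, action, obj,
            default_role="role:readonly", scopes=("groups",)):
    """True if allowed. Order mirrors Argo CD: the token's subjects first
    (sub plus every value of each scope claim), then policy.default."""
    p_rules, g_rules = parse_policy(BUILTIN_READONLY + policy_csv)
    subjects = [claims.get("sub", "")]
    for scope in scopes:
        values = claims.get(scope, [])
        subjects += values if isinstance(values, list) else [values]

    def decide(subs):
        principals = roles_for(subs, g_rules)
        effects = [eft for sub, res, act, o, eft in p_rules
                   if sub in principals
                   and fnmatch.fnmatchcase(resource, res)
                   and fnmatch.fnmatchcase(action, act)
                   and fnmatch.fnmatchcase(obj, o)]
        return "allow" in effects and "deny" not in effects

    return decide(subjects) or decide([default_role])


def diagnose():
    """The logged request (projects/update/asdfa) under three claim shapes."""
    logged = claims_from_log(LOG_LINE)
    req = ("projects", "update", "asdfa")
    return {
        "as logged, no groups claim": enforce(logged, POLICY_CSV, *req),
        "groups by display name": enforce({**logged, "groups": ["bamidev"]}, POLICY_CSV, *req),
        "groups by object id": enforce({**logged, "groups": [GROUP_ID]}, POLICY_CSV, *req),
        "read-only fallback, projects get": enforce(logged, POLICY_CSV, "projects", "get", "asdfa"),
    }


if __name__ == "__main__":
    for case, allowed in diagnose().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

Two things this makes concrete for the Dex path. First, Dex's microsoft connector returns group display names unless `groupNameFormat: id` is set in the connector config (assumption from Dex's connector documentation), so a `g` line keyed on the object ID never matches a name; either key the `g` line on the name or switch the connector to IDs. Second, the Dex app's manifest grants Microsoft Graph only the delegated `User.Read` scope (`e1fe6dd8-ba31-4d61-89e7-88639da4683d`), while Dex resolves group membership through Graph and needs a group- or directory-read permission with admin consent to populate `groups` at all. The `redirectURI` in the posted `dex.config` (`http://localhost:8080/api/dex/callback`) also differs from both reply URLs registered in the Dex app manifest and is worth confirming. Against a live Argo CD, the same replay is `argocd admin settings rbac can <subject> <action> <resource> [object]`, and `argocd account get-user-info` shows which groups Argo CD actually received for the logged-in user.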
@cpoyatos1

Have you already found a solution? I'm currently having the same problem.

@leelax22
Author

> Have you already found a solution? I'm currently having the same problem.

Unfortunately not yet

@dtzar

dtzar commented Oct 2, 2024

Seems duplicate or at least related to #16314
