Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for external dex implementation #702

Closed
jaxxstorm opened this issue Oct 18, 2018 · 14 comments
Closed

Support for external dex implementation #702

jaxxstorm opened this issue Oct 18, 2018 · 14 comments
Labels
duplicate This issue or pull request already exists

Comments

@jaxxstorm
Copy link

We already have a dex server installed. Is it possible to point to this, and not deploy an additional dex server?

@jessesuen
Copy link
Member

@jaxxstorm we will make sure this is possible as part of:
#671

@jessesuen jessesuen added the duplicate This issue or pull request already exists label Oct 18, 2018
@mbuccarello
Copy link

Hello @jessesuen and happy new year to you and argo-cd team, during the past week we digged into the documentation to understand how to configure an external dex but we didn't find any documentation that relates anything about this topic.
Please could share to us any evidence that there is a way to configure external dex?
We tried different configuration in the argocd-cm configmap but nothing worked as intended.
We tried to understand how to change the default /api/dex context root but again we failed to find a way to properly configure.
We tried to change the URL composed in the argocd UI but the /dex/api URL is relative and not absolute with the external dex server.

Thanks!

@mbuccarello
Copy link

after some digging we figured out the configuration, the point was to use oidc.config and configure external dex to use oauth2 to communicate with argo. Should be good to do a documentation about external dex scenario. Have a good day!

@ChaosInTheCRD
Copy link

Agreed that this would be useful documented 😄 Thanks for adding this as confirmation @mbuccarello

@awalford16
Copy link

Hi, we are also trying to solve this issue of implementing ArgoCD with an external Dex server. Did the documentation ever get created? If not could you share an example of how you managed to get this to work please?

@aleksmova
Copy link

@mbuccarello could you please share the configuration.

@awalford16
Copy link

Our dex server is running on the same cluster as ArgoCD with this config:

issuer: "https://dex.example.com/dex"
storage:
  type: kubernetes
  config:
    inCluster: true

oauth2:
  skipApprovalScreen: true

connectors:
- type: ldap
  id: ldap
  name: LDAP
  config:
    host: OUR_LDAP_SERVER_URL:636
    rootCA: /etc/ssl/certs/ca-certificates.crt
    bindDN: cn=admin,dc=example,dc=com
    bindPW: PASSWORD
    usernamePrompt: Username
    userSearch:
      baseDN: ou=Users,dc=example,dc=com
      filter: "(objectClass=person)"
      username: Username
      idAttr: uid
      emailAttr: email
      nameAttr: name
    groupSearch:
      baseDN: ou=Groups,dc=example,dc=com
      filter: "(objectClass=group)"
      userMatchers:
      - userAttr: uid
        groupAttr: memberUid
      nameAttr: name

Then based on the comments above we have tried to configure ArgoCD through the oidc.config but I cannot find much documentation on how to do this. So far, all we have is:

server:
  config:
    oidc.config: |-
      name: LDAP 
      issuer: https://dex.example.com/dex

This is the error we see when attempting to login with LDAP on ArgoCD:

Invalid redirect URL: the protocol and host (including port) must match and the path must be within allowed URLs if provided

I have tried passing in redirectURI: https://ARGOCD_URL/api/dex/callback to the dex config but still get the same error

@crenshaw-dev
Copy link
Member

@awalford16 can you open an issue and specify the version you're running?

My immediate instinct is that Argo CD is trying to compare the redirect URL with the configured url field (in argocd-cm), but I'm not sure.

@michaelajr
Copy link

So I was able fix this by adding configs.cm.url

@thiDucTran
Copy link

thiDucTran commented Dec 28, 2022

can posters post specific examples of your working configs? @michaelajr @mbuccarello ?

edit: for our use-case, we got things to work. see below

dex:
  enabled: false
configs:
  rbac:
    scopes:
      - groups
      - email
  cm:
    url: https://abc.com/argocd
    oidc.config: |
      name: AzureAD
      issuer: https://abc.com/dex
      clientID: argocd
      clientSecret: passBetweenDexAndArgo #needs to match what you defined in Dex. 
     # root CA of our abc.com 
      rootCA: |
        -----BEGIN CERTIFICATE-----
        MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
        -----END CERTIFICATE-----
      requestedIDTokenClaims:
        groups:
          essential: true
      requestedScopes:
        - openid
        - profile
        - email
        - groups
  params:
    server.insecure: true
    server.rootpath: "argocd"
  • in Dex, we have this
kind: ConfigMap
apiVersion: v1
metadata:
  name: dex
  namespace: dex
data:
  config.yaml: |
    issuer: https://abc.com/dex
    expiry:
      idTokens: "30m"
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      https: 0.0.0.0:5556
      tlsCert: /etc/dex/tls/tls.crt
      tlsKey: /etc/dex/tls/tls.key
    connectors:
    - type: microsoft
      # Required field for connector id.
      id: microsoft
      # Required field for connector name.
      name: Microsoft
      config:
        # Credentials can be string literals or pulled from the environment.
        clientID: $MICROSOFT_APPLICATION_ID
        clientSecret: $MICROSOFT_CLIENT_SECRET
        redirectURI: https://abc.com/dex/callback
        tenant: someTenantId
        groupNameFormat: id
    oauth2:
      skipApprovalScreen: true

    staticClients:
    - id: argocd
      redirectURIs:
      - 'https://abc.com/argocd/auth/callback'
      name: 'argocd'
      secret: passBetweenDexAndArgo

we use K8s Nginx Ingress Controller as our reverse proxy for both Dex and ArgoCD

@jcogilvie
Copy link

If you'd like to extract the working config for your current dex in order to import it into an external dex, you can get a pod shell into argocd-server and run argocd-dex gendexcfg and it'll print argo's desired config to stdout.

@264nm
Copy link

264nm commented May 31, 2023

So in the case I've been trying to set up, I was asked to patch out the bundled Dex as well as leverage the existing Dex instance on the cluster managed by others.

Followed the directions above to a achieve a partial success. It uses the Github connector on the Dex side so just a case of sharing the clientID and secret between both ConfigMaps.

So by partial, I mean I managed to create a new static client in Dex for ArgoCD with the appropriate redirectURI and log in via the UI but when I try to use the --sso flag to the CLI I'm still getting redirected to:

Bad Request
Unregistered redirect_uri ("http://localhost:8085/auth/callback")

Any thoughts here @michaelajr @mbuccarello @thiDucTran?

Do I need seperate cliClientId configured specifically in Dex or can I re-use?.

What am I putting for redirectURI? Literally http://localhost:8085/auth/callback?

Dex Side - Added new static client:

    - id: 
       ...
       ...
    - id: argocd
      redirectURIs:
      - 'https://argocd.{{ .Cluster.Endpoint }}:8080/auth/callback'
      name: argocd
      secret: <redacted>

ArgoCD Side:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.{{ .Cluster.Endpoint }}:8080
  oidc.config: |
    name: Dex
    issuer: https://platform.{{ .Cluster.Endpoint }}/dex
    clientSecret: <redacted>
    skipAudienceCheckWhenTokenHasNoAudience: true
    cliClientId: argocd

@thiDucTran
Copy link

I dont think dex works with argo cd cli . try --core when using argocd cli instead? @264nm

@264nm
Copy link

264nm commented Aug 16, 2023

It does @thiDucTran!
Just got this working today. You need to create a separate cliClientId, and then a separate staticClient on the dex side for the localhost redirectURI, and rather than providing a clientSecret you set public: true

i.e.

    - id: argocdcli
      name: argocdcli
      # Use Public Client for browser based CLI auth flow
      # https://dexidp.io/docs/custom-scopes-claims-clients/#public-clients
      # https://github.com/argoproj/argo-cd/issues/2179
      public: true
      redirectURIs:
      - 'http://localhost:8085/auth/callback'
$ argocd login argocd.example.com:8080 --sso
 
 Opening browser for authentication
 Performing authorization_code flow login: https://platform.example.com/dex/auth?                                                                                                                                access_type=offline&client_id=argocdcli&code_challenge=blahblahblah&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback&response_type=code&s cope=openid+profile+email+groups+offline_access&state=blahblahblah
 Authentication successful
 '[email protected]' logged in successfully
 Context 'argocd.example.com:8080' updated

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
duplicate This issue or pull request already exists
Projects
None yet
Development

No branches or pull requests