Hi @calmzhu , I managed to get this working more manually today.
Still isolating the exact config needed, but I think this hinges on the argo app registration using the v2 token API, which you can set in the app registration manifest (without this, your token is issued by sts.windows.net, but argo is expecting login.microsoftonline.com).
Note: the AAD_SERVICE_PRINCIPAL_ vars are necessary for kubelogin
```bash
export AAD_SERVICE_PRINCIPAL_CLIENT_ID="<REDACTED>"
export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET="<REDACTED>"
export TENANT_ID="REDACTED"
# From the argo app registration
export ARGO_APP_ID=REDACTED

#
# Inspect the jwt. (The `sed` thing is for a bug on my system, it shouldn't need to be there)
#
# kubelogin get-token --login spn \
#   --tenant-id $TENANT_ID \
#   --server-id $ARGO_APP_ID \
#   | jq .status.token | awk -F '.' '{print $2}' | base64 -d \
#   | sed 's~}*$~}~' | jq

TOKEN=$(kubelogin get-token --login spn \
  --tenant-id $TENANT_ID \
  --server-id $ARGO_APP_ID \
  | jq -r .status.token)

# This works
curl --insecure --silent \
  -H "Authorization: Bearer $TOKEN" \
  https://argocd.example.com/api/v1/session/userinfo

# This works
curl --insecure --silent \
  -H "Authorization: Bearer $TOKEN" \
  https://argocd.example.com/api/v1/applications
```
This might work for you as well.
For readers who are not using Azure, my theory is that if Dex adds support for the grant_type=token-exchange, then you should be able to use this approach with Dex, too, by trading the Azure/AWS/GCP cred with dex for a token that argocd will accept.
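The issuer mismatch described in the comment above can be checked before a token is sent to Argo CD. The following is an added example, not code from the comment or from the Argo CD project: it decodes the JWT payload with base64url padding restored and reports whether `iss` is the v1 (`sts.windows.net`) or v2 (`login.microsoftonline.com`) issuer. The tenant and app IDs and both sample tokens are constructed, and it assumes Argo CD is configured with the v2 issuer and with `ARGO_APP_ID` as its client ID.

```python
import base64
import json

TENANT = "00000000-0000-0000-0000-000000000001"   # constructed tenant id
APP_ID = "11111111-1111-1111-1111-111111111111"   # constructed stand-in for ARGO_APP_ID


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.strip().strip('"').split(".")  # tolerate jq output without -r
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1]
    # JWT segments are base64url with the '=' padding stripped; restore it.
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_report(token: str, tenant_id: str, client_id: str) -> dict:
    """Classify the token's issuer as the v1 or v2 endpoint and check the audience."""
    claims = jwt_claims(token)
    iss = claims.get("iss", "")
    known = {
        f"https://sts.windows.net/{tenant_id}/": "v1",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0": "v2",
    }
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return {
        "iss": iss,
        "endpoint": known.get(iss, "unknown"),
        # Assumption: Argo CD's oidc.config issuer is the v2 URL for this tenant.
        "issuer_matches_v2": known.get(iss) == "v2",
        "audience_matches": client_id in audiences,
    }


def sample_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed"


V1 = sample_token({"iss": f"https://sts.windows.net/{TENANT}/", "aud": APP_ID, "ver": "1.0"})
V2 = sample_token({"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "aud": APP_ID, "ver": "2.0"})

if __name__ == "__main__":
    for name, tok in (("v1", V1), ("v2", V2)):
        print(name, issuer_report(tok, TENANT, APP_ID))
```

The decode step skips signature verification, so its output is only a diagnostic for configuration mismatches and never a basis for trusting a token.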
Describe the bug
The config from the doc does not work for argocd cli sso login. A new field `offline_access` is required in requestedScopes. Can you check this and update this field in the doc's example?
To Reproduce
1. Following the guide in the doc Azure AD App Registration Auth using OIDC,
2. sso login in ui succeeds
3. argocd cli sso fails
   ![image](https://user-images.githubusercontent.com/10286576/206659440-61273050-31ca-41a0-a3ec-9eb0f543d15c.png)
   `argocd login xxxxxxx --grpc-web-root-path / --sso`
   got error code 7000218
4. Add new line `offline_access` to requestedScopes of oidc.config in argocd-cm
   ![image](https://user-images.githubusercontent.com/10286576/206659752-ce4cb13c-4e4b-48d8-b405-a902caab56ea.png)
5. argocd cli sso login succeeds: `argocd login xxxxxxx --grpc-web-root-path / --sso`

Version