Argocd SSO login via Azure AD Auth using OIDC not work for cli sso login #11632

Open
calmzhu opened this issue Dec 9, 2022 · 1 comment
Labels
bug Something isn't working


calmzhu commented Dec 9, 2022

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug
The config from the docs does not work for argocd CLI SSO login. A new entry, `offline_access`, is required in `requestedScopes`.

Can you check this and add this field to the doc's example?

To Reproduce

  1. Follow the guide in the doc Azure AD App Registration Auth using OIDC.

  2. SSO login in the UI succeeds.

  3. argocd CLI SSO fails: `argocd login xxxxxxx --grpc-web-root-path / --sso` returns error code 7000218.
     [screenshot: CLI error output]

  4. Add a new line `offline_access` to `requestedScopes` of `oidc.config` in argocd-cm.
     [screenshot: argocd-cm with offline_access added]

  5. argocd CLI SSO login succeeds: `argocd login xxxxxxx --grpc-web-root-path / --sso`
     [screenshot: successful CLI login]

Version

argocd: v2.3.3+07ac038
  BuildDate: 2022-03-30T01:44:08Z
  GitCommit: 07ac038a8f97a93b401e824550f0505400a8c84e
  GitTreeState: clean
  GoVersion: go1.17.6
  Compiler: gc
  Platform: darwin/arm64
argocd-server: v2.5.2+148d8da
  BuildDate: 2022-11-07T16:42:47Z
  GitCommit: 148d8da7a996f6c9f4d102fdd8e688c2ff3fd8c7
  GitTreeState: clean
  GoVersion: go1.18.8
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v4.5.7 2022-08-02T16:35:54Z
  Helm Version: v3.10.1+g9f88ccb
  Kubectl Version: v0.24.2
  Jsonnet Version: v0.18.0
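As an added example (not the reporter's configuration and not text from the Argo CD docs), this is the shape of the argocd-cm `oidc.config` the Azure AD OIDC guide describes, with the `offline_access` scope the issue reports as missing. `offline_access` is the standard OIDC scope that asks the identity provider for a refresh token; the argocd CLI keeps a refresh token in its local config after `--sso` login, which the browser flow can do without. The tenant ID, client ID and server URL are placeholders, and `$oidc.azure.clientSecret` is Argo CD's syntax for a reference to a key in argocd-secret.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  # Must match the URL users log in through; it is used as the OIDC redirect base.
  url: https://argocd.example.com
  oidc.config: |
    name: Azure
    # v2 endpoint of the tenant; a v1 token (iss sts.windows.net) will not validate here.
    issuer: https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0
    clientID: 11111111-1111-1111-1111-111111111111
    # Reference to the key "oidc.azure.clientSecret" in the argocd-secret Secret,
    # so the secret value never lands in the ConfigMap.
    clientSecret: $oidc.azure.clientSecret
    requestedIDTokenClaims:
      groups:
        essential: true
    requestedScopes:
      - openid
      - profile
      - email
      # Added relative to the doc example: requests a refresh token, which the
      # issue reports is needed for `argocd login --sso` to succeed.
      - offline_access
```

The `groups` claim under `requestedIDTokenClaims` is what Argo CD RBAC policies key on, so keep it `essential: true`; without it a user can log in but will map to no role.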

blairdrummond commented Dec 10, 2022

Hi @calmzhu , I managed to get this working more manually today.

Still isolating the exact config needed, but I think this hinges on the argo app registration using the v2 token API, which you can set in the app registration manifest (without this, your token is issued by sts.windows.net, but argo is expecting login.microsoftonline.com).

Note: the AAD_SERVICE_PRINCIPAL_ vars are necessary for kubelogin

```bash
# Credentials for the service principal kubelogin authenticates as.
# The AAD_SERVICE_PRINCIPAL_ names are what kubelogin reads for --login spn.
# Prefer sourcing these from a secret store rather than typing them into the shell.
export AAD_SERVICE_PRINCIPAL_CLIENT_ID="<REDACTED>"
export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET="<REDACTED>"
export TENANT_ID="REDACTED"

# Application (client) ID from the Argo CD app registration
export ARGO_APP_ID=REDACTED

# Optional: inspect the JWT payload. JWT segments are base64url without padding, so
# translate the alphabet and re-pad before decoding; with that done the trailing
# garbage the earlier `sed` worked around does not appear. Look at the `iss` and
# `ver` claims: a v1 token is issued by sts.windows.net, a v2 token by
# login.microsoftonline.com, which is the issuer Argo CD is configured to expect.
inspect_jwt() {
  local payload
  payload=$(printf '%s' "$1" | cut -d '.' -f 2 | tr '_-' '/+')
  while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done
  printf '%s' "$payload" | base64 -d | jq
}

TOKEN=$(kubelogin get-token --login spn \
      --tenant-id "$TENANT_ID" \
      --server-id "$ARGO_APP_ID" \
      | jq -r .status.token)
# inspect_jwt "$TOKEN"

# This works. --insecure disables TLS certificate verification; drop it once the
# server presents a certificate your CA bundle trusts.
curl --insecure --silent \
    -H "Authorization: Bearer $TOKEN" \
        https://argocd.example.com/api/v1/session/userinfo

# This works
curl --insecure --silent \
    -H "Authorization: Bearer $TOKEN" \
        https://argocd.example.com/api/v1/applications
```

This might work for you as well.

For readers who are not using Azure, my theory is that if Dex adds support for the grant_type=token-exchange, then you should be able to use this approach with Dex, too, by trading the Azure/AWS/GCP cred with dex for a token that argocd will accept.
