
ArgoCD does not follow SSO Redirects #13089

Open
simonjcarr opened this issue Apr 3, 2023 · 3 comments
Labels
bug Something isn't working component:sso Issues related to Argo CD configurations

Comments

@simonjcarr

Describe the bug

ArgoCD does not follow redirects when using SSO.

To Reproduce

  • Configure ArgoCD to use Keycloak for Authentication.
  • Serve Keycloak from behind a Cloudflare tunnel.
  • Cloudflare returns a 302 response
  • ArgoCD does not follow the redirect and instead gives the following error in the browser:
    Failed to query provider "https://authtr.soxprox.com/realms/task-repository-testing": oidc: failed to decode provider discovery object: expected Content-Type = application/json, got "text/html": invalid character '<' looking for beginning of value

Expected behavior

ArgoCD should follow the redirect

ArgoCD should either automatically follow the redirect or there should be an option in the Config Map where the user can allow redirects to be followed.

Screenshots

(screenshot image not captured in this text)

Version

v2.6.7+5bcd846

Logs

#ArgoServer Log
time="2023-04-03T12:26:31Z" level=info msg="Initializing OIDC provider (issuer: https://authtr.soxprox.com/realms/task-repository-testing)"

Response from curl to the Keycloak endpoint:

*   Trying 104.21.21.210:443...
* Connected to authtr.soxprox.com (104.21.21.210) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.soxprox.com
*  start date: Feb 20 00:42:52 2023 GMT
*  expire date: May 21 00:42:51 2023 GMT
*  subjectAltName: host "authtr.soxprox.com" matched cert's "*.soxprox.com"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1P5
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x562b89db7e90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /realms/task-repository-testing/.well-known/openid-configuration HTTP/2
> Host: authtr.soxprox.com
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 302 
< date: Mon, 03 Apr 2023 12:39:13 GMT
< location: https://soxprox-home.cloudflareaccess.com/cdn-cgi/access/login/authtr.soxprox.com?kid=1bbf6007390ad477257bf0b7194ab2db53f4b0b4a398677ab0167784e199ae5e&redirect_url=%2Frealms%2Ftask-repository-testing%2F.well-known%2Fopenid-configuration&meta=eyJraWQiOiJlZTkwYWNmMTQ4YWZiNjVkZjdlZTcwZjA0MTBiNmIyNWMwMDEyMGI5OTQ2M2Q0ZWRlYmQ0MzkzZjE1YWU2YjlkIiwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.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.C6_7HDFcokIWW0RZ-kM_w9_OTlvDWASqaUt10nLcXKGHBi9sTYHI92TgTGVSaUAWzOwslBWaqgDbnNYc5oECSu-CnrM4CHiKKQgp5MoQeFAAWU1aNrEgEyZDs3cFCapTijrgyt0j_HxvZeT0wNVcF7N6lD0yGrq-l2wcev8hsYqiUuqw4a-NsFJGJvS2rwjAFqBhbu2F-7EiYTVwYbXr5DvxmMhfbmRDQj3I6msgKsN6Rrnp5b9ue9HXV3Ml1dwo6Py7VlpeyfCjFGZESR01j1LReXdZqwh6ROWcpCiiKHzbKRlawFXBtkwA5FwPfv2chuJXGlnus-bgGlNYCrJOHA
< set-cookie: CF_AppSession=n2dcd28f487d47605; Expires=Tue, 04 Apr 2023 12:39:13 GMT; Path=/; Secure; HttpOnly
< access-control-allow-credentials: true
< cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NPU6RbzqQVFClvrwPIC790UdpNEvWfsRAgqhGmPGoIStELUpO7IKb2DLIUxVEOkahPMgL4SvZHVEw3RzIodlxwbG7fup3n19B0GNQa9VEHdlAboKEUMDSWMLR16mPhMz55nSces%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 7b215f867b2e35c5-MAN
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
< 
* Connection #0 to host authtr.soxprox.com left intact
@simonjcarr simonjcarr added the bug Something isn't working label Apr 3, 2023
@jaideepr97 jaideepr97 added the component:sso Issues related to Argo CD configurations label Apr 10, 2023
@Nello-Angelo

I have the same problem

@crenshaw-dev
Collaborator

Argo CD passes a go http client to go-oidc. As far as I can tell, we set no special redirect logic, and it looks like the default behavior of the go http client is to follow redirects. I'm not sure what's going wrong here.

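A small Go check, added here and not part of Argo CD or go-oidc, that reproduces what the curl transcript and the comment above describe: the default Go client does follow the 302, but it lands on the Cloudflare Access HTML login page, and that is the response go-oidc's Content-Type check rejects. The gated test server, its paths and the exemptDiscovery switch are constructed stand-ins, not Cloudflare's real behaviour or policy configuration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Discover fetches <issuer>/.well-known/openid-configuration and applies the
// Content-Type check go-oidc enforces. It returns the URL the client actually
// ended on (http.DefaultClient follows the 302 by itself) and the media type of
// that final response, so the error says where the HTML came from.
func Discover(client *http.Client, issuer string) (finalURL, contentType string, err error) {
	resp, err := client.Get(strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration")
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	finalURL = resp.Request.URL.String() // resp.Request is the last request sent, i.e. the redirect target
	contentType, _, _ = mime.ParseMediaType(resp.Header.Get("Content-Type"))
	if contentType != "application/json" {
		return finalURL, contentType, fmt.Errorf("expected application/json from %s, got %q (status %d)", finalURL, contentType, resp.StatusCode)
	}
	return finalURL, contentType, nil
}

// NewAccessGatedServer is a constructed stand-in for Keycloak behind Cloudflare
// Access: a request without a session is 302-redirected to a login page that
// answers with HTML, the shape seen in the curl transcript. With exemptDiscovery
// set, the .well-known path is served directly, modelling a bypass rule for
// the (public) discovery document; this policy shape is an assumption.
func NewAccessGatedServer(exemptDiscovery bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/cdn-cgi/access/login/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, "<html><body>Cloudflare Access login</body></html>")
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if !exemptDiscovery || !strings.HasSuffix(r.URL.Path, "/.well-known/openid-configuration") {
			http.Redirect(w, r, "/cdn-cgi/access/login/?redirect_url="+r.URL.Path, http.StatusFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprintf(w, `{"issuer":"http://%s/realms/example"}`, r.Host)
	})
	return httptest.NewServer(mux)
}
```

Running Discover against NewAccessGatedServer(false) yields a "text/html" error whose URL is the /cdn-cgi/access/login/ page, which is the diagnostic to look for before blaming redirect handling; against NewAccessGatedServer(true) the same client gets the JSON document.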
@mkilchhofer
Member

https://authtr.soxprox.com/realms/task-repository-testing

IMO older Keycloak issuer endpoints look like https://<issuer-fqdn>/auth/realms/<your-realm>/ so I suspect a missing /auth/ inside the URL.

What version of Keycloak do you have, @simonjcarr?
