Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OIDC: PKCE Incorrectly Uses Base Redirect URL for ArgoCD Hosted Under Custom Path #18045

Open
ptr1120 opened this issue May 1, 2024 · 6 comments
Open

OIDC: PKCE Incorrectly Uses Base Redirect URL for ArgoCD Hosted Under Custom Path #18045

ptr1120 opened this issue May 1, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@ptr1120
Copy link

ptr1120 commented May 1, 2024

Checklist:

  • [ x] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • [x ] I've included steps to reproduce the bug.
  • [x ] I've pasted the output of argocd version.

Describe the bug

I'm hosting ArgoCD at a custom base path (mycompany.org/infra/argocd) and using Keycloak as an external IdP. The configuration functions as expected until I enable PKCE (Proof Key for Code Exchange). Specifically, when enablePKCEAuthentication is set to true in the argocd-cm config map, the ArgoCD frontend incorrectly uses window.location.origin as the redirect URL, as demonstrated in the getPKCERedirectURI function located in utils.ts.

To Reproduce

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  url: https://mycompany.org/infra/argocd/
  enablePKCEAuthentication: true
  oidc.config: >-
    name: Keycloak
    issuer: https://<redacted>
    clientID: <redacted>
    clientSecret: $oidc.keycloak.clientSecret
    requestedScopes:
    - openid
    - profile
    - email
    - roles
    logoutURL: https://<redacted>/protocol/openid-connect/logout?redirect_uri={{logoutRedirectURL}}&id_token_hint={{token}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cmd-params-cm
data:
  - server.rootpath=/infra/argocd
  - server.basehref=/infra/argocd
  • Click on Login via Keycloak button

Expected behavior

ArgoCD should respect one of the configured parameters (server.rootpath, server.basehref, or url from the argocd-cm or argocd-cmd-params-cm config map) to determine the correct base URL for redirects.

Version

v2.11.0-rc3+20fd621
@ptr1120 ptr1120 added the bug Something isn't working label May 1, 2024
@Marvin9
Copy link
Contributor

Marvin9 commented May 1, 2024

So the expected redirect url should be https://mycompany.org/infra/argocd/pkce/verify instead of https://mycompany.org/pkce/verify?

@ptr1120
Copy link
Author

ptr1120 commented May 2, 2024

Exactly, it schould be https://mycompany.org/infra/argocd/pkce/verify

@Marvin9
Copy link
Contributor

Marvin9 commented May 2, 2024

Thanks @ptr1120 , normally if you navigate through pages does that prefix /infra/argocd is preserved in your browser URL?

@ptr1120
Copy link
Author

ptr1120 commented May 2, 2024

Yes @Marvin9 it is preserved in my browser Url but window.location.origin seems to be only about the host part of the Url. See also
image

@Marvin9
Copy link
Contributor

Marvin9 commented May 2, 2024

Alright thanks. Then the only problem to solve is to discover the root URL in browser and then we can pass to the function mentioned in the issue. I will look into this once I get time.

@ptr1120
Copy link
Author

ptr1120 commented May 2, 2024

thanks @Marvin9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ptr1120 @Marvin9