SSO login via cli without WebBrowser #4424
Comments
I'm afraid the OAuth with ArgoCD is only possible using a browser. However, you can create a local (technical) user and use it for automation purposes. Be sure to configure appropriate RBAC rules in Argo CD for the user, so that the user will be authorized to do what you need it to do.
Thanks @jannfis.
Bumping this post to see if there are any plans of adding SSO login support via the REST API
My team also is facing this issue and we are using this workaround We use
Once we have a token, we can use it in the cli
One caveat of this approach is that ACCESS_TOKEN has to be retrieved before running each command, and both the TOKEN and SERVER flags have to be passed to each and every command.
Has anyone figured out a way to do this for Google SSO? It seems like creating a user requires an admin user being enabled in the first place. We could script this via terraform, but would prefer a cleaner approach.
I'd like to automate the argocd login with headless chrome via chromedp or puppeteer. Could you possibly add a flag like
I had the same issue with using argocd with openshift oauth. Edit: realized I could just get the cookie from the session object

```python
import warnings
from urllib.parse import urlparse

import requests
import urllib3


def argocd_login(host, username, password):
    # temporarily disable ssl verification warnings
    with warnings.catch_warnings():
        urllib3.disable_warnings()
        # create session to keep cookies
        session = requests.session()
        # call initial login endpoint, will redirect to openshift oauth
        response = session.get("https://" + host + "/auth/login", allow_redirects=True, verify=False)
        # parse response to get openshift host
        parsed = urlparse(response.url)
        openshift_url = parsed.scheme + '://' + parsed.netloc
        # setup oauth and idp urls
        authorize_endpoint = '/oauth/authorize?' + parsed.query
        idp_url = openshift_url + "/login/ldapidp"
        # do an initial GET to the idp endpoint to get the csrf cookie
        session.get(idp_url, allow_redirects=False, verify=False, params={
            'then': authorize_endpoint
        })
        # post csrf, username, and password to idp endpoint
        session.post(idp_url, data={
            'username': username,
            'password': password,
            'csrf': session.cookies['csrf'],
            'then': authorize_endpoint
        }, allow_redirects=True, verify=False)
        # return argocd.token from cookies
        return session.cookies['argocd.token']
```
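The script above follows the first redirect and then posts LDAP credentials to whatever host it landed on, with TLS verification switched off. The added example below (my code, not the commenter's) keeps the same OpenShift OAuth flow but leaves verification on and pins the IdP host via an assumed `expected_idp_host` parameter; the `session` argument is an assumption so the flow can be exercised offline.

```python
from urllib.parse import urlparse


def idp_endpoints(redirected_url, expected_idp_host):
    """Derive the LDAP IdP login URL and the 'then' parameter from the URL
    that /auth/login redirected to. Credentials are only sent if the
    redirect stayed on https and on the host we were told to expect."""
    parsed = urlparse(redirected_url)
    if parsed.scheme != "https" or parsed.netloc != expected_idp_host:
        raise ValueError(f"refusing to send credentials to {parsed.netloc!r}")
    authorize_endpoint = "/oauth/authorize?" + parsed.query
    idp_url = f"https://{parsed.netloc}/login/ldapidp"
    return idp_url, authorize_endpoint


def argocd_login(host, username, password, expected_idp_host,
                 session=None, ca_bundle=True):
    """Return the argocd.token cookie after the OpenShift OAuth login.
    `session` is any object with requests-style get()/post()/cookies; when
    omitted a real requests.Session is used. `ca_bundle` is passed straight
    to `verify=` (True, or a path to a private CA bundle), never False."""
    if session is None:
        import requests  # imported lazily so the policy code runs without it
        session = requests.Session()
    response = session.get(f"https://{host}/auth/login",
                           allow_redirects=True, verify=ca_bundle)
    idp_url, then = idp_endpoints(response.url, expected_idp_host)
    # first GET sets the csrf cookie, just as in the original flow
    session.get(idp_url, params={"then": then},
                allow_redirects=False, verify=ca_bundle)
    session.post(idp_url, data={"username": username, "password": password,
                                "csrf": session.cookies["csrf"], "then": then},
                 allow_redirects=True, verify=ca_bundle)
    return session.cookies["argocd.token"]
```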
@jannfis Can this be reopened? For some users creating a local account is not acceptable for the company's auth policies. We need a way to login without a browser using . Dex supports the
The PKCE flow should be possible to support as well.
Commenting to indicate my support for:
I'm having this issue on WSL, but it's because of skratchdot/open-golang#29.
Same here, it should be possible to disable the web-browser opening and just show the URL, or just display a warning instead. It would be great to not be blocking. In my case, I'm using the cli on a remote session, and there is no desktop environment.
For what it's worth, if you have kubectl access, if you ensure you're using the kube context where you have argocd installed, you can set your namespace to the argocd namespace (i.e.,
Here's the documentation on this. I realize this isn't SSO, but if you use SSO to handle cluster access, then it may meet the criteria.
Can this be reopened? We are using devspaces which are like gitpods and the docker argocd container doesn't support opening a web browser. I'm happy to help implement something similar as suggested in #4424 (comment) where it just prints the link to generate a token. Similar to what the Openshift CLI does.
FYI I have done this with AzureAD, and if you use Dex then this recent feature will allow you to solve this via federation. (That feature might not be cut into a release yet, but you can find the edge images published which work). This effectively makes this possible with any OIDC provider via Dex. The flow is, take your github-action/gitlab-ci job/kubernetes service account token, yada yada, configure the OIDC backend for that as a connector for Dex, and do a token exchange to get a dex token. You can then pass that token with the argocd cli. I even have the ArgoCD terraform provider working with OIDC.
In the case of running argocd cli in a remote container (such as in devspaces / gitpods), if argocd cli exposed a flag to override redirect_uri, this should work, since one can configure a redirect_uri to point to an ingress/route that points to the server argocd cli spins up locally in the container.
Just an update, this solution won't work. We cannot use an arbitrary redirect url; the redirect url has to be registered in oauth. Is there a proposed solution at this point that is ready to be implemented? I'd be happy to help implement it.
Hi @blairdrummond, could you please elaborate on the token exchange you did with Terraform? Thanks
@ArieLevs you can't exactly do this with just Okta, instead what you do is:

```yaml
issuer: https://argocd.example.com/api/dex
expiry:
  idTokens: 8h
  signingKeys: 24h
staticClients:
  # Note: I think I maybe had a second client running actually which was a public client.
  # Take a look at the public client below
  - id: argocd
    name: ArgoCD
    redirectURIs:
      - https://argocd.example.com/api/dex/callback
      # Kubelogin uses these
      - http://localhost:8000
      - http://localhost:18000
    secretEnv: ARGOCD_CLIENT_SECRET
  # Note: anyone can use this! Beware!
  - id: public-client
    name: GHA Client
    public: true
connectors:
  # This is my Github auth config, but switch this out for SAML or OIDC for Okta
  - config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      loadAllGroups: true
      orgs:
        - name: liatrio
      redirectURI: https://argocd.example.com/api/dex/callback
    id: github
    name: GitHub
    type: github
  - config:
      issuer: https://token.actions.githubusercontent.com
      scopes:
        - openid
        - groups
      userNameKey: sub
    id: github-actions
    name: github-actions
    type: oidc
oauth2:
  skipApprovalScreen: true
storage:
  config:
    inCluster: true
  type: kubernetes
telemetry:
  http: 0.0.0.0:5558
web:
  http: 0.0.0.0:5556
```

Users will see a screen like below, and your github actions will need a token to auth that doesn't involve Okta at all.

You can find sample code for the token exchange from a github action here. I am trying to get a PR going for Kubelogin so that kubelogin can do this instead of terraform.

```hcl
terraform {
  required_providers {
    argocd = {
      source  = "oboukili/argocd"
      version = "6.0.3"
    }
  }
}

# I used this with interactive auth-code login locally,
# but switch it out with curl, OR just use a TF_VAR
data "external" "token" {
  program = [
    "sh", "-c", <<-HEREDOC
      kubelogin \
        get-token \
        --oidc-issuer-url ${var.sso_issuer} \
        --oidc-client-id ${var.client_id} \
        --grant-type authcode \
        --oidc-extra-scope openid | jq '{"token": .status.token}'
    HEREDOC
  ]
}

provider "argocd" {
  auth_token  = data.external.token.result.token
  server_addr = var.argocd_host
}
```

**Why Dex?**

Dex happens to now support token-exchange; last I checked Okta does not support that yet (PingFederate does. If you use Ping you can do all this natively there and skip Dex). Once/if Okta natively supports token exchange, basically you just register Github Actions to be able to auth to Okta to get an Okta token, then fire that to your service.

**IMPORTANT NOTE: Github-Actions security**

The github-actions OIDC issuer there is github.com wide. Literally anyone could use that. I have a personal fork of Dex where I added lua support to do some extra authz there; I think something like rego or CEL would be better. You might just need to vet the security there to make sure that this system doesn't open up unintended access. Keeping your dex/argocd service in a private network will obviously help here.
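The security note above is the crux: the GitHub Actions issuer is shared by every repository on github.com, so the connector alone does not decide who gets in. As an added example (mine, not the commenter's Dex fork), this is the kind of explicit allowlist that has to sit between a signature-verified GitHub Actions ID token and the Dex token exchange, plus the RFC 8693 form body that exchange sends. Assumptions: the claims are already extracted from a JWT whose signature was checked against the issuer's JWKS, the repository and ref values are made up, and the Dex parameter names (`connector_id`, token-type URNs) follow the Dex token-exchange guide as I understand it.

```python
import time
from urllib.parse import urlencode

GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"

# Constructed claims in the shape GitHub Actions puts in its OIDC ID token;
# not a real token, and only the claims the policy below looks at.
SAMPLE_CLAIMS = {
    "iss": GITHUB_ACTIONS_ISSUER,
    "aud": "argocd",
    "sub": "repo:liatrio/example-repo:ref:refs/heads/main",
    "repository": "liatrio/example-repo",
    "ref": "refs/heads/main",
    "exp": 4102444800,
}


def subject_allowed(claims, audience, allowed_repos, allowed_refs, now=None):
    """Admit a GitHub Actions identity only if it comes from the expected
    issuer, is addressed to us, is unexpired, and names a repository and ref
    on the allowlist. Signature verification must already have happened;
    this is the authz decision the github.com-wide issuer cannot make."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ACTIONS_ISSUER:
        return False
    if claims.get("aud") != audience:
        return False
    if claims.get("exp", 0) <= now:
        return False
    if claims.get("repository") not in allowed_repos:
        return False
    return claims.get("ref") in allowed_refs


def token_exchange_form(subject_token, connector_id, scope="openid groups"):
    """Form body for the Dex token exchange: POST it to the Dex /token
    endpoint, authenticating the static client with HTTP basic auth (the
    client id/secret are not part of the body here)."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "connector_id": connector_id,
        "subject_token": subject_token,
        "subject_token_type": ID_TOKEN_TYPE,
        "requested_token_type": ID_TOKEN_TYPE,
        "scope": scope,
    })
```

The ID token Dex returns is what goes to `argocd --auth-token`, exactly as with the Terraform data source above.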
@blairdrummond : per this okta doc https://developer.okta.com/docs/guides/set-up-token-exchange/main/, does it mean that okta does support token-exchange?
Oh snap @haiwu yes it does! Looks like you can use that for token-exchange. In that case, you can hook ArgoCD -> Okta, then Okta humans use sso as normal, and you use that flow to get machine identities to get an Okta ID token, then send that token to ArgoCD
@blairdrummond : Would this work if ArgoCD is using SAML from Okta?
For sessions over ssh or codespaces, where you can forward your terminal's port to your local host, you can stub out xdg-open on the remote side to avoid the error. You can then open the link in your local browser to finish the flow.

```sh
echo "#!/bin/sh" > ~/.local/bin/xdg-open
chmod +x ~/.local/bin/xdg-open
argocd login ... --sso
```
Hello,
I would like to use the argocd cli as a Tekton Task (running argocd inside a container).
ArgoCD is using OpenShift OAuth. When logging in I got the following error message
I could install xdg-open, but inside my container I do not have any browser.
Is there a way to SSO login without web browser redirection?
Thanks