Unable to login to Argo UI embedded inside python flask application via iframe. How to fix?

[rakesh-vishwabrahmana]

Unable to login to ArgoCD UI which is embedded inside my python flask application. I have changed the configuration of argocd ConfigMap,

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cmd-params-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cmd-params-cm
data:
  server.x.frame.options: allow-from "https://my-app.com/"
  server.content.security.policy: frame-ancestors *

So that, I'm able to access the page but unable sign in using admin credentials or using SSO with Microsoft.

But generally I'm able to sign in to the argocd UI using SSO and admin credentials from https://argocd.my-app.com/ without any issues. But I'm unable to sign in from my application which is embedded.

Error message: 400 (Bad Request), http: named cookie not present and data length is less than nonce size

Any advise?

Thanks

[agilgur5]

By "embedded" do you mean as an iframe? Since you have frame-ancestors, that's what it sounded like.

It's been some years since I've used iframes, but IIRC the Cookie is still on the same URL, as it is only being used within the iframe and not outside it.

How do I configure sameSite=None for this? is that works?

Configuring that would allow for CSRF. Even if that were an optional config, it would mean that your server would be susceptible to CSRF now.

You should also be able to workaround this if your Argo Server and Flask application are hosted on the same domain. (Cookies are usually sent in Strict mode)

---

Also back-linking the similar issue that was opened in CD: argoproj/argo-cd#15565

[rakesh-vishwabrahmana]

Also, I tried testing on localhost, src='https://localhost:8080/ but unable to login to argocd UI using admin credentials.
I see in browser cookies, argocd.token, authorization and session are on same domain localhost, but the login functionality not working.

[rakesh-vishwabrahmana]

Hi @agilgur5, Could you please update on this. Thank you in advance

[agilgur5]

I understood that, SameSite=None should work. Please update if there a spec doc to configure or update on hosting different domains to same domain, that would be helpful.

Yes, it would work, but that would make it insecure as your site would be susceptible to CSRF. So I don't think we should add such an option. iframes have a lot of issues, so I just generally wouldn't recommend using them if you can avoid them. Proxying correctly would be what we should recommend.
I don't think that would fit in the docs as it's not specific to Workflows, that's just an iframe issue in general. This is also the first time I've heard someone trying to use an iframe, so this isn't a common issue.

I see in browser cookies, argocd.token, authorization and session are on same domain localhost,

Yea port isn't used for SameSite, so if they're all localhost, they should work the same.

but the login functionality not working.

It might be breaking for a different reason, I'm not sure. It may be because you haven't specified --base-href / BASE_HREF, as I mentioned above. Would have to see some error logs from your browser and the server at least to try to diagnose that.

Not using iframes would definitely simplify things though.

[agilgur5]

because, I'm using Prod namespace for my application and using argo and argocd namespaces for these.

Oh. I can help you with this one. You can create a second Ingress (or second set of paths) in the argo and argocd namespaces that use the same host as your application.

If you can do that, you should no longer need any iframes, which simplifies things quite a bit (iframes are a bit of a hacky workaround)

[rakesh-vishwabrahmana]

Thank you for the information. Apologies for the late response. As advised I prefer to route using ingress.

[rakesh-vishwabrahmana]

Also, just wanted to check, I have installed nginx-ingress in prod namespace. If I install again nginx-ingress in prod2 namespace, is it will expose another LoadBalancerIP? because current ingress IP mapping with my application with DNS.

[agilgur5]

You don't need to install a second Ingress Controller (nginx-ingress in your case). You can create Ingress resources in a different namespaces, and the same Ingress Controller can watch them in any namespace (so long as it is specified in the ingressClassName field or is the default ingress class)

[rakesh-vishwabrahmana]

That's cool, it works with the ingressClassName. Thank you