Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generic (direct) OIDC ID token JWT support #12049

Open
iainlane opened this issue Oct 20, 2023 · 1 comment
Open

Generic (direct) OIDC ID token JWT support #12049

iainlane opened this issue Oct 20, 2023 · 1 comment
Labels
area/sso-rbac type/feature Feature request

Comments

@iainlane
Copy link
Contributor

Summary

It's not possible to use any old OIDC token to authenticate with an Argo Workflows server to use RBAC. You're either in client mode, in which case you need a service account token. Or you're in SSO mode, in which case the ID token needs to have been issued by Argo Workflows itself: it needs to be signed by an internal private key.

I've set up Dex, I've got it issuing ID tokens exchanged from GitHub's ID tokens, but I've fallen at this hurdle - it doesn't seem possible to get Argo WF to accept those tokens at all.

Use Cases

I want to use GitHub Actions OIDC to submit Argo Workflows from GitHub Actions Workflows (GHA). (I imagine other OIDC providers would work similarly but this is the one I'm interested in right now.)

Design

Here's a high-level sketch of a design for how it could work:

  1. In the config, under sso, specify an issuer and an audience.
  2. When we see a JWT inside the Authorization header, we verify it as normal by checking the signature, expiry and all of the standard claims. Additionally, we would verify the issuer and the audience are what was supplied in the config.
  3. After this it looks mostly like SSO looks now. We look at the same annotations on the same service accounts and see if any rbac-rule annotations match against the JWT's claims.
    1. Ideally all claims from the JWT are provided to the expression's context.

That doesn't sound too intrusive to me. What do you think?

If agreed I'd be happy to work on this change.

Message from the maintainers:

Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.
@iainlane iainlane added the type/feature Feature request label Oct 20, 2023
@danielshiplett
Copy link

This sounds like a great use case to me. I'm also facing a similar need as I am building a product that is (trying to) integrate Argo Workflows into a larger system. We use Keycloak as our SSO. I am able to successfully use the Keycloak generated user JWT from my central OAuth2 resource server that coordinates the entire system with all of our other components. I cannot do this with Argo Workflows. This leaves us at a point where we need to use shared service accounts, which is less than ideal from a system management and security perspective.

@kvedes kvedes mentioned this issue Apr 29, 2024
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/sso-rbac type/feature Feature request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@iainlane @agilgur5 @danielshiplett