Investigate using DEX locally with ARGO #39223
Closed
npeterson54 opened this issue Mar 28, 2022 · 1 comment
Labels:
console-services Console Services Team (Platform Crew)
npeterson54 commented Mar 28, 2022

Problem we are trying to solve:
Add Keycloak to Argo's Dex (add Keycloak to the dex sso config)

Currently we use Keycloak as a provider.

We would like to see if Dex is possible (Argo is being used in product with Argo); we need to determine if this will work for our needs.

Acceptance Criteria

Verify that Dex works

  • Verify bearer token from Keycloak still works with argo when using dex
@npeterson54 npeterson54 added the console-services Console Services Team (Platform Crew) label Mar 30, 2022
@npeterson54 npeterson54 added this to the Provide Deployment Status milestone Mar 30, 2022
RachalCassity commented Apr 12, 2022

There are two issues with using Dex and Keycloak to make API calls.

  1. The OIDC issuer changes from Keycloak to Dex:

    Dex acts as a portal to other identity providers through "connectors." This lets dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory. Clients write their authentication logic once to talk to dex, then dex handles the protocols for a given backend.

    When Dex is used for authenticating users in Argo, users sign in through an external connector, like Keycloak or GitHub. The external connector is no longer the SSO provider in Argo. The connector's issuer is removed and replaced with the Dex issuer, which may look like http://localhost:8080/api/dex. The error below is reported when attempting to make an API call to Argo with a Keycloak token:

    "error": "invalid session: oidc: id token issued by a different provider, expected \"http://localhost:8080/api/dex\" got \"http://localhost:8180/auth/realms/Twilight\""

  2. The Keycloak Access token is not obtained.

    Access tokens are what the OAuth client uses to make requests to an API. The access token is meant to be read and validated by the API. An ID token contains information about what happened when a user authenticated, and is intended to be read by the OAuth client.

    Dex authenticates the user but does not obtain the Keycloak Access token, therefore Argo API calls cannot be made via Dex.

There has not been a solution to use the Keycloak token for ArgoCD API calls via Dex.

Here are some reported issues with Issuers/Dex/Connectors:

dexidp/dex#1635
argoproj/argo-cd#671
kubeflow/kfctl#433

Possible solutions:

Keycloak is an OIDC provider, just like Dex. GitHub users are able to go to the Argo login page and click "Sign in via Keycloak". Then the user has the option to sign in to GitHub or Keycloak. The user will be redirected back to ArgoCD. This works the same way as Dex, but the user will be able to make API calls to Argo.
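As an added illustration of the first problem in the comment above (example code written for this page, not Argo CD's or Dex's own verifier), the issuer check that produces the quoted error, run over two constructed unsigned tokens. The helper names are hypothetical; the two issuer URLs are taken from the error message, and signature verification is deliberately left out so the `iss` comparison stays visible.

```python
import base64
import json

# Constructed example values; both issuer URLs are copied from the error
# message quoted in the comment above.
DEX_ISSUER = "http://localhost:8080/api/dex"
KEYCLOAK_ISSUER = "http://localhost:8180/auth/realms/Twilight"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Hypothetical helper: build a JWS compact token with a placeholder
    signature. Constructed test data only, not something an IdP issues."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     "placeholder-signature"])


def decode_payload(token: str) -> dict:
    """Decode the claims segment only. A real verifier checks the signature
    against the issuer's JWKS before trusting any claim; omitted here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_issuer(token: str, expected_issuer: str):
    """Return None when the token's `iss` claim matches the issuer the
    verifier is configured for; otherwise the message Argo reports."""
    issuer = decode_payload(token).get("iss")
    if issuer != expected_issuer:
        return ('invalid session: oidc: id token issued by a different '
                f'provider, expected "{expected_issuer}" got "{issuer}"')
    return None


if __name__ == "__main__":
    keycloak_token = make_unsigned_token({"iss": KEYCLOAK_ISSUER, "sub": "alice"})
    dex_token = make_unsigned_token({"iss": DEX_ISSUER, "sub": "alice"})
    # Argo configured with Dex as its OIDC issuer rejects the Keycloak token...
    print(check_issuer(keycloak_token, DEX_ISSUER))
    # ...and accepts one minted by Dex itself.
    print(check_issuer(dex_token, DEX_ISSUER))
```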
