ArgoCD ?has_sso_error #9019

Closed
vodanet opened this issue Mar 25, 2024 · 5 comments
Labels
question Further information is requested

Comments


vodanet commented Mar 25, 2024

Hi,

I set everything up according to the instructions, but unfortunately the LOGIN in Argocd doesn't work (see screenshots).

Screenshot 2024-03-25 103735

argocd-cm:

data:
  dex.config: |
    connectors:
    - config:
        issuer: https://authentik./application/o/argocd/
        clientID: EdcMAp5fANCylnGmo0MhpVvnM8irkWZph6jynRmK
        clientSecret: $dex.authentik.clientSecret
        insecureEnableGroups: true
        scopes:
        - openid
        - profiles
        - email
        - groups
      name: Authenticity
      type: oidc
      id: authentic
  url: https://argocd.

Screenshot 2024-03-25 103630

Screenshot 2024-03-25 103707

I tried the application settings with and without a start URL (https://argocd.).

I tried Redirect URIs/Origins (RegEx) with https and http in the provider settings.

I restarted the argocd-dex-server.

Unfortunately all without success.

What does the message https://argocd./login?has_sso_error=true say?

Greetings,
Daniel

@vodanet vodanet added the question Further information is requested label Mar 25, 2024
Member

BeryJu commented Mar 25, 2024

you should be able to find a more detailed error message in your argocd or dex container logs

Author

vodanet commented Mar 25, 2024

Argocd-Dex-Server LOG:

time="2024-03-25T09:59:25Z" level=info msg="ArgoCD Dex Server is starting" built="2024-03-01T21:24:51Z" commit=fcf5d8c2381b68ab1621b90be63913b12cca2eb7 namespace=argocd version=v2.10.2+fcf5d8c
time="2024-03-25T09:59:25Z" level=info msg="Generating self-signed TLS certificate for this session"
time="2024-03-25T09:59:25Z" level=info msg="Starting configmap/secret informers"
time="2024-03-25T09:59:25Z" level=info msg="Configmap/secret informer synced"
time="2024-03-25T09:59:25Z" level=info msg="0xc000de9ec0 subscribed to settings updates"
time="2024-03-25T09:59:25Z" level=info msg="Dex Version: v2.37.0-dirty, Go Version: go1.20.4, Go OS/ARCH: linux amd64"
time="2024-03-25T09:59:25Z" level=info msg="config issuer: https://argocd./api/dex"
time="2024-03-25T09:59:25Z" level=info msg="config storage: memory"
time="2024-03-25T09:59:25Z" level=info msg="config static client: Argo CD"
time="2024-03-25T09:59:25Z" level=info msg="config static client: Argo CD CLI"
time="2024-03-25T09:59:25Z" level=info msg="config static client: Argo CD PKCE"
time="2024-03-25T09:59:25Z" level=info msg="config connector: authentik"
time="2024-03-25T09:59:25Z" level=info msg="config skipping approval screen"
time="2024-03-25T09:59:25Z" level=info msg="config refresh tokens rotation enabled: true"
time="2024-03-25T09:59:25Z" level=info msg="keys expired, rotating"
time="2024-03-25T09:59:26Z" level=info msg="keys rotated, next rotation: 2024-03-25 15:59:26.286488383 +0000 UTC"
time="2024-03-25T09:59:26Z" level=info msg="listening (telemetry) on 0.0.0.0:5558"
time="2024-03-25T09:59:26Z" level=info msg="listening (https) on 0.0.0.0:5556"
time="2024-03-25T09:59:26Z" level=info msg="listening (grpc) on 0.0.0.0:5557"
time="2024-03-25T10:06:12Z" level=error msg="Failed to authenticate: missing "name" claim"
time="2024-03-25T13:20:03Z" level=error msg="Failed to authenticate: missing "name" claim"

Author

vodanet commented Mar 28, 2024

I set up argocd and authentik again and configured everything according to the instructions and get the same error with the following logs.

server log:
time="2024-03-28T06:39:31Z" level=info msg="ArgoCD API Server is starting" built="2024-03-18T08:09:23Z" commit=f5d63a5c77d2e804e51ef94bee3db441e0789d00 namespace=argocd port=8080 version=v2.10.4+f5d63a5
time="2024-03-28T06:39:31Z" level=info msg="Starting configmap/secret informers"
time="2024-03-28T06:39:31Z" level=info msg="Configmap/secret informer synced"
time="2024-03-28T06:39:31Z" level=info msg="invalidated cache for resource in namespace: argocd with the name: argocd-notifications-cm"
time="2024-03-28T06:39:31Z" level=info msg="invalidated cache for resource in namespace: argocd with the name: argocd-notifications-secret"
time="2024-03-28T06:39:31Z" level=info msg="Creating client app (argo-cd)"
time="2024-03-28T06:39:31Z" level=info msg="argocd v2.10.4+f5d63a5 serving on port 8080 (url: https://argocd.domain, tls: false, namespace: argocd, sso: true)"
time="2024-03-28T06:39:31Z" level=info msg="Enabled application namespace patterns: argocd"
time="2024-03-28T06:39:31Z" level=info msg="0xc0012fbb60 subscribed to settings updates"
time="2024-03-28T06:39:31Z" level=info msg="Starting rbac config informer"
time="2024-03-28T06:39:31Z" level=info msg="RBAC ConfigMap 'argocd-rbac-cm' added"
time="2024-03-28T06:40:15Z" level=info msg="received unary call /version.VersionService/Version" grpc.method=Version grpc.request.content= grpc.service=version.VersionService grpc.start_time="2024-03-28T06:40:15Z" span.kind=server system=grpc
time="2024-03-28T06:40:15Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Version grpc.service=version.VersionService grpc.start_time="2024-03-28T06:40:15Z" grpc.time_ms=0.784 span.kind=server system=grpc
time="2024-03-28T06:40:15Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.method=Get grpc.request.content= grpc.service=cluster.SettingsService grpc.start_time="2024-03-28T06:40:15Z" span.kind=server system=grpc
time="2024-03-28T06:40:15Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.start_time="2024-03-28T06:40:15Z" grpc.time_ms=1.014 span.kind=server system=grpc
time="2024-03-28T06:40:15Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.method=Get grpc.request.content= grpc.service=cluster.SettingsService grpc.start_time="2024-03-28T06:40:15Z" span.kind=server system=grpc
time="2024-03-28T06:40:15Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.start_time="2024-03-28T06:40:15Z" grpc.time_ms=1.915 span.kind=server system=grpc
time="2024-03-28T06:40:15Z" level=info msg="received unary call /session.SessionService/GetUserInfo" grpc.method=GetUserInfo grpc.request.content= grpc.service=session.SessionService grpc.start_time="2024-03-28T06:40:15Z" span.kind=server system=grpc
time="2024-03-28T06:40:15Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=GetUserInfo grpc.service=session.SessionService grpc.start_time="2024-03-28T06:40:15Z" grpc.time_ms=0.514 span.kind=server system=grpc
time="2024-03-28T06:40:23Z" level=info msg="Initializing OIDC provider (issuer: https://argocd.domain/api/dex)"
time="2024-03-28T06:40:23Z" level=info msg="OIDC supported scopes: [openid email groups profile offline_access]"
time="2024-03-28T06:40:23Z" level=info msg="Performing authorization_code flow login: https://argocd.domain/api/dex/auth?client_id=argo-cd&redirect_uri=https%3A%2F%2Fargocd.domain%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups&state=NfNjvPLcKfvgJFMUjdbIJflm"
time="2024-03-28T06:40:25Z" level=error msg="received error from dex: \n\n \n <meta charset="utf-8">\n <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">\n <title>dex</title>\n <meta name="viewport" content="width=device-width, initial-scale=1.0">\n <link href="static/main.css" rel="stylesheet">\n <link href="theme/styles.css" rel="stylesheet">\n <link rel="icon" href="theme/favicon.png">\n \n\n <body class="theme-body">\n <div class="theme-navbar">\n <div class="theme-navbar__logo-wrap">\n <img class="theme-navbar__logo" src="theme/logo.png">\n \n \n\n <div class="dex-container">\n\n\n<div class="theme-panel">\n <h2 class="theme-heading">Internal Server Error\n

Failed to authenticate: oidc: failed to get token: oauth2: "invalid_client" "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"

\n\n\n \n \n\n\n" security=2
time="2024-03-28T06:40:25Z" level=info msg="received unary call /version.VersionService/Version" grpc.method=Version grpc.request.content= grpc.service=version.VersionService grpc.start_time="2024-03-28T06:40:25Z" span.kind=server system=grpc
time="2024-03-28T06:40:25Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Version grpc.service=version.VersionService grpc.start_time="2024-03-28T06:40:25Z" grpc.time_ms=1.278 span.kind=server system=grpc
time="2024-03-28T06:40:25Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.method=Get grpc.request.content= grpc.service=cluster.SettingsService grpc.start_time="2024-03-28T06:40:25Z" span.kind=server system=grpc
time="2024-03-28T06:40:25Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.start_time="2024-03-28T06:40:25Z" grpc.time_ms=2.03 span.kind=server system=grpc
time="2024-03-28T06:40:25Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.method=Get grpc.request.content= grpc.service=cluster.SettingsService grpc.start_time="2024-03-28T06:40:25Z" span.kind=server system=grpc
time="2024-03-28T06:40:25Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.start_time="2024-03-28T06:40:25Z" grpc.time_ms=1.399 span.kind=server system=grpc
time="2024-03-28T06:40:25Z" level=info msg="received unary call /session.SessionService/GetUserInfo" grpc.method=GetUserInfo grpc.request.content= grpc.service=session.SessionService grpc.start_time="2024-03-28T06:40:25Z" span.kind=server system=grpc
time="2024-03-28T06:40:25Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=GetUserInfo grpc.service=session.SessionService grpc.start_time="2024-03-28T06:40:25Z" grpc.time_ms=0.571 span.kind=server system=grpc

dex-server log:
time="2024-03-28T06:39:30Z" level=info msg="ArgoCD Dex Server is starting" built="2024-03-18T08:09:23Z" commit=f5d63a5c77d2e804e51ef94bee3db441e0789d00 namespace=argocd version=v2.10.4+f5d63a5
time="2024-03-28T06:39:30Z" level=info msg="Generating self-signed TLS certificate for this session"
time="2024-03-28T06:39:30Z" level=info msg="Starting configmap/secret informers"
time="2024-03-28T06:39:30Z" level=info msg="Configmap/secret informer synced"
time="2024-03-28T06:39:30Z" level=info msg="0xc000b62900 subscribed to settings updates"
time="2024-03-28T06:39:30Z" level=info msg="Dex Version: v2.38.0, Go Version: go1.21.6, Go OS/ARCH: linux amd64"
time="2024-03-28T06:39:30Z" level=info msg="config issuer: https://argocd.domain/api/dex"
time="2024-03-28T06:39:30Z" level=info msg="config storage: memory"
time="2024-03-28T06:39:30Z" level=info msg="config static client: Argo CD"
time="2024-03-28T06:39:30Z" level=info msg="config static client: Argo CD CLI"
time="2024-03-28T06:39:30Z" level=info msg="config static client: Argo CD PKCE"
time="2024-03-28T06:39:30Z" level=info msg="config connector: authentik"
time="2024-03-28T06:39:30Z" level=info msg="config skipping approval screen"
time="2024-03-28T06:39:30Z" level=info msg="config refresh tokens rotation enabled: true"
time="2024-03-28T06:39:30Z" level=info msg="keys expired, rotating"
time="2024-03-28T06:39:31Z" level=info msg="keys rotated, next rotation: 2024-03-28 12:39:31.164983009 +0000 UTC"
time="2024-03-28T06:39:31Z" level=info msg="listening (telemetry) on 0.0.0.0:5558"
time="2024-03-28T06:39:31Z" level=info msg="listening (https) on 0.0.0.0:5556"
time="2024-03-28T06:39:31Z" level=info msg="listening (grpc) on 0.0.0.0:5557"
time="2024-03-28T06:40:25Z" level=error msg="Failed to authenticate: oidc: failed to get token: oauth2: "invalid_client" "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)""


tlsabara commented Apr 2, 2024

Hello!

I had the same problem and managed to solve it with the following changes

  • changing the value of "dex.authentik.clientSecret" in secret "argocd-secret", changing the clientSecret to base64 (Ex: echo -n client_secret_string | base64).
  • in the authentik in my redirect url, I applied a regex that validates the domain of the url only, which can be from any uri of the domain (Ex: ^https://argocd\.mydomain\.com\.br/.*$).

I hope it helps.
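
A preflight check for the two changes in the answer above, as an added example that is not part of the thread: it confirms that a value destined for the Secret's `data:` field is base64 of the secret with no trailing newline, and runs a redirect pattern against URIs it should and should not accept. The secret string, the lookalike host, the loose pattern and the `/api/dex/callback` path are constructed for illustration, and `grep -E` stands in for the provider's own regex matching.

```shell
#!/bin/sh
# Added example, not from the thread. The secret string, the lookalike
# host and the dex callback path are constructed placeholders.

# Encode a value for the `data:` field of a Kubernetes Secret.
# printf '%s' emits no trailing newline (same effect as `echo -n`).
encode_secret() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Return 0 only if the base64 value decodes and carries no trailing newline.
secret_is_clean() {
    # The sentinel "x" keeps $(...) from silently dropping a trailing newline.
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf x) || return 1
    decoded=${decoded%x}
    stripped=$(printf '%s' "$decoded")   # $(...) strips trailing newlines
    [ -n "$decoded" ] && [ "$decoded" = "$stripped" ]
}

# Return 0 if redirect URI $2 matches the extended regex $1.
redirect_allowed() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

ANSWER_RE='^https://argocd\.mydomain\.com\.br/.*$'   # pattern from the answer
LOOSE_RE='^https://argocd.mydomain.com.br.*$'        # dots unescaped, no "/" after host
EXACT_RE='^https://argocd\.mydomain\.com\.br/api/dex/callback$'  # assumed path

GOOD=$(encode_secret 'client_secret_string')
BAD=$(echo 'client_secret_string' | base64 | tr -d '\n')  # newline baked in

for v in "$GOOD" "$BAD"; do
    if secret_is_clean "$v"; then echo "clean:   $v"; else echo "suspect: $v"; fi
done

for re in "$ANSWER_RE" "$LOOSE_RE" "$EXACT_RE"; do
    for uri in 'https://argocd.mydomain.com.br/api/dex/callback' \
               'https://argocd.mydomain.com.br.other.invalid/cb'; do
        if redirect_allowed "$re" "$uri"; then r=ALLOW; else r=DENY; fi
        echo "$r  $uri  ($re)"
    done
done
```

A pattern that escapes the dots and requires the `/` after the host rejects the lookalike host; the loose variant accepts it, and the exact-path variant narrows the match to a single callback URL.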

Author

vodanet commented Apr 4, 2024

@tlsabara Thank you!!!
That helped.
Now it works as desired.

@vodanet vodanet closed this as completed Apr 4, 2024