-
Notifications
You must be signed in to change notification settings - Fork 786
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
.spec.sso.dex.openShiftOAuth: true no longer seems to work #1012
Comments
#995 seems like mostly a duplicate of the bug I reported here but I think this bug can still have some merit in that it seems behavior of Since that can be worked around by explicitly setting I looked a bit at the code for openshift-oauth and it is using the basic Golang request.FormValue("client_id") (and previously used request.Form.Get("client_id")) both of which would do one level URI unescaping. So that suggests that what gets sent over the wire is double encoded. |
I figured out how to increase the log level on oauth-openshift so I can see the HTTP requests in its log file and there it looks like the ArgoCD Dex Server request is correct with one level of escaping. I created an issue in the openshift/oauth-server project to maybe get some feedback from there. This was the interesting log snippet from the oauth-openshift pod, as you can see the
|
oauth-openshift or the https://github.com/openshift/osin library looks like the main culprit here. I was able to verify that I got login to work in openshift/oauth-server#136 by reverting one of the commits done there which made some fixes and updated the openshift/osin library to a newer version. |
I'm not sure why but this seems to have magically solved itself last week, presumably due to some auto-update of the Openshift authentication operator or oauth-openshift. Since then I have not been able to reproduce this problem with the code exchange failing. The |
Thanks for reporting @bergner , sure we will take a look at it. |
Describe the bug
Setting
.spec.sso.dex.openShiftOAuth: true
in the ArgoCD CR causes the "Log in via Openshift" button to appear in ArgoCD's UI but clicking that button causes a 400 error onGET https://argocd-server-argocd.apps-crc.testing/auth/login?return_url=https://argocd-server-argocd.apps-crc.testing/applications
with the message:To Reproduce
I have been running ArgoCD on Openshift CRC successfully for a couple of months now but I recently redid my Openshift CRC setup from scratch to increase its dedicated disk size. After installing ArgoCD operator through OperatorHub interface in Openshift I created an "argocd" namespace with
oc create ns argocd
and then provisioned an ArgoCD CR withoc apply -f
on the yaml below.I have v0.7.0 of the operator installed (image: quay.io/argoprojlabs/argocd-operator@sha256:5541a1c2323016b767f53bcadf696ebd199903d2048f7bd2aee377a332ea5f2c)
I also tried adding
.spec.server.url: https://argocd-server-argocd.apps-crc.testing
in the ArgoCD CR but that did not help.Additional information
The
argocd-cm
ConfigMap contains this (plus some other properties that I don't think are related to this):The
argocd-argocd-dex-server
ServiceAccount has the following annotation:Unfortunately I don't have the exact contents of
argocd-cm
andargocd-argocd-dex-server
from before the reinstall of Openshift CRC but at least one theory is that it used to use the Route FQDN and not use "https://argocd-server".I tried setting
--loglevel debug
on both the argocd-server and argocd-dex-server Deployments. I can't see what is happening when I click "Log in via Openshift" but on startup of argocd-dex-server this entry in the log file is interesting (I replaced "\n" with line breaks here for readability). Why isconfig.redirectURI
andstaticClients[0].redirectURIs
completely different for example?Update 1: Setting .spec.server.host
Setting
.spec.server.host: argocd-server-argocd.apps-crc.testing
explicitly gets me further. I do get the Openshift login screen now but after entering credentials there I end up back on the ArgoCD login screen and it says "Login failed". This is the HTTP communication that takes place during the login process:Looking at the argocd-dex-server log file I have this:
In the logs for the oauth-openshift pod in the openshift-authentication namespace I see the following:
Could there be some double encoding going on perhaps where ":" gets encoded as %3A and then %253A, which after decoding once becomes %3A rather than ":"?
Expected behavior
Log in via Openshift works.
The text was updated successfully, but these errors were encountered: