
WebUI PKCE auth flow not working as expected in v2.9 #16592

Closed
Kerwood opened this issue Dec 11, 2023 · 10 comments
Labels
bug Something isn't working

Comments

@Kerwood
Contributor

Kerwood commented Dec 11, 2023

Describe the bug


tldr; The PKCE auth flow only works if you checkout the master branch and not on any of the v2.9.* tags.


In the v2.9.0 release, @Marvin9 added support for using authorization code flow with PKCE in the webUI ❤️ , which is lovely.

Unfortunately it does not seem to work in v2.9.* as expected.
If I clone the argo-cd repo and start a local instance from the master branch it works as expected. But if I check out any of the v2.9.* tags and run it locally again, the PKCE auth flow is not utilized.
I think the "if" statement here does not validate the enablePKCEAuthentication config correctly for some reason.

Below is the config I am using for my local instance.

Keep in mind that the PKCE flow does not actually work with Azure, because Azure is non-compliant with RFC8414 and the /.well-known/openid-configuration endpoint is missing the code_challenge_methods_supported property. But that is another issue.

```yaml
data:
  admin.enabled: "false"
  oidc.config: |
    name: Azure
    enablePKCEAuthentication: true
    issuer: https://login.microsoftonline.com/<tenant-id>/v2.0
    clientID: <client-id>
    requestedIDTokenClaims:
      groups:
        essential: true
    requestedScopes:
      - openid
      - profile
      - email
```

With the above config, running argocd locally with the make start command on the master branch, the PKCE auth flow is triggered and you should see the error below if using Azure as an IDP.

[screenshot omitted]

If I do a git checkout v2.9.3 and start up argocd again, it will use the auth code flow without PKCE and in my case Azure will provide the following error, because it was expecting the PKCE flow.

[screenshot omitted]

@Kerwood Kerwood added the bug Something isn't working label Dec 11, 2023
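An added example, not argo-cd code, showing the preflight check an operator can run against an IdP's discovery document before enabling PKCE: whether code_challenge_methods_supported advertises S256, the property the post says Azure omits. The two sample documents and the example.test hostnames are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// discovery holds the subset of an OIDC / RFC 8414 discovery document this check needs.
type discovery struct {
	Issuer               string   `json:"issuer"`
	CodeChallengeMethods []string `json:"code_challenge_methods_supported"`
}

// pkceS256Supported parses a discovery document and reports whether the server
// advertises the S256 code challenge method; the string explains a negative result.
// RFC 8414 states that when the property is omitted, the server does not support PKCE.
func pkceS256Supported(doc []byte) (bool, string) {
	var d discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return false, "discovery document is not valid JSON: " + err.Error()
	}
	if d.CodeChallengeMethods == nil {
		return false, "code_challenge_methods_supported is absent, so PKCE is unsupported per RFC 8414"
	}
	for _, m := range d.CodeChallengeMethods {
		if m == "S256" {
			return true, ""
		}
	}
	return false, fmt.Sprintf("S256 not in code_challenge_methods_supported: %v", d.CodeChallengeMethods)
}

// Constructed sample documents (not real IdP responses): one that advertises S256,
// and one that omits the property entirely, as the issue reports for Azure.
const compliantDoc = `{"issuer":"https://idp.example.test","code_challenge_methods_supported":["S256","plain"]}`
const missingDoc = `{"issuer":"https://login.example.test/v2.0","authorization_endpoint":"https://login.example.test/oauth2/v2.0/authorize"}`

func main() {
	for _, doc := range []string{compliantDoc, missingDoc} {
		if ok, reason := pkceS256Supported([]byte(doc)); ok {
			fmt.Println("S256 advertised; PKCE authorization code flow can be enabled")
		} else {
			fmt.Println("PKCE check failed:", reason)
		}
	}
}
```

In practice the document is fetched from the issuer's /.well-known/openid-configuration URL and passed to pkceS256Supported.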
@Marvin9
Contributor

Marvin9 commented Dec 13, 2023

If I understood correctly, the error should be explanatory that PKCE is not supported by the IDP?

@K4pper

K4pper commented Dec 15, 2023

@Marvin9 The error of the IDP only happens when you check out the master branch, but if you check out v2.9.3 you get the error shown at the end of the post, therefore it seems that argo isn't attempting to use the PKCE flow.

@Kerwood
Contributor Author

Kerwood commented Dec 15, 2023

> If I understood correctly, the error should be explanatory that PKCE is not supported by the IDP?

No.. The error Authorization Server does not support S256 code challenge method is because Azure does not comply with RFC8414, which is not what this issue is about.

The issue here is that the PKCE auth flow only works on the master branch, not if you check out any of the v2.9.* tags.

> @Marvin9 The error of the IDP only happens when you check out the master branch, but if you check out v2.9.3 you get the error shown at the end of the post, therefore it seems that argo isn't attempting to use the PKCE flow.

Correct.

@crenshaw-dev
Member

> The issue here is that the PKCE auth flow only works on the master branch, not if you check out any of the v2.9.* tags.

Correct. This feature won't be released until Monday, with 2.10.0-rc1.

@Kerwood
Contributor Author

Kerwood commented Dec 16, 2023

@crenshaw-dev
If you look at https://github.com/argoproj/argo-cd/releases/tag/v2.9.0 you will see the PKCE feature in the list.

[screenshot omitted]

@crenshaw-dev
Member

@Kerwood the number of commits was so high that it broke GitHub's release note generation tool, so I used my own script. My script sucks, and I haven't had time to fix either it or the list it generated. 😛

@Kerwood
Contributor Author

Kerwood commented Dec 18, 2023

That explains it.
Is there any way for us to check if a given PR is in a specific release? I can't really seem to figure out where to look for it. @crenshaw-dev

@crenshaw-dev
Member

Not a good way. I usually look at the merge date and compare it to the release date of rc-1 releases.

@michael-basil

michael-basil commented Dec 18, 2023

We have the PKCE flow working with Azure with other applications (like kubectl and various other mobile/Javascript applications) ... Is there a workaround for ...

> Keep in mind that the PKCE flow does not actually work with Azure, because Azure is non-compliant with RFC8414 and the /.well-known/openid-configuration endpoint is missing the code_challenge_methods_supported property. But that is another issue.

I have hit the Authorization Server does not support S256 code challenge method blocker.

For reference:

@Kerwood
Contributor Author

Kerwood commented Dec 19, 2023

@michael-basil
Currently with the feature provided, Azure is not supported because of this.
I will create another issue for the purpose.

@Kerwood Kerwood closed this as completed Dec 19, 2023