OIDC: PKCE Incorrectly Uses Base Redirect URL for ArgoCD Hosted Under Custom Path #18045

Closed
ptr1120 opened this issue May 1, 2024 · 16 comments · Fixed by #20202
Labels
bug Something isn't working component:auth type:bug

Comments

ptr1120 commented May 1, 2024

Checklist:

  • [x] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • [x] I've included steps to reproduce the bug.
  • [x] I've pasted the output of argocd version.

Describe the bug

I'm hosting ArgoCD at a custom base path (mycompany.org/infra/argocd) and using Keycloak as an external IdP. The configuration functions as expected until I enable PKCE (Proof Key for Code Exchange). Specifically, when enablePKCEAuthentication is set to true in the argocd-cm config map, the ArgoCD frontend incorrectly uses window.location.origin as the redirect URL, as demonstrated in the getPKCERedirectURI function located in utils.ts.

To Reproduce

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  url: https://mycompany.org/infra/argocd/
  enablePKCEAuthentication: "true"   # ConfigMap values must be strings, an unquoted bool is rejected by the API server
  oidc.config: >-
    name: Keycloak
    issuer: https://<redacted>
    clientID: <redacted>
    clientSecret: $oidc.keycloak.clientSecret
    requestedScopes:
    - openid
    - profile
    - email
    - roles
    logoutURL: https://<redacted>/protocol/openid-connect/logout?redirect_uri={{logoutRedirectURL}}&id_token_hint={{token}}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cmd-params-cm
data:
  # data is a map of key: value, not a list of key=value entries
  server.rootpath: /infra/argocd
  server.basehref: /infra/argocd

  • Click on Login via Keycloak button

Expected behavior

ArgoCD should respect one of the configured parameters (server.rootpath, server.basehref, or url from the argocd-cm or argocd-cmd-params-cm config map) to determine the correct base URL for redirects.

Version

v2.11.0-rc3+20fd621
ptr1120 added the bug label May 1, 2024

Marvin9 (Contributor) commented May 1, 2024

So the expected redirect url should be https://mycompany.org/infra/argocd/pkce/verify instead of https://mycompany.org/pkce/verify?

ptr1120 (Author) commented May 2, 2024

Exactly, it should be https://mycompany.org/infra/argocd/pkce/verify

Marvin9 (Contributor) commented May 2, 2024

Thanks @ptr1120 , normally if you navigate through pages does that prefix /infra/argocd is preserved in your browser URL?

ptr1120 (Author) commented May 2, 2024

Yes @Marvin9, it is preserved in my browser URL, but window.location.origin seems to be only about the host part of the URL. See also the attached screenshot.

Marvin9 (Contributor) commented May 2, 2024

Alright thanks. Then the only problem to solve is to discover the root URL in browser and then we can pass to the function mentioned in the issue. I will look into this once I get time.
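The behaviour discussed in the comments above (origin-only redirect versus a redirect that honours the sub-path), as an added example that is not Argo CD's own code. It assumes the frontend can read the configured base href from `document.baseURI` (the `<base href>` Argo CD renders from `server.basehref`); the hostname, paths and the IdP's registered-URI list are constructed for the demo.

```javascript
// Added example, not Argo CD's own code: why building the PKCE redirect URI from
// window.location.origin loses a sub-path, and how resolving it against the
// configured base href (server.basehref, exposed to the page via <base href>)
// yields the URI the IdP actually has registered.
// Host, paths and the registered-URI list are constructed for this demo.

const PKCE_CALLBACK_PATH = "pkce/verify";

// Buggy variant: origin is scheme://host[:port] only, so any path prefix is dropped.
function redirectURIFromOrigin(location) {
  return `${location.origin}/${PKCE_CALLBACK_PATH}`;
}

// Fixed variant: resolve the callback path relative to the base href.
// A trailing slash on the base is required, otherwise URL() would replace
// the last path segment ("/infra/argocd" -> "/infra/pkce/verify").
function redirectURIFromBaseHref(location, baseHref) {
  const normalizedBase = baseHref.endsWith("/") ? baseHref : `${baseHref}/`;
  const base = new URL(normalizedBase, location.origin);
  return new URL(PKCE_CALLBACK_PATH, base).href;
}

// In a browser the base href would come from document.baseURI (assumed here);
// in Node there is no document, so fall back to "/" to keep the example stand-alone.
function currentBaseHref() {
  if (typeof document !== "undefined" && document.baseURI) {
    return new URL(document.baseURI).pathname;
  }
  return "/";
}

// What the IdP does with redirect_uri: exact match against its allow-list.
// A URI that is not registered is rejected before any code is issued.
function idpAcceptsRedirect(registeredRedirectURIs, redirectURI) {
  return registeredRedirectURIs.includes(redirectURI);
}

// Reproduce the report: Argo CD served under /infra/argocd, the IdP has the
// sub-path callback registered, the frontend builds the redirect from origin only.
function demo() {
  const location = { origin: "https://mycompany.org" };                  // constructed
  const baseHref = "/infra/argocd";                                        // server.basehref
  const registered = ["https://mycompany.org/infra/argocd/pkce/verify"];  // constructed

  const buggy = redirectURIFromOrigin(location);
  const fixed = redirectURIFromBaseHref(location, baseHref);
  return {
    buggy,
    fixed,
    buggyAccepted: idpAcceptsRedirect(registered, buggy),
    fixedAccepted: idpAcceptsRedirect(registered, fixed),
    defaultBaseHref: currentBaseHref(),
  };
}

console.log(demo());
```

Running it under Node prints the origin-only URI `https://mycompany.org/pkce/verify` (rejected by the constructed allow-list) next to `https://mycompany.org/infra/argocd/pkce/verify` (accepted). The same resolution works when Argo CD is served at the root, because a base href of `/` simply yields the origin-only URI.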

ptr1120 (Author) commented May 2, 2024

thanks @Marvin9

michaelajr commented

Just found this - and it is blocking a big release for us. We're moving from the bundled dex to our company IdP. When NOT using PKCE the redir is constructed correctly - E.g., /argocd/auth/callback

Any chance a fix for this is in the works @Marvin9 ?

michaelajr commented

To clarify: we were using Dex previously and we added the redirectURI to the connectors config, which is probably why the redirect contained the correct path. I actually do not know if the path is added when using the oidc.config, PKCE or otherwise. Probably not. But this is a real issue for us as we are planning to use the oidc.config with PKCE.

michaelajr commented

One more thing - the path is not taken into account when redirecting to /applications after the flow succeeds. It should. For now I have worked around both these issues by adding redirects on the ALB:

  • /pkce/verify -> /argocd/pkce/verify
  • /applications -> /argocd/applications

Seems to work. But very much looking forward to a fix for this soon.

Marvin9 (Contributor) commented Aug 3, 2024

Sorry for inactivity on this issue. The fix is pretty straightforward and I have tried once. But I wasn't able to properly test in my local environment as far as I remember (mostly due to the sub-path configuration). Happy to raise a PR if you would be able to verify its functioning.

michaelajr commented Aug 3, 2024

Could probably just use the settings from the argocd server params to construct the URL. Example:

configs:
  params:
    server.rootpath: /argocd

michaelajr commented Aug 4, 2024

I will also add that the session expiration flow seems to not take into account PKCE when enabled. Tries to re-auth using /auth/callback without "code" flow. And the PKCE error page does not link back to /login using the base path. So lots to fix in this. We'll try to make a contribution. If we can.

michaelajr commented Sep 10, 2024

To recap all the issues here:

  • Base path is not taken into account when constructing the /pkce/verify path.
  • Base path is not taken into account when constructing the /applications path when the PKCE flow succeeds.
  • When the OIDC token expires, it does not seem to use the PKCE flow to re-auth. Sends the callback as /auth/callback and the IdP responds with the error "code challenge is required".
    • ...then, the Argocd PKCE error page has a link to /login that does not take into account the base path.

austin5219 (Contributor) commented

@Marvin9 your PR does not address when the token expires; the user is always sent to Dex even if PKCE is set and configured.

reggie-k (Member) commented Oct 8, 2024

@ptr1120 Could you share your Valid post logout redirect URIs in Keycloak? Also, was any other PKCE related config in ArgoCD/Keycloak changed?

austin5219 (Contributor) commented

closed by #20202
