feat: PKCE authentication flow for web logins #9890

[Marvin9]

Closes #9890

This PR implements browser only PKCE flow for sso authentication.

It adds new attribute to the oidc config to enable the feature

# argocd-cm
oidc.config: |
      name: dex
      issuer: http://localhost:4000/api/dex
      clientID: argo-cd-pkce
      requestedScopes: ["openid", "profile", "email", "groups"]
      enablePKCEAuthentication: true

Flow in UI if PKCE enabled

Login:

• gets oidc configuration - clientID, issuer, scopes
• generates random code verifier
• calculate code challenge with code verifier
• save code verifier in browser session
• redirects to Idp with code challenge and other required metadata

consent screen callback to - <argocd>/pkce/verify - again thats the UI page which then get authorization code and asks Idp for user token

• extract code from query parameters
• get code verifier from browser session
• asks authorization server for token - with authorization code + code verifier
• set id_token in cookie

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• Optional. My organization is added to USERS.md.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines. - not sure about this one
• I have added a brief description of why this PR is necessary and/or what this PR solves.

[codecov]

Codecov Report

All modified lines are covered by tests ✅

Comparison is base (d4fa84e) 49.69% compared to head (9e4d016) 49.70%.
Report is 3 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #15889   +/-   ##
=======================================
  Coverage   49.69%   49.70%           
=======================================
  Files         267      267           
  Lines       46351    46371   +20     
=======================================
+ Hits        23036    23048   +12     
- Misses      21054    21063    +9     
+ Partials     2261     2260    -1     

Files	Coverage Δ
util/dex/config.go	86.91% <100.00%> (+1.05%)	⬆️
util/settings/settings.go	50.14% <100.00%> (+0.03%)	⬆️

... and 3 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Marvin9]

@crenshaw-dev @jessesuen Can you please take a look or add relevant reviewers?

[jessesuen]

@Marvin9 I see that the example config adds the option to oidc.config:

# argocd-cm
oidc.config: |
      name: dex
      issuer: http://localhost:4000/api/dex
      clientID: argo-cd-pkce
      requestedScopes: ["openid", "profile", "email", "groups"]
      enablePKCEAuthentication: true

Does this imply we don't support PKCE for someone using dex.config?

[Marvin9]

@Marvin9 I see that the example config adds the option to oidc.config:

# argocd-cm
oidc.config: |
      name: dex
      issuer: http://localhost:4000/api/dex
      clientID: argo-cd-pkce
      requestedScopes: ["openid", "profile", "email", "groups"]
      enablePKCEAuthentication: true

Does this imply we don't support PKCE for someone using dex.config?

I forgot that case. Please confirm that I understood this correct, what you are saying is the configuration of only OIDC from dex.config right?

data:
  url: "https://argocd.example.com"
  dex.config: |
    connectors:
      # OIDC
      - type: oidc
        id: oidc
        name: OIDC
        config:
          issuer: https://example-OIDC-provider.com
          clientID: aaaabbbbccccddddeee
          clientSecret: $dex.oidc.clientSecret

[jessesuen]

What I meant was: when users use the bundled dex, today we generate a dex config for them with pre-defined staticClients like:

staticClients:
- id: argo-cd
  name: Argo CD
  redirectURIs:
  - https://cd.demo.akuity.io/auth/callback
  secret: xxxxxxxxxxxxxxxxxxxxx        # this is automatically generated for them
- id: argo-cd-cli
  name: Argo CD CLI
  public: true
  redirectURIs:
  - http://localhost
  - http://localhost:8085/auth/callback

In order to support pkce web login when used with Argo CD's bundled dex, we need to:

1. set public: true for the argo-cd entry (just like we do for the argo-cd-cli entry)
2. not set a secret for the argo-cd entry

However, this behavior needs to be controlled with a new knob. As discussed offline, I think for this PR, support for dex.config can be considered out of scope.

[Marvin9]

@jessesuen forgot to tell that I have added static client as well for PKCE

[rpelczar]

UI LGTM