
Google SSO Authentication Permissions Not Working in Argo CD #21668

Closed
artmimois opened this issue Jan 25, 2025 · 1 comment
Labels
bug Something isn't working


artmimois commented Jan 25, 2025

Describe the bug

When logging in via Google SSO, user permissions are not working correctly despite proper RBAC configuration. While authentication is successful, the user account appears to not exist in the system ("account does not exist" error) and has no admin permissions even though they are explicitly granted in the RBAC configuration.

To Reproduce

  1. Configure Argo CD with Google SSO authentication and RBAC as shown in the configurations below
  2. Log in via SSO:
     argocd login argocd-staging.mycompany.com --sso --grpc-web
  3. Try to verify account and permissions:
     argocd account get
     argocd account can-i delete applications '*/*'

Current Configuration

argocd-cm:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  admin.enabled: "true"
  url: https://argocd-staging.mycompany.com
  dex.config: |
    connectors:
      - type: google
        id: google
        name: Google
        config:
          clientID: 7857791-idn5ql0t7sl6mncvel0t7sl0t7sl6mnp5068e.apps.googleusercontent.com #client id is fake
          clientSecret: $dex.google.clientSecret
          redirectURI: https://argocd-staging.mycompany.com/api/dex/callback
          hostedDomains:
            - mycompany.com
          groups:
            - [email protected]

argocd-rbac-cm:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:admin, *, *, */*, allow
    g, [email protected], role:admin

Expected behavior

  1. After successful SSO login, the user account should exist in the system
  2. The user should have admin permissions as defined in the RBAC configuration
  3. The user should be able to perform admin operations (create/delete applications, terminate sync, etc.)

Actual behavior

  1. SSO authentication succeeds:
     Authentication successful
     '[email protected]' logged in successfully
  2. Account appears to not exist:
     argocd account get
     FATA[0000] rpc error: code = NotFound desc = account '[email protected]' does not exist
  3. No admin permissions despite RBAC configuration:
     argocd account can-i delete applications '*/*'
     no

Version Information

argocd: v2.11.4+e1284e1
  BuildDate: 2024-07-02T23:16:22Z
  GitCommit: e1284e19e03c9abab2ea55314b14b1e0381c4045
  GitTreeState: clean
  GoVersion: go1.22.4
  Compiler: gc
  Platform: darwin/arm64
argocd-server: v2.10.9+c071af8
  BuildDate: 2024-04-30T15:53:28Z
  GitCommit: c071af808170bfc39cbdf6b9be4d0212dd66db0c
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v5.2.1 2023-10-19T20:13:51Z
  Helm Version: v3.14.3+gf03cc04
  Kubectl Version: v0.26.11
  Jsonnet Version: v0.20.0
artmimois (Author) commented:

The issue is that the initial configuration is missing explicit scope definitions for group and email claims. Without these scopes, Argo CD’s Dex connector does not request (or properly map) the required user information (such as groups) from Google. Consequently, the RBAC engine never sees the necessary claims to match the policy (for example, mapping “[email protected]” to an admin role).

The fix is to explicitly configure the scopes in both the Dex configuration and the RBAC ConfigMap. The working solution includes:

In the argocd-cm ConfigMap (Dex configuration):

  - Add the userInfoPath to explicitly fetch user details.
  - Specify the required OAuth scopes (openid, profile, and email) so that the token contains the necessary claims.

In the argocd-rbac-cm ConfigMap:

  - Add the scopes: '[groups, email]' field to ensure that Argo CD processes the group and email claims from the token.

# argocd-cm
data:
  dex.config: |
    connectors:
      - type: google
        id: google
        name: Google
        config:
          clientID: 786797547791-...apps.googleusercontent.com
          clientSecret: $dex.google.clientSecret
          redirectURI: https://argocd-staging.mycompany.com/api/dex/callback
          hostedDomains:
            - mycompany.com
          groups:
            - [email protected]
          userInfoPath: "https://www.googleapis.com/oauth2/v3/userinfo"  # Explicit endpoint
          scopes:                                                        # Explicit required scopes
            - openid
            - profile
            - email
# argocd-rbac-cm
data:
  scopes: '[groups, email]'
  policy.csv: |
    g, [email protected], role:admin

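The behaviour described in this thread, as an added example that is not part of the issue or of Argo CD's own code: a small model of how the RBAC engine turns token claims into subjects using the `scopes` setting of argocd-rbac-cm (which defaults to `[groups]`), then matches them against policy.csv. Casbin glob matching is approximated with `fnmatch`, and the token claims and the e-mail `alice@mycompany.com` are constructed.

```python
from fnmatch import fnmatch

# Constructed claims resembling what Dex returns for a Google login when no
# group information is available: the identity is only in the `email` claim.
CLAIMS = {
    "sub": "constructed-subject-id",
    "email": "alice@mycompany.com",
    "groups": [],
}

# Policy in the shape of the one from the issue (e-mail constructed).
POLICY_CSV = """
p, role:admin, *, *, */*, allow
g, alice@mycompany.com, role:admin
"""

def parse_policy(csv_text):
    """Split policy.csv into permission lines (p) and grouping lines (g)."""
    perms, groupings = [], []
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p":
            perms.append(tuple(fields[1:6]))  # role, resource, action, object, effect
        elif fields[0] == "g":
            groupings.append((fields[1], fields[2]))  # subject -> role

    return perms, groupings

def subjects_from_claims(claims, scopes):
    """Collect RBAC subjects from the claims named in `scopes`; list-valued
    claims (groups) contribute one subject per element."""
    subjects = []
    for scope in scopes:
        value = claims.get(scope)
        if isinstance(value, list):
            subjects.extend(value)
        elif value:
            subjects.append(value)
    return subjects

def can_i(claims, scopes, resource, action, obj, csv_text, default_role="role:readonly"):
    """Return True if some matching p-line allows the action for any role the
    subjects map to; fall back to policy.default when no g-line matches."""
    perms, groupings = parse_policy(csv_text)
    subjects = subjects_from_claims(claims, scopes)
    roles = {role for subj, role in groupings if subj in subjects} or {default_role}
    for role, res, act, o, effect in perms:
        if role in roles and fnmatch(resource, res) and fnmatch(action, act) and fnmatch(obj, o):
            return effect == "allow"
    return False
```

With the default `["groups"]` the e-mail never becomes a subject, so the `g` line cannot match and the check falls through to `policy.default`; note also that `argocd account get` only reports local accounts defined in argocd-cm, so the NotFound error for an SSO identity is a separate matter from the permission check.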