
Add domain_hint option in oidc configuration

Open bhargavn-github opened this issue 9 months ago • 2 comments

Summary

We are using Azure Active Directory (AAD) for authentication and authorization. We have integrated Argo CD with Azure AD using oidc config (sample config below without values):

```yaml
oidc.config: |
  name: Azure
  issuer: https://login.microsoftonline.com/
  clientID:
  clientSecret:
  allowedAudiences:
    -
  requestedScopes:
    - openid
```

As we have multiple domains, each time a user tries to log in, the user needs to select which domain to use before the login process continues. This creates some confusion for users about which account to select for which application.

Motivation

As we have multiple domains, each time a user tries to log in to Argo CD, the user needs to select which domain to use before the login process continues. This creates some confusion for users about which account to select for which application. The estimated impact of this issue is a loss of approximately 15 seconds each time a user opens a different application, which happens 15 to 20 times per day depending on profile. We would like to improve this user experience.

Proposal

To solve this issue, we have found an option from Azure: if we send domain_hint with the authentication request, the login process becomes seamless because the right account is picked automatically. We request support for this domain_hint option in Argo CD.

```yaml
oidc.config: |
  name: Azure
  issuer: https://login.microsoftonline.com/
  domain_hint: abc..net
  requestedScopes:
    - openid
```

References: this is already supported in Dex: https://github.com/dexidp/dex/pull/2586

Documentation from Azure: https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#send-the-sign-in-request

> domain_hint: The realm of the user in a federated directory. This skips the email-based discovery process that the user goes through on the sign-in page, for a slightly more streamlined user experience. For tenants that are federated through an on-premises directory like AD FS, this often results in a seamless sign-in because of the existing login session.

bhargavn-github, May 03 '24 10:05
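The proposal above comes down to adding one optional parameter to the authorization request that Argo CD redirects the browser to. As an added example (not Argo CD's own code, nor code from the linked Dex PR), the Go below builds that request from a hypothetical OIDCAuthRequest struct, appends domain_hint only when one is configured, and rejects hint values that are not a plain DNS-style realm so a misconfigured setting cannot inject further query parameters; the Entra ID authorize endpoint path and all sample values are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)
// OIDCAuthRequest is a hypothetical model of one OIDC authorization request;
// DomainHint is the optional Entra ID realm hint this issue asks Argo CD to pass.
type OIDCAuthRequest struct {
	AuthorizeEndpoint                   string // assumed: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize
	ClientID, RedirectURI, State, Nonce string // state and nonce guard against CSRF and ID-token replay
	Scopes                              []string
	DomainHint                          string // optional; left out of the request when empty
}

// Only a DNS-style realm such as "contoso.com" is accepted, so a bad config
// value cannot smuggle extra query parameters into the redirect.
var domainHintPattern = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$`)

// BuildAuthorizeURL assembles the authorization-code-flow redirect URL,
// appending domain_hint only when one is configured and well-formed.
func BuildAuthorizeURL(r OIDCAuthRequest) (string, error) {
	base, err := url.Parse(r.AuthorizeEndpoint)
	if err != nil || base.Scheme != "https" || r.ClientID == "" || r.RedirectURI == "" || r.State == "" || r.Nonce == "" {
		return "", fmt.Errorf("https authorize endpoint, client_id, redirect_uri, state and nonce are all required")
	}
	if r.DomainHint != "" && !domainHintPattern.MatchString(r.DomainHint) {
		return "", fmt.Errorf("invalid domain_hint %q", r.DomainHint)
	}
	q := base.Query()
	q.Set("response_type", "code")
	q.Set("client_id", r.ClientID)
	q.Set("redirect_uri", r.RedirectURI)
	q.Set("scope", strings.Join(r.Scopes, " "))
	q.Set("state", r.State)
	q.Set("nonce", r.Nonce)
	if r.DomainHint != "" {
		q.Set("domain_hint", r.DomainHint)
	}
	base.RawQuery = q.Encode()
	return base.String(), nil
}

func main() {
	u, err := BuildAuthorizeURL(OIDCAuthRequest{AuthorizeEndpoint: "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize",
		ClientID: "argo-cd", RedirectURI: "https://argocd.example.com/auth/callback", Scopes: []string{"openid"}, State: "s1", Nonce: "n1", DomainHint: "contoso.com"}) // constructed sample
	fmt.Println(u, err)
}
```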

@bhargavn-github, I would like to take this up. Thanks!!

/assign

nikzayn, May 13 '24 13:05

Can someone help me here? I have updated the OIDCConfig; after that, should I run `make protogen`, and then update the changes in login.go? I need to add the domainhint check, right?

nikzayn, May 13 '24 15:05