
Request: Argo CD documentation

Open JonasKop opened this issue 2 years ago • 3 comments

Describe your question: I use Authentik for many different services and I'm very impressed with the software. However, I have not managed to get it working with Argo CD. If I could get some guidance on this I would happily update the documentation with a guide for Argo CD.

Relevant info: I deploy argo-cd with a helm chart and I use these OIDC credentials. I have created a provider and an application, similarly to how I've done it before with Grafana/Harbor... The redirect URL I use in Authentik is https://argo-cd.mydomain.com/auth/callback.

server:
  config:
    oidc.config: |
      name: Authentik
      issuer: https://authentik.mydomain.com/application/o/argo-cd/
      clientID: someclientid
      clientSecret: someclientsecret
      requestedIDTokenClaims:
        groups:
          essential: true
      requestedScopes:
        - openid
        - profile
        - email

Steps to reproduce:

  1. Go to your argo-cd web app url which in my case is https://argo-cd.mydomain.com/
  2. Press the "Login via Authentik" button.
  3. You get redirected to this domain https://argo-cd.mydomain.com/auth/login?return_url=https%3A%2F%2Fargo-cd.mydomain.com%2Fapplications
  4. You get this output:
Invalid redirect URL: the protocol and host (including port) must match and the path must be within allowed URLs if provided

I have also tried to add the supplied return_url as a redirect url in authentik, but it makes no difference.

Logs: I cannot find any relevant logs.

Version and Deployment (please complete the following information):

  • authentik helm chart version: 5.2.3
  • authentik version: 2021.12.5
  • Deployment: helm

JonasKop avatar May 14 '22 13:05 JonasKop

I have this same issue following the Keycloak - ArgoCD guide.

taemon1337 avatar Aug 05 '22 16:08 taemon1337

Hello! Do you both still experience the issue? I've just been able to configure ArgoCD to use my Authentik instance as OIDC provider, and am able to login without any issue, let me know if you want some help!

Unyxos avatar Sep 04 '22 15:09 Unyxos

I've been able to get ArgoCD working, both using the CLI and its web interface. I'm writing the doc for it 👍

Unyxos avatar Sep 07 '22 12:09 Unyxos

Hello @Unyxos,

Even if your documentation is not published, I have already followed it.

I have the problem that when I click login via authentik I land on

Failed to query provider "argocd.company/api/dex": 400 Bad Request: 400 Bad Request

Can you help me further? Thanks a lot

fwmarcel avatar Sep 22 '22 16:09 fwmarcel

> Hello @Unyxos,
>
> Even if your documentation is not published, I have already followed it.
>
> I have the problem that when I click login via authentik I land on
>
> Failed to query provider "argocd.company/api/dex": 400 Bad Request: 400 Bad Request
>
> Can you help me further?
>
> Thanks a lot

Hey sure! I didn't have time to fix the PR yet but we can definitely check that out together! Are you on authentik's discord server by any chance?

Unyxos avatar Sep 22 '22 16:09 Unyxos

> > Hello @Unyxos, Even if your documentation is not published, I have already followed it. I have the problem that when I click login via authentik I land on Failed to query provider "argocd.company/api/dex": 400 Bad Request: 400 Bad Request Can you help me further? Thanks a lot
>
> Hey sure! I didn't have time to fix the PR yet but we can definitely check that out together! Are you on authentik's discord server by any chance?

Uhh, thanks for the offer and the quick reply. However, I'm on the road right now. I'm wondering especially about the redirect URL http://localhost:8085/auth/callback

fwmarcel avatar Sep 22 '22 16:09 fwmarcel

Oh no worries haha, let me know when you're free I'll try to dig on my end to find what could be happening 👍

Unyxos avatar Sep 22 '22 17:09 Unyxos

Hello,

I am currently a little further along. ArgoCD now forwards me to authentik and back, however with the error "Login failed."

In the log of Dex I find the following entry:

level=error msg="Failed to authenticate: oidc: failed to get token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {"error": "invalid_client", "error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)\

fwmarcel avatar Sep 23 '22 09:09 fwmarcel

> I have this same issue following the Keycloak - ArgoCD

Same here

iluwatar avatar Sep 26 '22 14:09 iluwatar

Hi @iluwatar! Have you been able to try by following the steps in my MR (https://github.com/goauthentik/authentik/pull/3553)? I'm able to login both through the web interface & CLI after doing that.

@fwmarcel Did you manage to fix the issue? If not, do you mind sharing some details on what configuration exactly you applied?

Unyxos avatar Sep 30 '22 19:09 Unyxos

Hi @Unyxos, unfortunately I am not yet any further with the error here. Dex says: Failed to authenticate: oidc: failed to get token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {"error": "Invalid_client", "error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)

I deploy ArgoCD using the Helm chart, which I have extended with the following configuration. The domain is changed; everything else, like https, is the same.

configs:
  secret:
    extra:
      dex.authentik.clientSecret: NGUxOTAzN2NiOWVjMDhkOGE4ZjhlNzRjNDhiZmQwNDNjMmE5YjQwMTEwYzgwNGQ1MmE3MjVhYTk2MjcxOTE5YTEyZmEwNDI3Yjk1NjQyZWQ0Y2JiMjY1MTRiYjc1NTAyN2ZlYmE4MTc3NjM1MjdkYTUzNGE2ZmY1ZmU0ODkzNjU=

  config:
    url: https://argocd.local.domain
    dex.config: |
      connectors:
      - name: Authentik
        type: oidc
        id: authentik
        config:
          issuer: https://authentik.local.domain/application/o/argocd/
          clientID: cab466c110c3f8f911d802e4b0cc1dcf385e94bc
          clientSecret: $dex.authentik.clientSecret
          insecureEnableGroups: true
          scopes:
            - openid
            - profile
            - email
            - groups

  rbacConfig:
    policy.csv: |
      g, ArgoCD Admins, role:admin

In Authentik, I created an application and provider with the following configuration values:

Name: ArgoCD
Signing Key: Any
Redirect URIs:
  https://argocd.local.domain/api/dex/callback
  http://localhost:8085/auth/callback

I also created a group called "ArgoCD Admins" in Authentik.

fwmarcel avatar Oct 01 '22 09:10 fwmarcel

Hey @fwmarcel, just wondering, are you using a self-signed certificate to serve authentik? If you happen to be able to have a look at the dex pod logs, or the argocd server pod, it might contain useful info. I remember I had an issue because I use ZeroSSL to generate my TLS certs 🧐

Unyxos avatar Oct 01 '22 09:10 Unyxos

Hey @Unyxos, yes, Authentik and also ArgoCD are secured via Ingress with LetsEncrypt certificates. In Authentik itself I use one of the already existing certificates named "authentik Self-signed Certificate". In the log of ArgoCD Server and Dex nothing else can be seen except the error message from above. The log is unfortunately not very talkative and helpful.

fwmarcel avatar Oct 01 '22 09:10 fwmarcel

Oh damn, that's super strange, I wish I ran into this myself... I'll try to install a fresh new authentik + argocd and try to replicate the issue!

Unyxos avatar Oct 01 '22 09:10 Unyxos

Thank you for your efforts. If I can still support in any way, let me know.

fwmarcel avatar Oct 01 '22 09:10 fwmarcel

BTW, if that can help, here's my configuration:

argocd-secret

...
data:
  dex.authentik.clientSecret: >-
    dGhpcyBteSBzZWNyZXQgaGVoZQ==
...

argocd-cm

...
data:
  dex.config: |
    connectors:
    - config:
        issuer: https://sso.xxxxxxxx.xxx/application/o/argocd/
        clientID: blablablablablablablabla
        clientSecret: $dex.authentik.clientSecret
        insecureEnableGroups: true
        scopes:
          - openid
          - profile
          - email
          - groups
      name: Authentik
      type: oidc
      id: authentik
  url: https://argocd.xxxxxxxx.xxx
...

argocd-rbac-cm

...
data:
  policy.csv: |
    g, ArgoCD Admins, role:admin
...

In authentik, here's my provider config: [image]. I just realized that in the "Advanced protocol settings" I have "email", "openid" and "profile" selected, but I believe this is a default value...

As for the ArgoCD Application in authentik, I have the following: [image]

Also, might be a stupid question, but sometimes when I modify the dex config I have to restart the argocd dex server pod for some reason... did you try that? :(

Unyxos avatar Oct 01 '22 10:10 Unyxos

Hi @Unyxos, thanks for your config. I do not see any differences from my configuration, neither in Authentik nor in ArgoCD. I have already restarted the server, but without success :|

fwmarcel avatar Oct 01 '22 15:10 fwmarcel

For me, this only worked when dex.authentik.clientSecret was not base64 encoded. If not, I was seeing the same errors as @fwmarcel, and digging into the authentik logs I could see it was complaining about an invalid client secret.

ArgoCD version 2.5.9, Authentik 2023.1.2

neilmfrench avatar Jan 29 '23 20:01 neilmfrench
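As an added check (example code, not from the thread or from the Argo CD or authentik projects): the invalid_client error above fits a client secret that was base64-encoded once more than Kubernetes expects, so Dex hands authentik the encoded string instead of the secret. The function below classifies the `data` value of the Secret (as printed by `kubectl get secret argocd-secret -o jsonpath='{.data.dex\.authentik\.clientSecret}'`) and runs here against constructed sample values.

```shell
# Classify a Kubernetes Secret `data` value for the Dex client secret:
#   ok             - decodes to a plain client secret
#   double-encoded - decodes to text that is itself base64 (the thread's case)
#   invalid        - not valid base64 at all

# base64-encode a string without line wrapping (portable across GNU/BSD base64)
encode_once() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# decode one base64 layer; fails if the input is not valid base64
decode_once() {
  printf '%s' "$1" | base64 -d 2>/dev/null
}

# true if the string is syntactically base64 and decodes to printable text
looks_like_base64_text() {
  s=$1
  printf '%s' "$s" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
  [ $(( ${#s} % 4 )) -eq 0 ] || return 1
  decode_once "$s" >/dev/null || return 1
  # a non-printable byte in the decoded output means it is a raw (binary) secret
  [ "$(decode_once "$s" | tr -d '[:print:]' | wc -c | tr -d ' ')" -eq 0 ]
}

secret_encoding_status() {
  looks_like_base64_text "$1" || { echo invalid; return 0; }
  inner=$(decode_once "$1")
  if looks_like_base64_text "$inner"; then
    echo double-encoded
  else
    echo ok
  fi
}

# Constructed sample values (not real credentials):
SAMPLE_SECRET='s3cr3t-example-client-secret'
SINGLE=$(encode_once "$SAMPLE_SECRET")   # what the Secret should hold
DOUBLE=$(encode_once "$SINGLE")          # what base64 in configs.secret.extra yields

echo "single: $(secret_encoding_status "$SINGLE")"   # ok
echo "double: $(secret_encoding_status "$DOUBLE")"   # double-encoded
```

If the check reports double-encoded, store the raw secret value (or use stringData) and let Kubernetes do the single base64 layer.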

@neilmfrench

How did you end up getting the secret to not be base64 encoded? I found the same thing, the only way I could get this to work was by manually setting the value of clientSecret to the real value, not referencing a kubernetes secret, however this isn't at all ideal as I would need to push the secret to a repository.

ashmantis1 avatar Aug 29 '23 04:08 ashmantis1

> @neilmfrench
>
> How did you end up getting the secret to not be base64 encoded? I found the same thing, the only way I could get this to work was by manually setting the value of clientSecret to the real value, not referencing a kubernetes secret, however this isn't at all ideal as I would need to push the secret to a repository.

I use Flux to manage my secrets so I can push encrypted strings to repositories.

neilmfrench avatar Aug 29 '23 06:08 neilmfrench