An authentication error occurs when use v1.8.2

[ktarow]

Problem

Today, I updated argocd in brew (v1.8.1 to v1.8.2).

When using argocd after updating to v1.8.2, an authentication error occurs even though the user has just logged in.

[~] (⎈ |argocd:argocd)
$ argocd login --grpc-web --sso ***
Opening browser for authentication
Performing authorization_code flow login: ***
Authentication successful
'ktarow' logged in successfully
Context '***' updated

[~] (⎈ |argocd:argocd)
$ argocd version
argocd: v1.8.2+94017f2.dirty
  BuildDate: 2021-01-10T06:49:46Z
  GitCommit: 94017f2c8d97588d4aa2213713a71d51005ed62d
  GitTreeState: dirty
  GoVersion: go1.15.6
  Compiler: gc
  Platform: darwin/amd64
FATA[0000] oauth2: cannot fetch token: 400 Bad Request
Response: {"error_description":"unsupported_grant_type","error":"invalid_grant"}

After downgrading the argocd binary to v1.8.1, this problem no longer occurs.

[~] (⎈ |argocd:argocd)
$ argocd login --grpc-web --sso ***
Opening browser for authentication
Performing authorization_code flow login: ***
Authentication successful
'ktarow' logged in successfully
Context '***' updated

[~] (⎈ |argocd:argocd)
$ argocd version
argocd: v1.8.1+c2547dc.dirty
  BuildDate: 2020-12-10T04:44:20Z
  GitCommit: c2547dca95437fdbb4d1e984b0592e6b9110d37f
  GitTreeState: dirty
  GoVersion: go1.15.5
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v1.8.2+94017f2
  BuildDate: 2021-01-10T05:40:54Z
  GitCommit: 94017f2c8d97588d4aa2213713a71d51005ed62d
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: v3.8.1 2020-07-16T00:58:46Z
  Helm Version: v3.4.1+gc4e7485
  Kubectl Version: v1.17.8
  Jsonnet Version: v0.17.0

Do you know anything about the cause of this problem？

[alexmt]

hello @ktarow ,

It might be related to Dex upgrade. Dex was upgraded from v2.22.0 to v2.27.0 (To fix SAML connector vulnerability) . Do you use dex to connect to OAuth2 ?

[jessesuen]

@ktarow was the backend updated along with CLI?

[ktarow]

Hello @alexmt

Thanks for the reply.

hello @ktarow ,

It might be related to Dex upgrade. Dex was upgraded from v2.22.0 to v2.27.0 (To fix SAML connector vulnerability) . Do you use dex to connect to OAuth2 ?

In our environment, we do not use Dex, but use the "Existing OIDC Provider".

[ktarow]

Hello @jessesuen

@ktarow was the backend updated along with CLI?

Yes. In our environment, the backend has already been updated to v1.8.2.
After the update, the problem was reported by a team member who also updated the CLI.

I updated the CLI in my laptop environment, and the problem was reproduced, so I reported to this discussion.

[jessesuen]

So, v1.8.2 server works but requires an older CLI? Could you identify which version broke it? (i.e. does v1.8.1 work?)

Possibly related: 64e1c38

[ktarow]

An error occurs when argocd-server is v1.8.2 and argocd is v1.8.2.

On the other hand, no error occurs when argocd-server is v1.8.2 and argocd is v1.8.1.

I just downloaded the binary from Git again and execute it.
The result is as follows.

argocd-server: v1.8.2, argocd: v1.8.2

[~/Downloads] (⎈ |argocd-beta:argocd)
$ ./argocd-darwin-amd64-v1.8.2 login --grpc-web --sso ***
Opening browser for authentication
Performing authorization_code flow login: https://***
Authentication successful
'ktarow' logged in successfully
Context '***' updated

[~/Downloads] (⎈ |argocd-beta:argocd)
$ ./argocd-darwin-amd64-v1.8.2 version
argocd: v1.8.2+94017f2
  BuildDate: 2021-01-10T05:42:03Z
  GitCommit: 94017f2c8d97588d4aa2213713a71d51005ed62d
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: darwin/amd64
FATA[0000] oauth2: cannot fetch token: 400 Bad Request
Response: {"error_description":"unsupported_grant_type","error":"invalid_grant"}j

argocd-server: v1.8.2, argocd: v1.8.1

[~/Downloads] (⎈ |argocd-beta:argocd)
$ ./argocd-darwin-amd64-v1.8.1 login --grpc-web --sso ***
Opening browser for authentication
Performing authorization_code flow login: ***
Authentication successful
'ktarow' logged in successfully
Context '***' updated

[~/Downloads] (⎈ |argocd-beta:argocd)
$ ./argocd-darwin-amd64-v1.8.1 version
argocd: v1.8.1+c2547dc
  BuildDate: 2020-12-10T03:00:31Z
  GitCommit: c2547dca95437fdbb4d1e984b0592e6b9110d37f
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v1.8.2+94017f2
  BuildDate: 2021-01-10T05:40:54Z
  GitCommit: 94017f2c8d97588d4aa2213713a71d51005ed62d
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: v3.8.1 2020-07-16T00:58:46Z
  Helm Version: v3.4.1+gc4e7485
  Kubectl Version: v1.17.8
  Jsonnet Version: v0.17.0

[kshamajain99]

@ktarow Could you try using latest release version v1.8.3 and see if it fixed the problem.
As mentioned above, the problem might possibly be related to 64e1c38

[kshamajain99]

@ktarow Could you let us know if it works for you?

[ktarow]

I have checked after updating to v1.8.3, and the same error is occurring.

I am in the process of reviewing the idp settings now.

[~/Downloads] (⎈ |argocd-beta:argocd)
$ ./argocd-darwin-amd64-v1.8.1 version
argocd: v1.8.1+c2547dc
  BuildDate: 2020-12-10T03:00:31Z
  GitCommit: c2547dca95437fdbb4d1e984b0592e6b9110d37f
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v1.8.3+0f9c684
  BuildDate: 2021-01-21T22:20:39Z
  GitCommit: 0f9c68427882bf4633d395cbfcd7c9271795fd9b
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: v3.8.1 2020-07-16T00:58:46Z
  Helm Version: v3.4.1+gc4e7485
  Kubectl Version: v1.17.8
  Jsonnet Version: v0.17.0

[~/Downloads] (⎈ |argocd-beta:argocd)
$ ./argocd-darwin-amd64-v1.8.2 version
argocd: v1.8.2+94017f2
  BuildDate: 2021-01-10T05:42:03Z
  GitCommit: 94017f2c8d97588d4aa2213713a71d51005ed62d
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: darwin/amd64
FATA[0000] oauth2: cannot fetch token: 400 Bad Request
Response: {"error_description":"unsupported_grant_type","error":"invalid_grant"}

[~/Downloads] (⎈ |argocd-beta:argocd)
$ ./argocd-darwin-amd64-v1.8.3 version
argocd: v1.8.3+0f9c684
  BuildDate: 2021-01-21T22:21:47Z
  GitCommit: 0f9c68427882bf4633d395cbfcd7c9271795fd9b
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: darwin/amd64
FATA[0000] oauth2: cannot fetch token: 400 Bad Request
Response: {"error_description":"unsupported_grant_type","error":"invalid_grant"}

[ktarow]

I reviewed the idp settings and now I get another error

[~/Downloads] (⎈ |argocd-beta:argocd)
$ ./argocd-darwin-amd64-v1.8.2 login --grpc-web --sso ***
Opening browser for authentication
Performing authorization_code flow login: ***
Authentication successful
'ktarow' logged in successfully

[~/Downloads] (⎈ |argocd-beta:argocd)
$ ./argocd-darwin-amd64-v1.8.1 version
argocd: v1.8.1+c2547dc
  BuildDate: 2020-12-10T03:00:31Z
  GitCommit: c2547dca95437fdbb4d1e984b0592e6b9110d37f
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v1.8.3+0f9c684
  BuildDate: 2021-01-21T22:20:39Z
  GitCommit: 0f9c68427882bf4633d395cbfcd7c9271795fd9b
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: v3.8.1 2020-07-16T00:58:46Z
  Helm Version: v3.4.1+gc4e7485
  Kubectl Version: v1.17.8
  Jsonnet Version: v0.17.0

[~/Downloads] (⎈ |argocd-beta:argocd)
$ ./argocd-darwin-amd64-v1.8.2 version
argocd: v1.8.2+94017f2
  BuildDate: 2021-01-10T05:42:03Z
  GitCommit: 94017f2c8d97588d4aa2213713a71d51005ed62d
  GitTreeState: clean
  GoVersion: go1.14.12
  Compiler: gc
  Platform: darwin/amd64
FATA[0000] no id_token in token response

As before, no error occurs in v1.8.1 of the CLI.
#5184 is an upgrade of jwt-go, is this related?

[kshamajain99]

@ktarow Would you be open to share your jwt token payload. We can continue discussion over slack. You can join argoproj slack https://join.slack.com/t/argoproj/shared_invite/zt-ghijuarm-9GdgmKOI9_5n1P2sA2sbJw.

[ktarow]

Thank you for the information about Slack.
Currently, our team are checking the idp logs and summarizing the situation.
After the information is finalized, I join argoproj slack and report on the situation.

[ktarow]

@alexmt @kshamajain99 @jessesuen

Hi. It's been a while.
I am pleased to report that the situation has temporarily improved regarding this problem.
The workaround is as follows

WorkAround

• Remove the "refresh_token " in the response body from the using IDP

Why this workaround?

When we checked the idp logs, the following log was output.

2021-01-25 15:46:32,270 tid:CmJg17dAnAUpzO-EvMoX-1SFXrI DEBUG [***] ---REQUEST (POST)/path/to/authorization_endpoint from ***:
---PARAMETERS---
refresh_token:
   ********
grant_type:
   refresh_token
client_id:
   ***

For some reason, refresh_token is being posted to the authorization endpoint.

This log was output when using argocd v1.8.2 or higher and attempting to operate from the CLI immediately after login.

And this log will not be output by CLI versions lower than v1.8.1.

Immediately after checking this log, I tried to exclude refresh_token from the response body and was able to use Argo CD without any problem with the CLI of v1.8.2 or higher.

[kshamajain99]

@ktarow Could you try using latest release version v1.8.4 and see if your are able to use cli correctly?
The problem might possibly be related to #5413