
Can't 'argocd login' with KeyCloak #10029

Open
Drugoy opened this issue Jul 18, 2022 · 11 comments
Labels
bug Something isn't working component:cli Affects the Argo CD CLI type:bug

Comments

@Drugoy

Drugoy commented Jul 18, 2022

We are using KeyCloak and I can login via web just fine.
But running argocd login --insecure ${argocd_host} -sso from console produces this log:

WARN[0000] Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc.web.
Opening browser for authentication
Performing authorization_code flow login: https://${our_sso_host}/auth/realms/${realm_for_argo}/protocol/openid-connect/auth?access_type=offline&client_id=argocd&code_challenge=${some_hash}&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2fcallback&response_type=code&scope=openid+profile+email+groups+offline_access&state=${some_short_hash}
FATA[0002] oauth2: cannot fetch token: 401 Unauthorized

The browser opens KeyCloak page prompting login + password, I enter them once and then get redirected to http://localhost:8085/auth/callback?state=${some_short_hash}&session_state=${some_uid}&code=${two_uids_concatenated_with_dot}
which says:

oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"unauthorized_client","error_description":"Client secret not provided in request"}
@Drugoy Drugoy added the bug Something isn't working label Jul 18, 2022
@crenshaw-dev
Member

I'm a bit of an OIDC noob, but I believe the problem is that Keycloak expects the CLI to send a "client secret," which the client does not hold. I think that the CLI is a "public client" in the language of the Keycloak docs. Perhaps "public client" needs to be enabled on the Keycloak side.

@crenshaw-dev
Member

The fact that you can log in via the UI makes me second-guess myself though...

@anthony-zawacki

We use keycloak + argocd and could never get the -sso to work because it requires launching a browser. In the end, we use keycloak to log into the argocd web UI, but in a pod at the command line we use the argocd admin user and password and not the keycloak-based login, like this:

./argocd login argo-cd-argocd-server --grpc-web --plaintext --username=admin --password=****

where the password is the admin.password configured in the argocd-secret.

The same secret typically has a key called oidc.keycloak.clientSecret configured, it's just that the argocd command line utility doesn't make use of the oidc configuration when using -sso even though you'd expect it to do so.

@Drugoy
Author

Drugoy commented Aug 18, 2022

@anthony-zawacki basically confirmed the ticket, we are experiencing the same.

@RossComputerGuy

I'm also having the same problem, trying to get Keycloak to work with my setup but it dumps me back on the login screen. This is the configuration of how I deploy ArgoCD.

@Blackclaws

Argocd CLI login currently requires a public client, because contrary to expectations the login is not proxied via the webinterface which would be able to hold a client secret.

@Blackclaws

Related: #11025

@862902354

Related: #11025

Hi!
The keycloak 20 version has no access type: public option. How do you solve it?

Argo CD CLI login currently requires a public client, because contrary to expectations the login is not proxied via the web interface, which would be able to hold a client secret.

@Blackclaws

Related: #11025

Hi! The keycloak 20 version has no access type: public option. How do you solve it?

Argo CD CLI login currently requires a public client, because contrary to expectations the login is not proxied via the web interface, which would be able to hold a client secret.

From the keycloak docs:

Capability Config

Client authentication

    The type of OIDC client.

        ON

        For server-side clients that perform browser logins and require client secrets when making an Access Token Request. This setting should be used for server-side applications.

        OFF

        For client-side clients that perform browser logins. As it is not possible to ensure that secrets can be kept safe with client-side clients, it is important to restrict access by configuring correct redirect URIs.

Set it to OFF
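The two comments above (the CLI needs a public client because nothing in the login path can hold a secret, and Keycloak's "Client authentication" ON/OFF switch) can be seen end to end in a small model. The following is an added illustration written for this thread, not Argo CD or Keycloak code: `TokenEndpoint` is a deliberately simplified stand-in for a Keycloak client's authorization and token endpoints, `argocd_cli_login` mimics what the CLI does (authorization code + PKCE, no client secret), and all values such as `constructed-token` are made up. It shows why "Client authentication: ON" yields the exact 401 body quoted in the issue, why OFF works, and why the docs' caveat about registered redirect URIs still matters for a public client.

```python
"""Toy model of the OIDC token exchange behind `argocd login --sso`.

Added example, not Argo CD or Keycloak source. The endpoint logic is a
simplification of Keycloak's /protocol/openid-connect/{auth,token}
behaviour; the CLI side mirrors the flow visible in the issue log
(authorization_code, S256 PKCE, redirect_uri http://localhost:8085/auth/callback,
no client_secret).
"""
import base64
import hashlib
import secrets


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair():
    """Return a fresh (code_verifier, code_challenge) pair."""
    verifier = secrets.token_urlsafe(64)
    return verifier, s256_challenge(verifier)


class TokenEndpoint:
    """Simplified model of one Keycloak client.

    client_authentication=True models "Client authentication: ON"
    (confidential client, secret mandatory at the token endpoint);
    False models OFF (public client, PKCE plus redirect-URI allow-list).
    """

    def __init__(self, client_id, client_authentication, redirect_uris, client_secret=None):
        self.client_id = client_id
        self.client_authentication = client_authentication
        self.redirect_uris = set(redirect_uris)
        self.client_secret = client_secret
        self._codes = {}  # issued code -> (redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge):
        """Model of the /auth step after the user has logged in: issue a code.

        Returns None when the client or redirect_uri is not registered; a
        public client is only as safe as this allow-list (hence the docs'
        note about configuring correct redirect URIs).
        """
        if client_id != self.client_id or redirect_uri not in self.redirect_uris:
            return None
        code = secrets.token_hex(16)  # constructed, single-use
        self._codes[code] = (redirect_uri, code_challenge)
        return code

    def token(self, params):
        """Model of the /token step. Returns (http_status, json_body)."""
        if params.get("client_id") != self.client_id:
            return 401, {"error": "invalid_client"}
        if self.client_authentication:
            secret = params.get("client_secret")
            if secret is None:
                # This is the response body quoted in the issue above.
                return 401, {"error": "unauthorized_client",
                             "error_description": "Client secret not provided in request"}
            if secret != self.client_secret:
                # Constructed message; Keycloak's own wording may differ.
                return 401, {"error": "unauthorized_client",
                             "error_description": "Invalid client credentials"}
        entry = self._codes.pop(params.get("code"), None)
        if entry is None:
            return 400, {"error": "invalid_grant", "error_description": "Code not valid"}
        redirect_uri, challenge = entry
        if params.get("redirect_uri") != redirect_uri:
            return 400, {"error": "invalid_grant", "error_description": "Incorrect redirect_uri"}
        if s256_challenge(params.get("code_verifier", "")) != challenge:
            return 400, {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        return 200, {"access_token": "constructed-token", "token_type": "Bearer"}


def argocd_cli_login(endpoint, redirect_uri="http://localhost:8085/auth/callback"):
    """Mimic the CLI: it holds no secret, so it relies on PKCE alone."""
    verifier, challenge = pkce_pair()
    code = endpoint.authorize("argocd", redirect_uri, challenge)
    if code is None:
        return 400, {"error": "invalid_request", "error_description": "redirect_uri not registered"}
    return endpoint.token({
        "grant_type": "authorization_code",
        "client_id": "argocd",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
        # deliberately no client_secret, exactly like the CLI
    })


if __name__ == "__main__":
    callback = ["http://localhost:8085/auth/callback"]
    on = TokenEndpoint("argocd", True, callback, client_secret="constructed-secret")
    off = TokenEndpoint("argocd", False, callback)
    print("Client authentication ON :", argocd_cli_login(on))
    print("Client authentication OFF:", argocd_cli_login(off))
    print("OFF, unregistered redirect:", argocd_cli_login(off, "http://other-host.example/cb"))
```

With the confidential client the CLI's token request is refused before the code is even looked at; with the public client the same request succeeds because the PKCE verifier, not a secret, proves that the party redeeming the code is the one that started the flow, and an unregistered `redirect_uri` is still rejected at the authorization step.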

@nlucansk

Related: #11025

Hi! The keycloak 20 version has no access type: public option. How do you solve it?

Argo CD CLI login currently requires a public client, because contrary to expectations the login is not proxied via the web interface, which would be able to hold a client secret.

From the keycloak docs:

Capability Config

Client authentication

    The type of OIDC client.

        ON

        For server-side clients that perform browser logins and require client secrets when making an Access Token Request. This setting should be used for server-side applications.

        OFF

        For client-side clients that perform browser logins. As it is not possible to ensure that secrets can be kept safe with client-side clients, it is important to restrict access by configuring correct redirect URIs.

Set it to OFF

Not working for me.
I am currently getting: [image]

UI SSO access works just fine, only CLI is ❌

@zentavr

zentavr commented Jul 3, 2024

@nlucansk the URLs inside the Keycloak client config should be adjusted, like this: #12124 (comment)
