argocd login --sso oauth2: cannot fetch token: 401 Unauthorized

[skan-splunk]

Describe the bug

Attempting to use argocd CLI and authenticating with argocd login <server> --sso and Okta SSO, and receiving the following output and error in the CLI:

WARN[0005] Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web.
Opening browser for authentication
INFO[0007] RequestedClaims: map[groups:essential:true ]
Performing authorization_code flow login: https://{blahhost}&code_challenge_method={blahhash}&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups+offline_access&state={blah}
FATA[0027] oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."}

After Okta authentication, I get an accepted callback to the URL:http://localhost:8085/auth/callback?code={blah}&state={blah} which has the error:

oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."}

Authenticating directly into ArgoCD UI works fine, additionally able to authenticate using --auth-token flag.
Expected behavior

Run argocd login <server> --sso, authenticate via okta SSO login, success

Version
ArgoCD v2.5.3

[ziouf]

It is still an issue on my side with v2.6.0

[icecoffee531]

When I set the oidc provider config to public:true it works perfectly (in my case using keycloak)

[jfdoube]

Still an issue here as well

[eranreshef-starkware]

Ran into this also.
@icecoffee531 I tried your suggestion and it didn't work for me. Did you do anything else I might have missed?

[billabongrob]

We've attempted to do the same with Okta and were running into the same issues even with public: true

Setting the cliClientID helped us, FWIW.

    # Some OIDC providers require a separate clientID for different callback URLs.
    # For example, if configuring Argo CD with self-hosted Dex, you will need a separate client ID
    # for the 'localhost' (CLI) client to Dex. This field is optional. If omitted, the CLI will
    # use the same clientID as the Argo CD server
    cliClientID: vvvvwwwwxxxxyyyyzzzz

ref

[stefanandres]

@billabongrob

Setting the cliClientID helped us, FWIW.

What did you do on Okta for this? Did you create another Okta app with localhost as callback url or something?
It would be great if you could elaborate on what exactly you needed to do to get it working.

[billabongrob]

Absolutely, sorry for being vague - end of the day response! 😃
Yes, we created a Native type OIDC Okta app for the CLI and set it to use Authorization Code + PKCE. The sign in redirect URI was http://localhost:8085/auth/callback and the sign out redirect URI was http://localhost:8085

[eranreshef-starkware]

Thanks @billabongrob your solution worked for me too 🎉

[zentavr]

@billabongrob I have Keykloak at my side and adding Valid redirect URIs.

• https://argocd-k8s-production.example.io/auth/callback (it was at the beginning)
• http://localhost/auth/callback (added)
• http://localhost:8085/auth/callback (added)

Also I'd adjusted Web origins:

• https://argocd-k8s-production.example.io (it was at the beginning)
• http://localhost (added)
• http://localhost:8085 (added)

Other settings are the next:

There is still the issue:

$ argocd login argocd-k8s-production.example.io --sso --name argocd-k8s-production
WARN[0003] Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web.
Opening browser for authentication
Performing authorization_code flow login: https://sso.example.io/realms/Example/protocol/openid-connect/auth?access_type=offline&client_id=argocd-production-k8s-shared&code_challenge=iI8mfDBZNByRXPnZUruwZhJ5oLHnZouqrumI1KWSjYs&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups+offline_access&state=vHlgeXwhAfriUvkGtFrWCPVK
FATA[0013] oauth2: "unauthorized_client" "Invalid client or Invalid client credentials"

Have that after entering login+password in the pop up browser window.

Maybe this might be an issue: #10029 (comment)

[zentavr]

So the reply to my question above:
#10029 (comment)

For keykloak this needs to be done:

Client authentication: OFF

[albundy83]

I have tried and I can login successfully.
I have an issue and I see the error invalid_request: Missing parameter: code_challenge_method after 5 minutes.