Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failed to verify token: failed to verify token: oidc: expected audience "argo-cd" got "argo-cd-cli" #12170

Closed
2 of 3 tasks
WojtekTomaszewski opened this issue Jan 27, 2023 · 3 comments · Fixed by #12179
Closed
2 of 3 tasks

Failed to verify token: failed to verify token: oidc: expected audience "argo-cd" got "argo-cd-cli" #12170

WojtekTomaszewski opened this issue Jan 27, 2023 · 3 comments · Fixed by #12179
Labels
bug Something isn't working

Comments

@WojtekTomaszewski
Copy link

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

With Dex connector configured to use our GHE instance, I am able to login into GUI and SSO login to CLI also looks to be successful but all commands end up with invalid session and failed token validation error.

Version

argocd version
argocd: v2.5.7+e0ee345.dirty
  BuildDate: 2023-01-18T04:28:20Z
  GitCommit: e0ee3458d0921ad636c5977d96873d18590ecf1a
  GitTreeState: dirty
  GoVersion: go1.19.5
  Compiler: gc
  Platform: darwin/arm64
argocd-server: v2.5.8+bbe870f

Logs

argocd-dex-server-75d9555bc9-bfbmh dex time="2023-01-27T06:38:05Z" level=info msg="login successful: connector \"github\", username=\"xxxxxx\", preferred_username=\"xxxxxx\", email=\"xxxxxx\", groups=[\"xxxxxx:xxxxxx\"]"

argocd-server-58f7f86d74-8bbqs argocd-server time="2023-01-27T07:15:21Z" level=warning msg="Failed to verify token: failed to verify token: oidc: expected audience \"argo-cd\" got [\"argo-cd-cli\"]"
@WojtekTomaszewski WojtekTomaszewski added the bug Something isn't working label Jan 27, 2023
@flecno
Copy link

flecno commented Jan 27, 2023

I have the same problem with argocd v2.5.8. Downgrading to v2.5.7 works, but security patch from the latest version is then missing.

@yann-soubeyrand yann-soubeyrand mentioned this issue Jan 27, 2023
Closed
10 tasks
@crenshaw-dev
Copy link
Member

6 hours from "identified" to "patch PR." Great work, y'all! 😄 We'll get this patch out ASAP.

crenshaw-dev added a commit to crenshaw-dev/argo-cd that referenced this issue Jan 27, 2023
@crenshaw-dev
fix: add CLI client IDs to default OIDC allowed audiences (argoproj#1…
ffd58bb 
…2170)

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
crenshaw-dev added a commit that referenced this issue Jan 27, 2023
@crenshaw-dev @yann-soubeyrand
fix: add CLI client IDs to default OIDC allowed audiences (#12170) (#…
a825aad 
…12179)

* fix(settings): add CLI client ID in default OAuth2 allowed audiences

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>

* fix: add CLI client IDs to default OIDC allowed audiences (#12170)

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* docs

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* test

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* handle expired token properly

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

---------

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
@crenshaw-dev crenshaw-dev mentioned this issue Jan 27, 2023
Merged
@crenshaw-dev
Copy link
Member

I plan to have the fix released in the next 3 hours.

crenshaw-dev added a commit that referenced this issue Jan 27, 2023
@crenshaw-dev @yann-soubeyrand
fix: add CLI client IDs to default OIDC allowed audiences (#12170) (#…
5094ee9 
…12179)

* fix(settings): add CLI client ID in default OAuth2 allowed audiences

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>

* fix: add CLI client IDs to default OIDC allowed audiences (#12170)

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* docs

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* test

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* handle expired token properly

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

---------

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
crenshaw-dev added a commit that referenced this issue Jan 27, 2023
@crenshaw-dev @yann-soubeyrand
fix: add CLI client IDs to default OIDC allowed audiences (#12170) (#…
86f75b0 
…12179)

* fix(settings): add CLI client ID in default OAuth2 allowed audiences

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>

* fix: add CLI client IDs to default OIDC allowed audiences (#12170)

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* docs

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* test

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* handle expired token properly

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

---------

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
crenshaw-dev added a commit that referenced this issue Jan 27, 2023
@crenshaw-dev @yann-soubeyrand
fix: add CLI client IDs to default OIDC allowed audiences (#12170) (#…
11ba483 
…12179)

* fix(settings): add CLI client ID in default OAuth2 allowed audiences

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>

* fix: add CLI client IDs to default OIDC allowed audiences (#12170)

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* docs

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* test

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* handle expired token properly

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

---------

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
crenshaw-dev added a commit that referenced this issue Jan 27, 2023
@crenshaw-dev @yann-soubeyrand
fix: add CLI client IDs to default OIDC allowed audiences (#12170) (#…
d143571 
…12179)

* fix(settings): add CLI client ID in default OAuth2 allowed audiences

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>

* fix: add CLI client IDs to default OIDC allowed audiences (#12170)

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* docs

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* test

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* handle expired token properly

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

---------

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
emirot pushed a commit to emirot/argo-cd that referenced this issue Jan 27, 2023
@crenshaw-dev @yann-soubeyrand @emirot
fix: add CLI client IDs to default OIDC allowed audiences (argoproj#1…
21f75a8 
…2170) (argoproj#12179)

* fix(settings): add CLI client ID in default OAuth2 allowed audiences

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>

* fix: add CLI client IDs to default OIDC allowed audiences (argoproj#12170)

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* docs

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* test

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* handle expired token properly

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

---------

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
Signed-off-by: emirot <emirot.nolan@gmail.com>
@jmeridth jmeridth mentioned this issue Jan 28, 2023
Merged
6 tasks
todaywasawesome pushed a commit to codefresh-io/argo-cd that referenced this issue Feb 6, 2023
@crenshaw-dev @yann-soubeyrand @todaywasawesome
fix: add CLI client IDs to default OIDC allowed audiences (argoproj#1…
061c048 
…2170) (argoproj#12179)

* fix(settings): add CLI client ID in default OAuth2 allowed audiences

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>

* fix: add CLI client IDs to default OIDC allowed audiences (argoproj#12170)

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* docs

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* test

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* handle expired token properly

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

---------

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
pasha-codefresh added a commit to codefresh-io/argo-cd that referenced this issue Feb 7, 2023
@todaywasawesome @crenshaw-dev
@farcaller @pasha-codefresh @yann-soubeyrand
Verify aud claim cf (#202)
107ab62 
* fix: verify audience claim

Co-Authored-By: Vladimir Pouzanov <farcaller@gmail.com>
Signed-off-by: CI <350466+crenshaw-dev@users.noreply.github.com>

* fix unit tests

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* handle single aud claim marshaled as a string

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* fix dependencies

* fix: add CLI client IDs to default OIDC allowed audiences (argoproj#12170) (argoproj#12179)

* fix(settings): add CLI client ID in default OAuth2 allowed audiences

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>

* fix: add CLI client IDs to default OIDC allowed audiences (argoproj#12170)

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* docs

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* test

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* handle expired token properly

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

---------

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>

* fix dependencies

* update version

* update version

* update version

* fix linter

* fix linter

---------

Signed-off-by: CI <350466+crenshaw-dev@users.noreply.github.com>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
Co-authored-by: CI <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Vladimir Pouzanov <farcaller@gmail.com>
Co-authored-by: pashakostohrys <pavel@codefresh.io>
Co-authored-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
schakrad pushed a commit to schakrad/argo-cd that referenced this issue Mar 14, 2023
@crenshaw-dev @yann-soubeyrand @schakrad
fix: add CLI client IDs to default OIDC allowed audiences (argoproj#1…
96ec8ea 
…2170) (argoproj#12179)

* fix(settings): add CLI client ID in default OAuth2 allowed audiences

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>

* fix: add CLI client IDs to default OIDC allowed audiences (argoproj#12170)

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* docs

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* test

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* handle expired token properly

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

---------

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
Signed-off-by: schakrad <chakradari.sindhu@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
3 participants
@flecno @crenshaw-dev @WojtekTomaszewski