Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(pkce): 18045 PKCE respect base href and Reauth to PKCE on token expire #20110

Closed
wants to merge 12 commits into from

Conversation

austin5219
Copy link
Contributor

@austin5219 austin5219 commented Sep 25, 2024

Fixes #18045

This prepends the server base href to the PKCE login auth flow and paths rather than hardcoding pkce paths off of '/'
This also fixes on token expiry and re-auth that the user is redirected to PKCE if configured rather than always sending the user to the dex login path.

This fix should be cherry-picked to 2.12

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • [n/a] Does this PR require documentation updates?
  • [n/a] I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • [n/a] I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • [n/a] My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • [n/a] Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@austin5219 austin5219 requested a review from a team as a code owner September 25, 2024 21:48
Copy link

bunnyshell bot commented Sep 25, 2024

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

  • 🚀 /bns:deploy to deploy the environment

Copy link

bunnyshell bot commented Sep 25, 2024

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

  • 🚀 /bns:deploy to deploy the environment

@austin5219 austin5219 force-pushed the pkce-basepath-fix branch 2 times, most recently from d582ec5 to ade4b32 Compare September 25, 2024 22:03
@austin5219 austin5219 changed the title fix(pkce): PKCE respect base href and Reauth to PKCE on token expire fix PKCE respect base href and Reauth to PKCE on token expire Sep 25, 2024
@austin5219 austin5219 changed the title fix PKCE respect base href and Reauth to PKCE on token expire fix: PKCE respect base href and Reauth to PKCE on token expire Sep 25, 2024
@austin5219 austin5219 changed the title fix: PKCE respect base href and Reauth to PKCE on token expire fix: PKCE respect base href and Reauth to PKCE on token expire for issue 18045 Sep 25, 2024
@austin5219 austin5219 changed the title fix: PKCE respect base href and Reauth to PKCE on token expire for issue 18045 fix: 18045 PKCE respect base href and Reauth to PKCE on token expire Sep 25, 2024
@austin5219 austin5219 changed the title fix: 18045 PKCE respect base href and Reauth to PKCE on token expire fix(pkce): 18045 PKCE respect base href and Reauth to PKCE on token expire Sep 26, 2024
@austin5219
Copy link
Contributor Author

Here are screenshots showing the original issue and the fixes this pr has. Certain sections have been redacted to not leak confidential or sensitive information.

Login screen to show base href is '/argocd'
login_screen

This is a deployment of argocd v2.12.4 configured to use pkce oidc auth. This shows the error where the redirect uri sent to the oidc provider does not include the base href
no_basehref_callback

This PR now respects the base href when generating the callback uri, shown below
basehref_callback

On the pkce callback, the user is now directed to applications with respect to the base href
basehref_applications

On ID Token expiry, the re-auth will now respect if PKCE has been configured and attempt a pkce login rather than sending the user to the dex endpoint
reauth_pkce

@austin5219
Copy link
Contributor Author

@crenshaw-dev could I get a re-review with the evidence attached above?

ui/src/app/app.tsx Outdated Show resolved Hide resolved
ui/src/app/app.tsx Outdated Show resolved Hide resolved
Signed-off-by: austin5219 <3936059+austin5219@users.noreply.github.com>
Signed-off-by: austin5219 <3936059+austin5219@users.noreply.github.com>
Signed-off-by: austin5219 <3936059+austin5219@users.noreply.github.com>
…xt for error handling within 401 error

Signed-off-by: austin5219 <3936059+austin5219@users.noreply.github.com>
Signed-off-by: austin5219 <3936059+austin5219@users.noreply.github.com>
Signed-off-by: austin5219 <3936059+austin5219@users.noreply.github.com>
Signed-off-by: austin5219 <3936059+austin5219@users.noreply.github.com>
Signed-off-by: austin5219 <3936059+austin5219@users.noreply.github.com>
Signed-off-by: austin5219 <3936059+austin5219@users.noreply.github.com>
Signed-off-by: austin5219 <3936059+austin5219@users.noreply.github.com>
Signed-off-by: austin5219 <3936059+austin5219@users.noreply.github.com>
Signed-off-by: austin5219 <3936059+austin5219@users.noreply.github.com>
@austin5219
Copy link
Contributor Author

Closed by #20202

@austin5219 austin5219 closed this Oct 30, 2024
@austin5219 austin5219 deleted the pkce-basepath-fix branch October 30, 2024 15:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

OIDC: PKCE Incorrectly Uses Base Redirect URL for ArgoCD Hosted Under Custom Path
5 participants