Azure not supported for WebUI PKCE Auth Code Flow #16649
Comments
|
I have verified the same issue and agree with the suggestion of a flag to mindfully force the flow. 🙏 |
|
What if we know in the frontend itself if IdP is Azure then we by default skip the error assuming that PKCE still works even if |
|
It would seem this was debated a fair amount with the kubelogin project (dropping the link again): That project chose to go with: "--oidc-use-pkce" To follow this convention that others in the industry may be conditioned for the following flag (or similar) would seem to follow suit:
|
Personally I think that creating a snowflake solution for a specific provider is a bad idea. This could end up with all sorts of snowflake code for different IDP's. I think it would be better to create a generic setting. @michael-basil are you proposing that the setting shoud be |
|
I am suggesting the same and with the name to skip verification or would be simpler in configuration management over time. For example, we test before we introduce new Argo versions, but the typical engineer wouldn't know the details of PKCE. They would know that it doesn't work though and then we really are in the weeds at that point anyway. So I am partial to the basic approach of kubelogin though not fixed on the name, just what came naturally. |
|
Implementation of both flags as optional. One flag to skip verification and one flag to force a method ... This is the most robust and durable after thinking it through further. |
|
"Skip code challenge verification" sounds good to me. |
|
Wouldn't the proof of key code exchange be the challenge? This is skipping the method verification. Perhaps I am understanding this differently? |
|
tl;dr
|
|
@michael-basil can you enable auth in api server and then run? You can either use |
|
The flag is set to false in the Makefile:
Are you suggesting to set the value to true. Seems counterintuitive on first glance. I figure when I can see the debug messages I will be able to trace through the code to see where it's going haywire. |
|
What I meant is set DISABLE_AUTH to false. I usually don't run that way so I might be wrong. But what I see in Makefile is If you already tried and issue persist then let me know if I can help. |
|
@michael-basil The main issue/discussion here is: PKCE auth flow in not working with Azure because the Here's a few proposals.
|
|
@Kerwood in response to your suggestion I deleted a couple of my posts (as GitHub comments can be refactored): TL/DR:
In alignment with the code contribution sentiment of sometimes it's helpful to have some PoC code along with a proposal I am working towards a draft pull request to support the described proposal(s) to help bolster the case. If anyone would like to collaborate to pair on this coding effort please reach out in CNCF Slack by DM or #argo-contributors. |
|
I tested this fix off of the master branch. It worked well! Would someone be able to point me to determine when this would go into a release? |
Describe the bug
In the upcoming
v2.10.0-rc1release, @Marvin9 added support for using authorization code flow with PKCE in the webUI, which is lovely. ❤️Unfortunately Azure is non-compliant with RFC8414 standard because the
/.well-known/openid-configurationendpoint is missing thecode_challenge_methods_supportedproperty.The ArgoCD login flow is stopped checking for that specific property here.
argo-cd/ui/src/app/login/components/utils.ts
Lines 76 to 80 in 3224102
Other projects seem to have the same issue, like kubelogin.
This was brought to the attention of Microsoft in January 2021 and I do not think that they intend to do anything about it.
Proposal
Maybe have a setting something like,
forcePKCECodeChallengeMethod: S256that would skip thecode_challenge_methods_supportedproperty check, or justskipPKCECodeChallengeMethod: true?The text was updated successfully, but these errors were encountered: