Support for external dex implementation #702

Closed
jaxxstorm opened this issue Oct 18, 2018 · 14 comments
Labels
duplicate This issue or pull request already exists

Comments

@jaxxstorm

We already have a dex server installed. Is it possible to point to this, and not deploy an additional dex server?

@jessesuen
Member

@jaxxstorm we will make sure this is possible as part of:
#671

@jessesuen jessesuen added the duplicate This issue or pull request already exists label Oct 18, 2018
@mbuccarello

Hello @jessesuen and happy new year to you and the argo-cd team. During the past week we dug into the documentation to understand how to configure an external dex, but we didn't find any documentation about this topic.
Could you please share with us any evidence that there is a way to configure an external dex?
We tried different configurations in the argocd-cm configmap but nothing worked as intended.
We tried to understand how to change the default /api/dex context root but again we failed to find a way to configure it properly.
We tried to change the URL composed in the argocd UI but the /dex/api URL is relative and not absolute to the external dex server.

Thanks!

@mbuccarello

After some digging we figured out the configuration: the point was to use oidc.config and configure the external dex to use oauth2 to communicate with argo. It would be good to have documentation about the external dex scenario. Have a good day!

@ChaosInTheCRD

Agreed that it would be useful to have this documented 😄 Thanks for adding this as confirmation @mbuccarello

@awalford16

Hi, we are also trying to solve this issue of implementing ArgoCD with an external Dex server. Did the documentation ever get created? If not could you share an example of how you managed to get this to work please?

@aleksmova

@mbuccarello could you please share the configuration.

@awalford16

Our dex server is running on the same cluster as ArgoCD with this config:

issuer: "https://dex.example.com/dex"
storage:
  type: kubernetes
  config:
    inCluster: true

oauth2:
  skipApprovalScreen: true

connectors:
- type: ldap
  id: ldap
  name: LDAP
  config:
    host: OUR_LDAP_SERVER_URL:636
    rootCA: /etc/ssl/certs/ca-certificates.crt
    bindDN: cn=admin,dc=example,dc=com
    bindPW: PASSWORD
    usernamePrompt: Username
    userSearch:
      baseDN: ou=Users,dc=example,dc=com
      filter: "(objectClass=person)"
      username: Username
      idAttr: uid
      emailAttr: email
      nameAttr: name
    groupSearch:
      baseDN: ou=Groups,dc=example,dc=com
      filter: "(objectClass=group)"
      userMatchers:
      - userAttr: uid
        groupAttr: memberUid
      nameAttr: name

Then based on the comments above we have tried to configure ArgoCD through the oidc.config but I cannot find much documentation on how to do this. So far, all we have is:

server:
  config:
    oidc.config: |-
      name: LDAP
      issuer: https://dex.example.com/dex

This is the error we see when attempting to login with LDAP on ArgoCD:

Invalid redirect URL: the protocol and host (including port) must match and the path must be within allowed URLs if provided

I have tried passing in redirectURI: https://ARGOCD_URL/api/dex/callback to the dex config but still get the same error

@crenshaw-dev
Member

@awalford16 can you open an issue and specify the version you're running?

My immediate instinct is that Argo CD is trying to compare the redirect URL with the configured url field (in argocd-cm), but I'm not sure.

@michaelajr

So I was able to fix this by adding configs.cm.url

@thiDucTran

thiDucTran commented Dec 28, 2022

Can posters post specific examples of your working configs? @michaelajr @mbuccarello

Edit: for our use case, we got things to work. See below.

dex:
  enabled: false
configs:
  rbac:
    scopes:
      - groups
      - email
  cm:
    url: https://abc.com/argocd
    oidc.config: |
      name: AzureAD
      issuer: https://abc.com/dex
      clientID: argocd
      clientSecret: passBetweenDexAndArgo # needs to match what you defined in Dex
      # root CA of our abc.com
      rootCA: |
        -----BEGIN CERTIFICATE-----
        MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
        -----END CERTIFICATE-----
      requestedIDTokenClaims:
        groups:
          essential: true
      requestedScopes:
        - openid
        - profile
        - email
        - groups
  params:
    server.insecure: true
    server.rootpath: "argocd"
In Dex, we have this:
kind: ConfigMap
apiVersion: v1
metadata:
  name: dex
  namespace: dex
data:
  config.yaml: |
    issuer: https://abc.com/dex
    expiry:
      idTokens: "30m"
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      https: 0.0.0.0:5556
      tlsCert: /etc/dex/tls/tls.crt
      tlsKey: /etc/dex/tls/tls.key
    connectors:
    - type: microsoft
      # Required field for connector id.
      id: microsoft
      # Required field for connector name.
      name: Microsoft
      config:
        # Credentials can be string literals or pulled from the environment.
        clientID: $MICROSOFT_APPLICATION_ID
        clientSecret: $MICROSOFT_CLIENT_SECRET
        redirectURI: https://abc.com/dex/callback
        tenant: someTenantId
        groupNameFormat: id
    oauth2:
      skipApprovalScreen: true

    staticClients:
    - id: argocd
      redirectURIs:
      - 'https://abc.com/argocd/auth/callback'
      name: 'argocd'
      secret: passBetweenDexAndArgo

we use K8s Nginx Ingress Controller as our reverse proxy for both Dex and ArgoCD

@jcogilvie

If you'd like to extract the working config for your current dex in order to import it into an external dex, you can get a pod shell into argocd-server and run argocd-dex gendexcfg and it'll print argo's desired config to stdout.

@264nm

264nm commented May 31, 2023

So in the case I've been trying to set up, I was asked to patch out the bundled Dex as well as leverage the existing Dex instance on the cluster managed by others.

Followed the directions above to achieve a partial success. It uses the Github connector on the Dex side, so it's just a case of sharing the clientID and secret between both ConfigMaps.

So by partial, I mean I managed to create a new static client in Dex for ArgoCD with the appropriate redirectURI and log in via the UI but when I try to use the --sso flag to the CLI I'm still getting redirected to:

Bad Request
Unregistered redirect_uri ("http://localhost:8085/auth/callback")

Any thoughts here @michaelajr @mbuccarello @thiDucTran?

Do I need a separate cliClientId configured specifically in Dex, or can I re-use it?

What am I putting for redirectURI? Literally http://localhost:8085/auth/callback?

Dex Side - Added new static client:

    - id: 
       ...
       ...
    - id: argocd
      redirectURIs:
      - 'https://argocd.{{ .Cluster.Endpoint }}:8080/auth/callback'
      name: argocd
      secret: <redacted>

ArgoCD Side:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.{{ .Cluster.Endpoint }}:8080
  oidc.config: |
    name: Dex
    issuer: https://platform.{{ .Cluster.Endpoint }}/dex
    clientSecret: <redacted>
    skipAudienceCheckWhenTokenHasNoAudience: true
    cliClientId: argocd

@thiDucTran

I don't think dex works with the Argo CD CLI. Try --core when using the argocd CLI instead? @264nm

@264nm

264nm commented Aug 16, 2023

It does @thiDucTran!
Just got this working today. You need to create a separate cliClientId, and then a separate staticClient on the dex side for the localhost redirectURI, and rather than providing a clientSecret you set public: true

i.e.

    - id: argocdcli
      name: argocdcli
      # Use Public Client for browser based CLI auth flow
      # https://dexidp.io/docs/custom-scopes-claims-clients/#public-clients
      # https://github.com/argoproj/argo-cd/issues/2179
      public: true
      redirectURIs:
      - 'http://localhost:8085/auth/callback'

$ argocd login argocd.example.com:8080 --sso

Opening browser for authentication
Performing authorization_code flow login: https://platform.example.com/dex/auth?access_type=offline&client_id=argocdcli&code_challenge=blahblahblah&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups+offline_access&state=blahblahblah
Authentication successful
'user.name@example.com' logged in successfully
Context 'argocd.example.com:8080' updated
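As an added example (not code from this thread, Argo CD or Dex), the following Python check cross-references an argocd-cm oidc.config against the external Dex staticClients for exactly the mismatches reported above: the UI callback derived from `url`, the shared client secret, and the separate public CLI client with the localhost redirect. The two configs are constructed samples laid out like the ones in the thread; in practice you would load them with a YAML parser.

```python
# Added example (not from the issue thread, Argo CD or Dex): cross-check an
# argocd-cm oidc.config against the Dex staticClients for the mismatches
# reported above ("Invalid redirect URL", "Unregistered redirect_uri").
# Dex config.yaml, reduced to the fields the check needs (constructed sample).
DEX_CONFIG = {
    "issuer": "https://abc.com/dex",
    "staticClients": [
        {"id": "argocd", "secret": "passBetweenDexAndArgo",
         "redirectURIs": ["https://abc.com/argocd/auth/callback"]},
        {"id": "argocdcli", "public": True,
         "redirectURIs": ["http://localhost:8085/auth/callback"]},
    ],
}
# argocd-cm `url` plus the parsed oidc.config block (constructed sample).
ARGOCD_CM = {
    "url": "https://abc.com/argocd",
    "oidc.config": {"issuer": "https://abc.com/dex", "clientID": "argocd",
                    "clientSecret": "passBetweenDexAndArgo",
                    "cliClientId": "argocdcli"},
}
CLI_REDIRECT = "http://localhost:8085/auth/callback"  # used by `argocd login --sso`


def check_external_dex(dex: dict, cm: dict) -> list:
    """Return the list of mismatches; an empty list means the configs agree."""
    oidc = cm["oidc.config"]
    clients = {c["id"]: c for c in dex.get("staticClients", [])}
    problems = []
    if oidc.get("issuer") != dex.get("issuer"):
        problems.append("issuer mismatch")
    # UI login: Argo CD redirects to <url>/auth/callback, so Dex must list
    # that exact URI for the clientID and share the same secret.
    ui = clients.get(oidc.get("clientID"))
    if ui is None:
        problems.append("clientID has no Dex staticClient")
    else:
        ui_cb = cm["url"].rstrip("/") + "/auth/callback"
        if ui_cb not in ui.get("redirectURIs", []):
            problems.append("UI callback %s not registered in Dex" % ui_cb)
        if ui.get("secret") != oidc.get("clientSecret"):
            problems.append("clientSecret differs from Dex client secret")
    # CLI login: a separate *public* client with the localhost callback.
    cli = clients.get(oidc.get("cliClientId", ""))
    if cli is None:
        problems.append("cliClientId missing or has no Dex staticClient")
    else:
        if not cli.get("public"):
            problems.append("CLI client must be public: true")
        if CLI_REDIRECT not in cli.get("redirectURIs", []):
            problems.append("CLI client lacks the localhost redirectURI")
    return problems
```

Running it against the samples returns an empty list; dropping the `/argocd` root path from `url` reproduces the unregistered-callback situation from the thread.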
