redirectUrl for SSO login with Dex?

[atticus-rippling]

Hi all,

I've setup SSO login for argo-workflows UI using an existing argocd Dex instance (which is configured with a SAML connector to AWS IAM Identity Center) for authentication, following these docs: https://argo-workflows.readthedocs.io/en/latest/argo-server-sso-argocd/

I'm running into the following issue:

• The docs say:

  the redirect URL supplied to the provider [...] must be in the form /oauth2/callback

  • However, when I use that format on my staticClient config in argocd-cm, I get a 400 from https://<argocd-domain>/api/dex/auth/aws?client_id=argo-workflows-sso&redirect_uri=... with response Unregistered redirect_uri ("https://<argocd-domain>/api/dex/callback").
  • If I update the redirectUrl on the staticClient config to https://<argocd-domain>.com/api/dex/callback, I instead get a 400 from the dex callback request https://<argocd-domain>/api/dex/callback?code=... with response Requested resource does not exist.

Issues I've ruled out

• The SAML connector is working (these failed requests are always preceded with an approval request from https://<argocd-domain>/api/dex/approval?req=...)

Has anyone been able to successfully set up argo-workflows UI SSO with a Dex instance / has background on what's going on behind the scenes here, and able to share what the expected redirectUrl is/what else may be missing from my configuration?

---

Here's my setup for context:

Dex/CD ConfigMap:

kind: ConfigMap
metadata:
  namespace: argocd
  name: argocd-cm
data:
  dex.config: |
    logger:
      level: debug
      format: json
    connectors:
    - type: saml
      id: aws
      name: "AWS IAM Identity Center"
      config:
        ssoURL: <ssoURL>
        caData: <caData>
        entityIssuer: https://<argocd-domain>/api/dex/callback
        usernameAttr: email
        emailAttr: email
        groupsAttr: groups
    # allows argo-workflows to use argocd Dex installation for authentication
    staticClients:
      - id: argo-workflows-sso
        name: argo-workflows
        redirectURIs:
        - https://<argocd-domain>/api/dex/callback
        secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET

SSO Secrets:

kind: Secret
metadata:
  namespace: argocd
  name: argo-workflows-sso
data:
  client-id: 
  client-secret: 
---
kind: Secret
metadata:
  namespace: argo-workflows
  name: argo-workflows-sso
data:
  client-id:  <same>
  client-secret:  <same>

Workflows ConfigMap:

metadata:
  namespace: argo-workflows
  name: argo-workflows-workflow-controller-configmap
data:
  config: |
    sso:
      issuer: https://<argocd-domain>/api/dex
      clientId:
        name: argo-workflows-sso
        key: client-id
      clientSecret:
        name: argo-workflows-sso
        key: client-secret
      redirectUrl: "https://<argocd-domain>/api/dex/callback" # it doesn't seem to matter what I put here. I get the same errors regardless
      rbac:
        enabled: false
      scopes:
        - groups
        - email

[atticus-rippling]

Possibly @agilgur5, as I see you've answered a number of SSO related questions?

[agilgur5]

The redirectUrl is Argo Workflow's own URL, not Dex's. It's where Dex will send the user after they complete SSO. The issuer is Dex's URL, which you have correctly.

The example in the docs is: https://argo-workflows.mydomain.com/oauth2/callback.
It depends on what your Ingress uses for the host/domain etc, so Workflows can't determine that for you and so it must be configured. /oauth2/callback is required because that's Workflows's Server's route, so we know that part for sure.