Using custom groups claim for Argocd SSO login via OIDC

[dani3lsf]

I'm trying to integrate Zitadel as OIDC provider for SSO login based on the documentation provided at "https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#existing-oidc-provider". The login itself works but I'm not able to map users to roles using the policy feature, reason being that Zitadel does not provide a groups claim using the standard structure. On the other end, it provides a claim named "urn:zitadel:iam:org:project:roles" with the following example structure:

"urn:zitadel:iam:org:project:roles":{"argocd-admin":{"<id1>":"accounts.zitadel.ch"},"argocd-editor":{"<id2>":"accounts.zitadel.ch"}}}

It's basically a map whose keys are the roles of a user. I would like to be able to map those keys, for example argocd-admin to a specific argocd admin role. Any ideas how can I make this possible?

OIDC configuration

  oidc.config: |
    name: Zitadel
    issuer: https://login.organization.ch
    clientID: 192847013254004993@organization
    clientSecret: $oidc.zitadel.clientSecret
    requestedScopes: ["openid", "profile", "email", "urn:zitadel:iam:org:project:roles"]

Target Argocd-rbac-cm

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
  namespace: monitoring
data:
  # also tried to overwrite the groups claim to the one provided by zitadel but obviously did
  # not work as it does not follow the required groups structure
  # scopes: '[urn:zitadel:iam:org:project:roles]' 
  policy.csv: |
    p, role:org-admin, applications, *, */*, allow
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow

    g, argocd-admin, role:org-admin #
  policy.default: role:readonly

[alxivanov]

After logging in you can check your group definitions in User info (should work with read-only permissions too):

Try defining your group policy with the group that shows up under Groups section.

[stephanrenggli]

Hi there,

Took me a while to figure out, hopefully this helps you and others trying to get ArgoCD OIDC login to work with Zitadel.

Zitadel has a feature called Actions (see https://zitadel.com/blog/custom-claims) which allows you to write JavaScript code to modify the content of tokens. Using this and some example code on their GitHub (https://github.com/zitadel/actions/tree/main/examples) I made the following script which adds the groups claim to the token.

function groupsClaim(ctx, api) {
  if (ctx.v1.user.grants === undefined || ctx.v1.user.grants.count == 0) {
    return;
  }

  let grants = [];
  ctx.v1.user.grants.grants.forEach(claim => {
    claim.roles.forEach(role => {
        grants.push(role)  
    })
  })

  api.v1.claims.setClaim('groups', grants)
}

Add this function in Zitadel under actions and then add it to the Complement Token flow. It should look like this:

If we inspect the cookie value/token (get cookie value of the argocd.token from browser dev tools and paste to https://token.dev/) we'll see that the groups claim was added and contains the correct Zitadel role:

Configure both required ArgoCD configmaps as follows:

argocd-cm.yaml (see https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml)

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  admin.enabled: "false"
  url: https://argo.example.com
  oidc.config: |
    name: Zitadel
    issuer: https://auth.example.com
    clientID: <clientid>
    clientSecret: <clientsecret>
    requestedScopes:
      - openid
      - profile
      - email
      - groups
    logoutURL: https://auth.example.com/oidc/v1/end_session

argocd-rbac-cm.yaml (see https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-rbac-cm.yaml)

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  scopes: '[groups]'
  policy.csv: |
    g, argocd_administrators, role:admin
    g, argocd_users, role:readonly
  policy.default: ''

In argocd-rbac-cm.yaml two groups are defined argocd_administrators and argocd_users. These represent the roles in Zitadel, where it looks like this:

Also make sure to check the following boxes:

In the end we have two users in the test setup, both can login to ArgoCD using Zitadel OIDC. One user (administrator) has admin permissions in ArgoCD, the other one (user) has read-only permissions.

To verify everything works as intended, log in to ArgoCD and go to User Info. You should now see your username, issuer and most importantly your groups:

[fforootd]

@stephanrenggli Thank you for this superb PR!

I made only some really small comment.

[stephanrenggli]

Thank you for the review!

[jessebot]

Thank you both! :) It's wonderful to see the greater open source community helping each other across projects 💙

[jessebot]

I finally got around to trying this out, using the same settings, but I keep getting an error.

My settings argocd-cm configmap keys where example.com is my actual domain:

oidc.config: |
  name: zitadel
  issuer: https://iam.example.com
  clientID: 229387654327387676@core
  clientSecret: $argocd-oidc-credentials:oidc.clientSecret
  requestedScopes:
    - openid
    - profile
    - email
    - groups
  logoutURL: https://iam.example.com/oidc/v1/end_session
# this is temporary during testing because I don't want to get rate limited by letsencrypt while I rebuild the cluster over and over again which uses TLS certs
# ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#skipping-certificate-verification-on-oidc-provider-connections
oidc.tls.insecure.skip.verify: true

For zitadel I used "Web" application type and "Code" auth method. My redirect uri in zitadel app is:
https://argocd.example.com/auth/callback

My logout uri in zitadel app is:
https://argocd.example.com

Additional origins in zitadel app is:
scheme://localhost:8080

I think I have the same auth token options in the zitadel app (user roles/info inside the token):

And the only difference I see in my groups claim is mine is not syntax highlighted? Did I maybe do something wrong here? Did I accidentally delete a semicolon somewhere or something and my dyslexia is just missing it?

Argo CD gives me the zitadel button here:

But when I click it, I get:
Invalid redirect URL: the protocol and host (including port) must match and the path must be within allowed URLs if provided

I'm using the Argo CD helm chart (5.45.0) for this which I think is docker tag argocd:v2.8.2. @stephanrenggli and @fforootd, you've both already done a ton to help get me in the right direction, but do you think you could let me know if there's anything else I could try to troubleshoot this?

My global.logging.level param is set to debug in my Argo CD values.yaml, but when I tail the logs for the server pod while reproducing my error, I get nothing.

[jessebot]

nevermind! I solved it 🤦 I forgot to set the url in the helm chart values. I fixed this by setting:

configs:
  cm:
    url: https://argocd.example.com

[steled]

Hi,

we are also using Zitadel and I configured everything as described above.
My problem is that I'm not admin when I log in.

See below my argocd-cm:

apiVersion: v1
data:
  admin.enabled: "true"
  application.instanceLabelKey: argocd.argoproj.io/instance
  exec.enabled: "false"
  oidc.config: |
    clientID: <REDACTED>
    clientSecret: <REDACTED>
    issuer: https://<REDACTED>.zitadel.cloud
    logoutURL: https://<REDACTED>.zitadel.cloud/oidc/v1/end_session?id_token_hint={{token}}&post_logout_redirect_uri=https%3A%2F%2F<REDACTED>
    name: Zitadel
    requestedScopes:
    - openid
    - profile
    - email
    - groups
    skipAudienceCheckWhenTokenHasNoAudience: true
  server.rbac.log.enforce.enable: "false"
  timeout.hard.reconciliation: 0s
  timeout.reconciliation: 180s
  url: https://<REDACTED>/
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: argocd
    meta.helm.sh/release-namespace: argocd
  creationTimestamp: "2024-07-19T13:28:36Z"
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: argocd
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
    argocd.argoproj.io/instance: argocd
  name: argocd-cm
  namespace: argocd
  resourceVersion: "1021735"
  uid: 2fd831e9-9cc8-4b1c-8103-771fc0af7229

my argocd-rbac-cm:

apiVersion: v1
data:
  policy.csv: |
    g, PG_AZ_A_KKP_Global_Project-Owner, role:admin
  policy.default: ""
  scopes: '[groups]'
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: argocd
    meta.helm.sh/release-namespace: argocd
  creationTimestamp: "2024-07-19T13:28:36Z"
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: argocd
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: v2.9.3
    helm.sh/chart: argo-cd-5.52.1
  name: argocd-rbac-cm
  namespace: argocd
  resourceVersion: "1022471"
  uid: 80ec699f-691d-4e02-909f-af6272b8fd63

and a picture from my User Info:

and a picture after login:

Somebody have an idea whats going on here?

[jessebot]

Can you show us your Zitadel config for custom actions and the app itself as well? You need to have the groups claim custom Action as described here:
https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/zitadel/#setting-up-an-action-in-zitadel

[steled]

Good morning @jessebot,

I checked the logs of argo server and found something interesting:

$ k logs -n argocd argocd-server-5fff897474-m9w9k
time="2024-07-22T07:01:40Z" level=info msg="ArgoCD API Server is starting" built="2023-12-01T23:05:50Z" commit=6eba5be864b7e031871ed7698f5233336dfe75c7 namespace=argocd port=8080 version=v2.9.3+6eba5be
time="2024-07-22T07:01:40Z" level=info msg="Starting configmap/secret informers"
time="2024-07-22T07:01:40Z" level=info msg="Configmap/secret informer synced"
time="2024-07-22T07:01:40Z" level=info msg="invalidated cache for resource in namespace: argocd with the name: argocd-notifications-secret"
time="2024-07-22T07:01:40Z" level=info msg="invalidated cache for resource in namespace: argocd with the name: argocd-notifications-cm"
time="2024-07-22T07:01:40Z" level=info msg="Creating client app (276475928698256994@argo_cd_(dev))"
time="2024-07-22T07:01:40Z" level=info msg="argocd v2.9.3+6eba5be serving on port 8080 (url: https://<REDACTED>:8080/, tls: true, namespace: argocd, sso: true)"
time="2024-07-22T07:01:40Z" level=info msg="Enabled application namespace patterns: argocd"
time="2024-07-22T07:01:40Z" level=info msg="0xc0013b2000 subscribed to settings updates"
time="2024-07-22T07:01:40Z" level=info msg="Starting rbac config informer"
time="2024-07-22T07:01:40Z" level=info msg="RBAC ConfigMap 'argocd-rbac-cm' added"
time="2024-07-22T07:04:40Z" level=info msg="invalidated cache for resource in namespace: argocd with the name: argocd-notifications-secret"
time="2024-07-22T07:04:40Z" level=info msg="invalidated cache for resource in namespace: argocd with the name: argocd-notifications-cm"
time="2024-07-22T07:06:37Z" level=info msg="Initializing OIDC provider (issuer: https://dgops-login-43kbpi.zitadel.cloud)"
time="2024-07-22T07:06:37Z" level=info msg="OIDC supported scopes: [openid profile email phone address offline_access]"

Especially the last line is the important one. It seems that the scope groups is missing even if it is configured in the argocd-cm configMap as you can see in my first picture.

See below my Zitadel action:

/**
 * - retrieve organisation metadata
 * - retrieve user metadata
 * - sets the additional groups claim in the token with the roles from user metadata appended by the orgId from org metadata
 *
 * Requires: ZITADEL >=v2.45.0
 *
 * Flow: Complement token, Triggers: Pre Userinfo creation, Pre access token creation
 *
 * @param ctx
 * @param api
 */

let logger = require('zitadel/log');

function set_groups(ctx, api) {
  let groups = [];
  let userMetadata = ctx.v1.user.getMetadata();

  let roles = userMetadata.metadata.find(md => md.key == 'roles');
  if (roles !== undefined && roles.value !== '') {
    groups = roles.value;
  }

  if (groups.length === 0) {
    if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
      logger.log('❌ No user grants available');
      return;
    }

    ctx.v1.user.grants.grants.forEach(grant => {
      grant.roles.forEach(role => {
        groups.push(role);
      })
    })
  }

  api.v1.claims.setClaim('groups', groups);
}

The flows:

The configured project:

The configured roles:

And the authoriztions:

[steled]

Ok, I don't know what happened during the weekend but it is working now.
I'm only wondering a bit that it is working with the groups scope even in logs is shown:

time="2024-07-22T07:06:40Z" level=info msg="OIDC supported scopes: [openid profile email phone address offline_access]"

[jessebot]

Interesting, I think that looks correct to me, but others are free to chime in if I've missed something. 🤔 I noticed you included let logger = require('zitadel/log'); which is a cool trick! :) Are you able to also check that log to learn any more useful info?

[steled]

@jessebot unfortunately the logger is currently only more interesting for onprem installation cause for online usage it is currently not possible to see it online.