fix(dex): always request federated:id scope

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

Author: agaudreault

common/common.go

@@ -158,6 +158,8 @@ const (
 	ArgoCDCLIClientAppName = "Argo CD CLI"
 	// ArgoCDCLIClientAppID is the Oauth client ID we will use when registering our CLI to dex
 	ArgoCDCLIClientAppID = "argo-cd-cli"
+	// DexFederatedScope allows to receive the federated_claims from Dex. https://dexidp.io/docs/configuration/custom-scopes-claims-clients/
+	DexFederatedScope = "federated:id"
 )
 
 // Resource metadata labels and annotations (keys and values) used by Argo CD components

pkg/apiclient/apiclient.go

@@ -327,9 +327,10 @@ func (c *client) OIDCConfig(ctx context.Context, set *settingspkg.Settings) (*oa
 			clientID = set.OIDCConfig.ClientID
 		}
 		issuerURL = set.OIDCConfig.Issuer
-		scopes = set.OIDCConfig.Scopes
+		scopes = oidcutil.GetScopesOrDefault(set.OIDCConfig.Scopes)
 	case set.DexConfig != nil && len(set.DexConfig.Connectors) > 0:
 		clientID = common.ArgoCDCLIClientAppID
+		scopes = append(oidcutil.GetScopesOrDefault(scopes), common.DexFederatedScope)
 		issuerURL = fmt.Sprintf("%s%s", set.URL, common.DexAPIEndpoint)
 	default:
 		return nil, nil, fmt.Errorf("%s is not configured with SSO", c.ServerAddr)
@@ -342,7 +343,6 @@ func (c *client) OIDCConfig(ctx context.Context, set *settingspkg.Settings) (*oa
 	if err != nil {
 		return nil, nil, fmt.Errorf("Failed to parse provider config: %w", err)
 	}
-	scopes = oidcutil.GetScopesOrDefault(scopes)
 	if oidcutil.OfflineAccess(oidcConf.ScopesSupported) {
 		scopes = append(scopes, oidc.ScopeOfflineAccess)
 	}

util/oidc/oidc.go

@@ -314,10 +314,13 @@ func (a *ClientApp) HandleLogin(w http.ResponseWriter, r *http.Request) {
 	scopes := make([]string, 0)
 	var opts []oauth2.AuthCodeOption
 	if config := a.settings.OIDCConfig(); config != nil {
-		scopes = config.RequestedScopes
+		scopes = GetScopesOrDefault(config.RequestedScopes)
 		opts = AppendClaimsAuthenticationRequestParameter(opts, config.RequestedIDTokenClaims)
+	} else if a.settings.IsDexConfigured() {
+		scopes = append(GetScopesOrDefault(scopes), common.DexFederatedScope)
 	}
-	oauth2Config, err := a.oauth2Config(r, GetScopesOrDefault(scopes))
+
+	oauth2Config, err := a.oauth2Config(r, scopes)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return

util/oidc/oidc_test.go

@@ -21,6 +21,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/oauth2"
+	"sigs.k8s.io/yaml"
 
 	"github.com/argoproj/argo-cd/v3/common"
 	"github.com/argoproj/argo-cd/v3/server/settings/oidc"
@@ -204,6 +205,108 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
 	})
 
+	t.Run("OIDC auth", func(t *testing.T) {
+		cdSettings := &settings.ArgoCDSettings{
+			URL:                       "https://argocd.example.com",
+			OIDCTLSInsecureSkipVerify: true,
+		}
+		oidcConfig := settings.OIDCConfig{
+			Name:         "Test",
+			Issuer:       oidcTestServer.URL,
+			ClientID:     "xxx",
+			ClientSecret: "yyy",
+		}
+		oidcConfigRaw, err := yaml.Marshal(oidcConfig)
+		require.NoError(t, err)
+		cdSettings.OIDCConfigRAW = string(oidcConfigRaw)
+
+		app, err := NewClientApp(cdSettings, dexTestServer.URL, &dex.DexTLSConfig{StrictValidation: false}, "https://argocd.example.com", cache.NewInMemoryCache(24*time.Hour))
+		require.NoError(t, err)
+
+		req := httptest.NewRequest(http.MethodGet, "https://argocd.example.com/auth/login", nil)
+		w := httptest.NewRecorder()
+		app.HandleLogin(w, req)
+
+		assert.Equal(t, http.StatusSeeOther, w.Code)
+		location, err := url.Parse(w.Header().Get("Location"))
+		require.NoError(t, err)
+		values, err := url.ParseQuery(location.RawQuery)
+		require.NoError(t, err)
+		assert.Equal(t, []string{"openid", "profile", "email", "groups"}, strings.Split(values.Get("scope"), " "))
+		assert.Equal(t, "xxx", values.Get("client_id"))
+		assert.Equal(t, "code", values.Get("response_type"))
+	})
+
+	t.Run("OIDC auth with custom scopes", func(t *testing.T) {
+		cdSettings := &settings.ArgoCDSettings{
+			URL:                       "https://argocd.example.com",
+			OIDCTLSInsecureSkipVerify: true,
+		}
+		oidcConfig := settings.OIDCConfig{
+			Name:            "Test",
+			Issuer:          oidcTestServer.URL,
+			ClientID:        "xxx",
+			ClientSecret:    "yyy",
+			RequestedScopes: []string{"oidc"},
+		}
+		oidcConfigRaw, err := yaml.Marshal(oidcConfig)
+		require.NoError(t, err)
+		cdSettings.OIDCConfigRAW = string(oidcConfigRaw)
+
+		app, err := NewClientApp(cdSettings, dexTestServer.URL, &dex.DexTLSConfig{StrictValidation: false}, "https://argocd.example.com", cache.NewInMemoryCache(24*time.Hour))
+		require.NoError(t, err)
+
+		req := httptest.NewRequest(http.MethodGet, "https://argocd.example.com/auth/login", nil)
+		w := httptest.NewRecorder()
+		app.HandleLogin(w, req)
+
+		assert.Equal(t, http.StatusSeeOther, w.Code)
+		location, err := url.Parse(w.Header().Get("Location"))
+		require.NoError(t, err)
+		values, err := url.ParseQuery(location.RawQuery)
+		require.NoError(t, err)
+		assert.Equal(t, []string{"oidc"}, strings.Split(values.Get("scope"), " "))
+		assert.Equal(t, "xxx", values.Get("client_id"))
+		assert.Equal(t, "code", values.Get("response_type"))
+	})
+
+	t.Run("Dex auth", func(t *testing.T) {
+		cdSettings := &settings.ArgoCDSettings{
+			URL: dexTestServer.URL,
+		}
+		dexConfig := map[string]any{
+			"connectors": []map[string]any{
+				{
+					"type": "github",
+					"name": "GitHub",
+					"config": map[string]any{
+						"clientId":     "aabbccddeeff00112233",
+						"clientSecret": "aabbccddeeff00112233",
+					},
+				},
+			},
+		}
+		dexConfigRaw, err := yaml.Marshal(dexConfig)
+		require.NoError(t, err)
+		cdSettings.DexConfig = string(dexConfigRaw)
+
+		app, err := NewClientApp(cdSettings, dexTestServer.URL, &dex.DexTLSConfig{StrictValidation: false}, "https://argocd.example.com", cache.NewInMemoryCache(24*time.Hour))
+		require.NoError(t, err)
+
+		req := httptest.NewRequest(http.MethodGet, "https://argocd.example.com/auth/login", nil)
+		w := httptest.NewRecorder()
+		app.HandleLogin(w, req)
+
+		assert.Equal(t, http.StatusSeeOther, w.Code)
+		location, err := url.Parse(w.Header().Get("Location"))
+		require.NoError(t, err)
+		values, err := url.ParseQuery(location.RawQuery)
+		require.NoError(t, err)
+		assert.Equal(t, []string{"openid", "profile", "email", "groups", common.DexFederatedScope}, strings.Split(values.Get("scope"), " "))
+		assert.Equal(t, common.ArgoCDClientAppID, values.Get("client_id"))
+		assert.Equal(t, "code", values.Get("response_type"))
+	})
+
 	t.Run("with additional base URL", func(t *testing.T) {
 		cdSettings := &settings.ArgoCDSettings{
 			URL:                       "https://argocd.example.com",