Description
I am currently facing an issue while attempting to set up Single Sign-On (SSO) with GitLab on my ArgoCD deployment. I have deployed ArgoCD with Helm and I have configured Dex in the values.yaml file. I have set a sealed secret for the GitLab clientSecret. However, I am encountering "The requested scope is invalid, unknown, or malformed." on GitLab when trying to authenticate to ArgoCD with GitLab. When I try to reach the Dex server from the UI (http://argocd-server/api/dex/callback) I get a Bad Request User session error.
Details
Setup
- ArgoCD Helm Chart version: 5.47.0
- GitLab version: v16.3.4-ee
Problem Description
After configuring the ArgoCD Dex server and attempting to log in, I get a Bad Request User session error.
Configuration Snippet
argocd-chart/values.yaml:
```yaml
argo-cd:
  server:
    config:
      url: 'http://ip:30080'
      dex.config: |
        connectors:
          - type: 'gitlab'
            id: 'gitlab'
            name: 'GitLab'
            config:
              baseURL: 'https://my.gitlab.com/'
              clientID: 'your-gitlab-client-id'
              clientSecret: $argocd-sso-gitlab:oidc.auth0.clientSecret
              redirectURI: 'http://ip:30080/api/dex/callback'
              groups:
                - Archi
              useLoginAsID: false
```
The ip is a Traefik IngressController exposed with a node port. Here is the ingress:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: argocd-server
  namespace: argo-cd
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`argocd.example.com`)
      priority: 10
      services:
        - name: argo-cd-argocd-server
          port: 80
    - kind: Rule
      match: Host(`argocd.example.com`) && Headers(`Content-Type`, `application/grpc`)
      priority: 11
      services:
        - name: argo-cd-argocd-server
          port: 80
          scheme: h2c
    - kind: Rule
      match: ClientIP(`ip/32`)
      priority: 13
      services:
        - name: argo-cd-argocd-server
          port: 80
```
The first two rules are for access to the ArgoCD app from my laptop (I added a line to /etc/hosts to resolve argocd.example.com as the node IP) and the third rule is for GitLab to be able to reach the ArgoCD app from the node IP.
Error Message
The error message from GitLab is:
The Dex error is (http://argocd.example.com:30080/api/dex/callback):
Additional Context
- The GitLab clientSecret is stored as a sealed secret.
- Dex configuration is injected using ArgoCD Helm Chart values (as shown above).
Request for Assistance
I am seeking guidance on resolving the "User session error" and ensuring the correct integration of Dex with GitLab for SSO. Any insights, suggestions, or troubleshooting steps would be greatly appreciated.
The error that says "The request scope is invalid" generally means the token you generated doesn't have the appropriate scopes associated with it.
I'm using SaaS gitlab, but creating an application on my personal account w/ the 'read_user' and 'openid' scopes was enough to get SSO login working.
Just for reference, my config:
The only issue I'm having otherwise is that the useLoginAsID value doesn't seem to make a difference for me; I'm having to specify the user's login email in Argo's RBAC CSV for applying groups to a specific user. I can apply a role to a group entirely, but also not a user in a group even with the email. E.g.:
- `g, gitlabgroup, role:admin` - works
- `g, [email protected], role:admin` - works
- `g, gitlabgroup:[email protected], role:admin` - doesn't work
- `g, gitlabgroup:mygitlabusername, role:admin` - doesn't work (regardless of useLoginAsID setting)
- `g, mygitlabusername, role:admin` - doesn't work (regardless of useLoginAsID setting)

Also, just for clarification, your Argo instance does not need to be exposed for GitLab to access; for example, I access Argo on an internal network through a VPN, so the ingress controller configuration is only needed if you need it yourself to access Argo.
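The connector snippet in the question and the scope remark in the answer both describe checks that can be done before touching the cluster: the registered redirect URI must be `<url>/api/dex/callback`, the host the browser uses must match the configured `url`, the GitLab OAuth application must carry the scopes Dex asks for (`openid` and `read_user`), and a `$<secret-name>:<key>` reference must be well-formed. The script below is an added example written for this page; it is not code from the issue, from Argo CD or from Dex. The required-scope set, the `$name:key` reference syntax and the `browser_url` parameter are assumptions stated in the comments; the sample connector is a constructed copy of the one in the question with hypothetical hostnames and ids.

```python
import re
from urllib.parse import urlparse

# Assumption: the scopes the Dex GitLab connector requests from the GitLab OAuth application
# (read_user for /api/v4/user, openid for /oauth/userinfo, which also carries the groups claim).
REQUIRED_GITLAB_SCOPES = frozenset({"openid", "read_user"})

# Assumption: Argo CD lets dex.config reference a key of another Secret in its namespace as $<secret-name>:<key>.
SECRET_REF = re.compile(r"^\$(?P<name>[a-z0-9][-a-z0-9.]*):(?P<key>[-._a-zA-Z0-9]+)$")


def parse_secret_ref(value):
    """Return (secret_name, key) for a $name:key reference, or None for a literal value."""
    m = SECRET_REF.match(value)
    return (m.group("name"), m.group("key")) if m else None


def check_gitlab_connector(argocd_url, browser_url, connector, app_scopes):
    """Pre-flight checks for one Dex GitLab connector.

    argocd_url  - the `url` value from argocd-cm / the chart values
    browser_url - hypothetical parameter: the address you actually open Argo CD at
    connector   - one entry of dex.config `connectors`, already parsed
    app_scopes  - scopes granted to the OAuth application on the GitLab side
    Returns a list of findings; an empty list means nothing obvious is wrong.
    """
    findings = []
    cfg = connector.get("config", {})

    if connector.get("type") != "gitlab":
        findings.append("connector type %r is not 'gitlab'" % connector.get("type"))

    # 1. Argo CD serves Dex under <url>/api/dex, so the redirect registered in GitLab
    #    must be exactly <url>/api/dex/callback.
    expected_cb = argocd_url.rstrip("/") + "/api/dex/callback"
    redirect = cfg.get("redirectURI", "")
    if redirect != expected_cb:
        findings.append("redirectURI %r should be %r" % (redirect, expected_cb))

    # 2. The browser, the server `url` and the GitLab redirect must agree on the host Argo CD is served at,
    #    otherwise the session started at login is not the session Dex sees on the callback.
    server_host = urlparse(argocd_url).netloc
    browser_host = urlparse(browser_url).netloc
    if browser_host != server_host:
        findings.append("browser host %r differs from configured url host %r" % (browser_host, server_host))

    # 3. GitLab rejects the authorization request when the application lacks a scope Dex asks for.
    missing = REQUIRED_GITLAB_SCOPES - set(app_scopes)
    if missing:
        findings.append("GitLab application is missing scope(s): %s" % ", ".join(sorted(missing)))

    # 4. The secret reference must be well-formed; whether the Secret exists can only be checked in-cluster.
    secret = cfg.get("clientSecret", "")
    ref = parse_secret_ref(secret)
    if secret.startswith("$") and ref is None:
        findings.append("clientSecret %r is not a valid $<secret-name>:<key> reference" % secret)
    elif ref is None:
        findings.append("clientSecret is a literal value; reference a Kubernetes Secret with $<secret-name>:<key> instead")

    # 5. Placeholders copied from documentation and a non-TLS GitLab base URL.
    if cfg.get("clientID", "").startswith("your-"):
        findings.append("clientID %r looks like a placeholder" % cfg.get("clientID"))
    if not cfg.get("baseURL", "").startswith("https://"):
        findings.append("baseURL should be the https:// URL of the GitLab instance")

    return findings


# Constructed sample mirroring the connector from the question (hypothetical hostnames and ids).
SAMPLE_CONNECTOR = {
    "type": "gitlab",
    "id": "gitlab",
    "name": "GitLab",
    "config": {
        "baseURL": "https://my.gitlab.com/",
        "clientID": "your-gitlab-client-id",
        "clientSecret": "$argocd-sso-gitlab:oidc.auth0.clientSecret",
        "redirectURI": "http://ip:30080/api/dex/callback",
        "groups": ["Archi"],
        "useLoginAsID": False,
    },
}

if __name__ == "__main__":
    # The GitLab application here was created with read_user only, and the browser uses a different host.
    for finding in check_gitlab_connector("http://ip:30080", "http://argocd.example.com:30080",
                                          SAMPLE_CONNECTOR, ["read_user"]):
        print("-", finding)
```

Run it against your own values (parse the `dex.config` string with any YAML library and pass one connector entry) before asking GitLab for a token; a clean run means the redirect, host, scope and secret-reference preconditions hold, and what remains to check is that the referenced Secret actually exists in the Argo CD namespace with that key.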