Implementation of #8272 #10506
Hello there! As we @swisspost are affected by issue #8272 I'd like to contribute this enhancement to Argo CD. I'm not new to Go but new to OIDC/JWTs so I used this here as reference and started doing the same in argo-cd when I realized that this could require more than just an API call to the userinfo endpoint. The problem: To add the groups back into the token, I need to create and sign a new JWT token. Spying on how the cli generates JWT tokens for the Argo CD API I used this key to sign my new JWT token. This works as a new valid JWT token is saved on the client side. However once the client tries to authenticate using this token the elephant appears: time="2022-09-02T11:33:23+02:00" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = invalid session: oidc: id token signed with unsupported algorithm, expected [\"RS256\"] got \"HS256\"" grpc.code=Unauthenticated grpc.method=List grpc.service=application.ApplicationService grpc.start_time="2022-09-02T11:33:23+02:00" grpc.time_ms=5.322 span.kind=server system=grpcOf course I can't resign a token coming from an upstream IDP with a symmetric algorithm and hope that it's valid... Taking a look at how argo-workflows solved this problem I guess to implement #8272 we would need to completely switch Argo CD to issue JWE tokens itself (and also validating them itself rather than using the IDP to validate the JWTs) without passing the oauth2 token from the IDP to the user. But that would be a drastic change in how Argo CD does SSO... So what does the community think about this? Should I try to implement the same approach argo-workflows did or is this considered unacceptable and #8272 can't be implemented? |
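The rejection in the log above is the verifier pinning the accepted signing algorithm: an ID token from the upstream IdP is expected to carry `alg: RS256` and a signature checkable with the IdP's public key, so a token re-signed with a server-side HMAC secret (`HS256`) fails before the signature is even looked at. The following is an added example, not Argo CD's or argo-workflows' code, using only the Go standard library. It mints an RS256 token with a freshly generated RSA key standing in for the IdP, mints the same claims as HS256 the way the post tried, and shows a verifier that accepts the first and rejects the second. The claims, the secret and all function names are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrAlg is returned when the token header names an algorithm the verifier does not accept.
var ErrAlg = errors.New("id token signed with unsupported algorithm")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signingInput builds the base64url(header).base64url(payload) string that gets signed.
func signingInput(alg string, claims map[string]any) (string, error) {
	hdr, err := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	if err != nil {
		return "", err
	}
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	return b64(hdr) + "." + b64(body), nil
}

// MintRS256 signs claims with an RSA private key, as an upstream IdP does.
func MintRS256(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	in, err := signingInput("RS256", claims)
	if err != nil {
		return "", err
	}
	h := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return in + "." + b64(sig), nil
}

// MintHS256 signs claims with a shared secret (the symmetric re-signing the post attempted).
func MintHS256(secret []byte, claims map[string]any) (string, error) {
	in, err := signingInput("HS256", claims)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(in))
	return in + "." + b64(mac.Sum(nil)), nil
}

// VerifyRS256 pins the algorithm to RS256, checks the signature against the IdP public
// key and only then decodes the claims. The alg check comes first so that a token
// claiming HS256 can never be verified with key material meant for RSA.
func VerifyRS256(pub *rsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("%w, expected [\"RS256\"] got %q", ErrAlg, hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, fmt.Errorf("invalid signature: %w", err)
	}
	rawBody, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(rawBody, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the IdP signing key
	claims := map[string]any{"sub": "alice", "groups": []string{"argocd-admins"}} // constructed claims
	good, _ := MintRS256(key, claims)
	bad, _ := MintHS256([]byte("constructed-server-secret"), claims)
	if c, err := VerifyRS256(&key.PublicKey, good); err == nil {
		fmt.Println("accepted:", c["sub"], c["groups"])
	}
	if _, err := VerifyRS256(&key.PublicKey, bad); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Run with `go run .`; the second line of output mirrors the `expected ["RS256"] got "HS256"` wording from the log. The example also makes the post's conclusion concrete: adding groups to the token means producing a new signature, and a signature the IdP's public key cannot verify will be refused regardless of what the claims say, which is why the alternative is for the server to issue and verify its own tokens instead of re-signing the IdP's.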
Replies: 1 comment
Can be closed, is irrelevant and discussion was done in Slack / Issue