Enable AAD OIDC Signin with Federated Credential

[manish222agr]

I want to implement the argocd portal signin using OIDC. I created an AAD App as er guidelines in https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/#entra-id-app-registration-auth-using-oidc.

I want to use the federated credentials, but cannot see any guidelines on it.

I tried to not create secret, but I am getting this error when I try to signin.

failed to get token: oauth2: "invalid_client" "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

Please suggest steps on how an I use federated credentials.

[demolitionmode]

Has anyone been able to solve this? I'm facing the same error. What information is needed to understand the issue?

[kristeroksnes]

Same issue here

[tomtreffke]

Hi @manish222agr, hope you figured it out by now, but for anyone else looking for this:

• make sure you set annotations, not labels on the service account
• on the App-Registration (not Enterprise App) under API Permissions, make sure the Permissions-Name is "User.Read", not "User.ReadAll"

my OIDC Config on the helm Chart looks like this:

oidc.config: |
        name: Azure # MANUALLY CHANGED FROM 'AzureAD'
        issuer: https://login.microsoftonline.com/<tenant-id>/v2.0
        clientID: <application (client) id>
        azure: 
          useWorkloadIdentity: true
        requestedIDTokenClaims:
          groups:
            essential: true
            value: "SecurityGroup"
        requestedScopes:
        - openid
        - profile
        - email

server:

serviceAccount:
    # -- Create server service account
    create: true
    # -- Server service account name
    name: argocd-server
    # -- Annotations applied to created service account
    annotations: 
      azure.workload.identity/client-id: "a123-b123-c123"

BUT

podLabels: 
    azure.workload.identity/use: "true"

credit @rooftop90

[adam230594]

I had this issue and it was due to me setting the redirect_uri for the "Web" platform. I moved it under the "Mobile and desktop applications" which then allowed me to authenticate successfully.