Bad Gateway at the end of OIDC flow with Microsoft Entra and no Dex

[NiklasRosenstein]

I'm trying to enable Microsoft Entra as SSO for our ArgoCD instance installed from the Helm chart (v7.7.6) using OIDC (not SAML). I've followed the guide here: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/#entra-id-app-registration-auth-using-oidc

The relevant Helm values I use are:

    dex:
      enabled: false
    configs:
      cm:
        url: https://{{ .Values.ingress.host }}/
        oidc.config: |
          name: AzureAD
          issuer: '{{ required ".oidc.issuer missing" .Values.oidc.issuer }}'
          clientID: '{{ required ".oidc.clientID missing" .Values.oidc.clientID }}'
          clientSecret: $oidc.azure.clientSecret
          requestedIDTokenClaims:
            groups:
              essential: true
              value: "SecurityGroup"
          requestedScopes:
          - openid
          - profile
          - email
      secret:
        extra:
          oidc.azure.clientSecret: '{{ required ".oidc.clientSecret missing" .Values.oidc.clientSecret }}'

When I log in via SSO in ArgoCD, I get directed through Entra and back to ArgoCD, but then the Ingress returns a 502 😕 We're using ingress-nginx

From the argocd-server logs, it seems the login succeeds:

The ingress-nginx logs are not much more helpful:

Any idea what's going on? Thank you!

Edit: I get the same behavior on ArgoCD 2.12.4 (Helm Chart 7.6.10).

[performation]

Same behavious with 2.14.10
This seems to only happen when there are (many) groups in the goups claim.

[puffitos]

We resolved that problem by configuring groups in the dex configuration, by adding only the relevant OIDC groups that a user should have when trying to log in.

For your reference, a snippet from our gitlab dex config:

apiVersion: v1
data:
  dex.config: |
    connectors:
      - name: Gitlab
        type: gitlab
        id: gitlab
        config:
          clientID: your-ID
          baseURL: my-gitlab-nstance.com
          clientSecret: $gitlab-oidc:secret # ref to a secret
          redirectURI: my-gitlab-instance.com/api/dex/callback
          url: https://cool-argo.mydomain.com
          groups:
          - admins
          - non-admins
          - trainees
kind: ConfigMap
  name: argocd-cm
  namespace: argocd

[sugibuchi]

We encountered exactly the same problem. In our case, we found the following log in the Nginx ingress controller's log:

2025/09/12 19:06:32 [error] 13824#13824: *78309681 upstream sent too big header while reading response header from upstream,  ...

After searching in the internet, adding the following annotations to the Argo CD ingress setting solved the problem.

  ingress:
    enabled: true
    ...
    annotations:
      nginx.ingress.kubernetes.io/proxy-buffers: "4"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"