SSO login failure: invalid key encryption algorithm: RSA-OAEP-256 #16232

@johnnywalker

Pre-requisites

  • I have double-checked my configuration
  • I have tested with the :latest image tag (i.e. quay.io/argoproj/workflow-controller:latest) and can confirm the issue still exists on :latest. If not, I have explained why, in detail, in my description below.
  • I have searched existing issues and could not find a match for this bug
  • I'd like to contribute the fix myself (see contributing guide)

What happened? What did you expect to happen?

While deploying a new instance, I encountered an error trying to log in via SSO. argo-server completes the authorization code flow successfully and responds with a set-cookie header containing an authorization cookie as expected. The callback response redirects to /, but subsequent requests to /api/v1/userinfo and /api/v1/info return 401 with this response:

{"code":16,"message":"failed to parse encrypted token: asymmetric encryption algorithms not supported for JWT: invalid key encryption algorithm: RSA-OAEP-256"}

The application then navigates to /login where you can start the process over again.

I first tried deleting the sso secret and restarting argo-server, but I investigated further after this didn't change the behavior. I noticed that the error message is emitted by go-jose/v4, and that PR #16213 was merged yesterday. A quick check at quay.io confirmed that latest was rebuilt yesterday, which introduced the bug.

I pinned images to v4.0.5, deleted the sso secret again, restarted argo-server, cleared cookies, and login succeeded.

Version(s)

f7b79b64650002f9982677670fde2e87788741d642354cd9ce850dcb5f1cb975

Paste a minimal workflow that reproduces the issue. We must be able to run the workflow; don't enter a workflow that uses private images.

New installation with SSO (OAuth 2.0 - not Dex)

Logs from the workflow controller

No longer available

Logs from your workflow's wait container

No longer available
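
A triage helper for the failure reported above, added here as an example and not taken from Argo Workflows or go-jose: it reads the `alg` field from the protected header of an encrypted token, assumed to be in JWE compact form, and checks it against an explicit allowlist. The function names, the allowlists, the `enc` value and the sample token are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWEKeyAlg returns the key encryption algorithm ("alg") from the protected
// header of a compact JWE. Nothing is decrypted; only segment 1 is decoded.
func JWEKeyAlg(token string) (string, error) {
	var h struct{ Alg string `json:"alg"` }
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return "", fmt.Errorf("not a compact JWE: %d segments, want 5", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err == nil {
		err = json.Unmarshal(raw, &h)
	}
	if err != nil {
		return "", fmt.Errorf("bad protected header: %w", err)
	}
	return h.Alg, nil
}

// CheckKeyAlg rejects a token whose "alg" is missing from the caller's allowlist.
func CheckKeyAlg(token string, allowed map[string]bool) error {
	alg, err := JWEKeyAlg(token)
	if err != nil {
		return err
	}
	if !allowed[alg] {
		return fmt.Errorf("invalid key encryption algorithm: %s", alg)
	}
	return nil
}

// SampleToken builds a constructed JWE-shaped string; only the header is meaningful.
func SampleToken(alg string) string {
	hdr := fmt.Sprintf(`{"alg":%q,"enc":"A256GCM"}`, alg)
	return base64.RawURLEncoding.EncodeToString([]byte(hdr)) + ".a2V5.aXY.Y3Q.dGFn"
}

func main() {
	tok := SampleToken("RSA-OAEP-256")
	fmt.Println(CheckKeyAlg(tok, map[string]bool{"dir": true, "A256GCMKW": true}))
	fmt.Println(CheckKeyAlg(tok, map[string]bool{"RSA-OAEP-256": true}))
}
```

Running the check against a token captured from a failing session shows whether the issuer and the verifier disagree on the key encryption algorithm before any key material is involved.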
