argo-cd: Azure not supported for WebUI PKCE Auth Code Flow

Describe the bug

In the upcoming v2.10.0-rc1 release, @Marvin9 added support for using authorization code flow with PKCE in the webUI, which is lovely. ❤️

Unfortunately, Azure is non-compliant with the RFC 8414 standard because the /.well-known/openid-configuration endpoint is missing the code_challenge_methods_supported property. The ArgoCD login flow is stopped when checking for that specific property here: https://github.com/argoproj/argo-cd/blob/3224102664b747e88e7330e59b3b44bc9c28cd66/ui/src/app/login/components/utils.ts#L76-L80

Other projects seem to have the same issue, like kubelogin.

This was brought to the attention of Microsoft in January 2021 and I do not think that they intend to do anything about it.

Proposal

Maybe have a setting, something like forcePKCECodeChallengeMethod: S256, that would skip the code_challenge_methods_supported property check, or just skipPKCECodeChallengeMethod: true?

About this issue

  • State: open
  • Created 6 months ago
  • Comments: 15 (8 by maintainers)

Most upvoted comments

tl;dr I think either

  • there should not be a frontend check for the code_challenge_methods_supported property
  • or there should be a setting to skip the check
  • or there should be a setting to set the challenge method manually and therefore the check is skipped.