argo-cd: "invalid session token: failed to verify signature: failed to verify id token signature" with argocd v2.5.2 and dex v2.35.x

Checklist:

  • I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I’ve included steps to reproduce the bug.
  • I’ve pasted the output of argocd version.

Describe the bug

I found https://github.com/argoproj/argo-cd/pull/11219, which supposedly fixes https://github.com/argoproj/argo-cd/issues/11071 by using ghcr.io/dexidp/dex:v2.35.3 instead of ghcr.io/dexidp/dex:v2.35.3-distroless. When I try using any of these v2.35.x images, I get the following error in the webui when attempting to log in via SSO:

invalid session token: failed to verify signature: failed to verify id token signature

The latest version of dex that works for me is v2.31.2, so I’m working around this in my helm chart (but this leaves us exposed to: https://github.com/argoproj/argo-cd/pull/10939):

dex:
  image:
    tag: v2.31.2

Possible regression of https://github.com/argoproj/argo-cd/issues/1113?

To Reproduce

Use dex v2.35.x (e.g. v2.35.3) with argo-cd v2.5.2. Here’s my dex.config:

configs:
  cm:
    url: ${var.okta_argocd_url}
    dex.config: |
      logger:
        level: debug
      connectors:
        - type: saml
          id: okta
          name: Okta
          config:
            ssoURL: ${var.okta_sso_url}
            caData: |
                ${var.okta_ca_data}
            redirectURI: ${var.okta_sso_redirect}
            usernameAttr: email
            emailAttr: email
            groupsAttr: group

Expected behavior

SSO should work.

Version

argocd: v2.5.2+148d8da
  BuildDate: 2022-11-07T16:42:47Z
  GitCommit: 148d8da7a996f6c9f4d102fdd8e688c2ff3fd8c7
  GitTreeState: clean
  GoVersion: go1.18.8
  Compiler: gc
  Platform: linux/amd64

Logs

Interestingly, auth seems to be working if I look at the dex server logs:

time="2022-11-21T20:35:12Z" level=info msg="parsed and verified saml response attributes <REDACTED>"
time="2022-11-21T20:35:12Z" level=info msg="login successful: connector \"okta\" <REDACTED>"

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 3
  • Comments: 16

Most upvoted comments

@michaelfedell I was experiencing the same issue, fixed by deleting the argocd-server pod. After a new pod was ready I was able to log in.

I have also encountered this using the Dex GitHub Connector. The Dex server logs appear to have logged in successfully and I can see my GH user information; however, the argocd server then cannot validate the token.

Same issue with GitHub connector after upgrading ArgoCD from v2.4 to v2.5.10. argocd-dex-server log:

time="2023-02-06T10:41:48Z" level=info msg="login successful: connector \"github\", [...]

argocd-server log:

time="2023-02-06T10:42:07Z" level=info msg="Initializing OIDC provider (issuer: https://[argocdDomain]/api/dex)"
time="2023-02-06T10:42:07Z" level=warning msg="Failed to verify token: failed to verify token: Failed to query provider \"https://[argocdDomain]/api/dex\": 404 Not Found: Not Found\n"

client log:

{"error":"invalid session: failed to verify the token","code":16,"message":"invalid session: failed to verify the token"}

Issue occurred when trying to add target cluster using argocd-cli

{"level":"fatal","msg":"rpc error: code = Unauthenticated desc = invalid session: failed to verify the token","time":"2023-12-18T16:18:59-06:00"}

Resolved by resetting the argocd context i.e. re-login to argocd cluster via SSO. This issue happens when the ArgoCD server is restarted and argocd context gets invalidated.
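
A diagnostic for the two symptoms reported in this thread (the id token signature failing to verify, and the issuer under /api/dex not resolving), added here as an example and not taken from Argo CD or Dex: it checks whether a token's `kid` and `iss` match the key set and issuer the verifier expects, without verifying the signature itself. That a stale key set is the cause is an assumption the thread does not confirm; `diagnose`, the hostname, the key ids and the dummy signature are constructed.

```python
import base64
import json

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _decode(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def diagnose(id_token, jwks, expected_issuer):
    """List the preconditions for signature verification that do not hold.

    This does not verify the signature; it only inspects token metadata."""
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWS"]
    try:
        header, claims = _decode(parts[0]), _decode(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["token header or payload is not base64url JSON"]
    findings = []
    keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
    kid = header.get("kid")
    if kid not in keys:
        # The verifier has no key with this id, so no signature check can pass.
        findings.append(f"kid {kid!r} not in verifier key set {sorted(keys)}")
    elif keys[kid].get("alg", header.get("alg")) != header.get("alg"):
        findings.append("alg in token header differs from the JWKS key")
    if str(claims.get("iss", "")).rstrip("/") != expected_issuer.rstrip("/"):
        findings.append(f"iss {claims.get('iss')!r} != expected {expected_issuer!r}")
    return findings

# Constructed sample data (assumptions, not values from the thread).
ISSUER = "https://argocd.example.com/api/dex"
CACHED_JWKS = {"keys": [{"kid": "old-key", "kty": "RSA", "alg": "RS256"}]}
CURRENT_JWKS = {"keys": [{"kid": "new-key", "kty": "RSA", "alg": "RS256"}]}
TOKEN = ".".join([_b64url({"alg": "RS256", "kid": "new-key"}),
                  _b64url({"iss": ISSUER, "sub": "user"}), "c2ln"])

if __name__ == "__main__":
    print("against cached keys :", diagnose(TOKEN, CACHED_JWKS, ISSUER))
    print("against current keys:", diagnose(TOKEN, CURRENT_JWKS, ISSUER))
```

An empty result means the key id and issuer line up, so a remaining verification failure lies in the signature or key material itself.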