argo-cd: "invalid session token: failed to verify signature: failed to verify id token signature" with argocd v2.5.2 and dex v2.35.x
Checklist:
- I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
- I’ve included steps to reproduce the bug.
- I’ve pasted the output of argocd version.
Describe the bug
I found https://github.com/argoproj/argo-cd/pull/11219, which supposedly fixes https://github.com/argoproj/argo-cd/issues/11071 by using ghcr.io/dexidp/dex:v2.35.3 instead of ghcr.io/dexidp/dex:v2.35.3-distroless. When I try using any of these v2.35.x images, I get the following error in the webui when attempting to log in via SSO:
invalid session token: failed to verify signature: failed to verify id token signature
The latest version of dex that works for me is v2.31.2, so I’m working around this in my helm chart (but this leaves us exposed to: https://github.com/argoproj/argo-cd/pull/10939):
    dex:
      image:
        tag: v2.31.2
Possible regression of https://github.com/argoproj/argo-cd/issues/1113?
To Reproduce
Use dex v2.35.x (e.g. v2.35.3) with argo-cd v2.5.2. Here’s my dex.config:
    configs:
      cm:
        url: ${var.okta_argocd_url}
        dex.config: |
          logger:
            level: debug
          connectors:
          - type: saml
            id: okta
            name: Okta
            config:
              ssoURL: ${var.okta_sso_url}
              caData: |
                ${var.okta_ca_data}
              redirectURI: ${var.okta_sso_redirect}
              usernameAttr: email
              emailAttr: email
              groupsAttr: group
Expected behavior
SSO should work.
Version
argocd: v2.5.2+148d8da
BuildDate: 2022-11-07T16:42:47Z
GitCommit: 148d8da7a996f6c9f4d102fdd8e688c2ff3fd8c7
GitTreeState: clean
GoVersion: go1.18.8
Compiler: gc
Platform: linux/amd64
Logs
Interestingly, auth seems to be working if I look at the dex server logs:
time="2022-11-21T20:35:12Z" level=info msg="parsed and verified saml response attributes <REDACTED>"
time="2022-11-21T20:35:12Z" level=info msg="login successful: connector \"okta\" <REDACTED>"
About this issue
- State: open
- Created 2 years ago
- Reactions: 3
- Comments: 16
@michaelfedell I was experiencing the same issue, fixed by deleting the argocd-server pod. After a new pod was ready I was able to log in.
I have also encountered this using the Dex GitHub Connector. The Dex server logs appear to have logged in successfully and I can see my GH user information; however, the argocd server then cannot validate the token.
same issue with Github connector after upgrading ArgoCD from v2.4 to v2.5.10.
argocd-dex-server log:
argocd-server log:
client log:
Issue occurred when trying to add target cluster using argocd-cli.
Resolved by resetting the argocd context i.e. re-login to argocd cluster via SSO. This issue happens when the ArgoCD server is restarted and argocd context gets invalidated.