github.com/argoproj/argo-cd/v2@v2.10.9/docs/operator-manual/user-management/auth0.md

# Auth0

## User-definitions

User definitions in Auth0 are out of scope for this guide. Add users directly in the Auth0 database, use an enterprise registry, or use "social login".

*Note*: all users have access to all Auth0-defined apps unless you restrict access via configuration. Keep this in mind if Argo CD is exposed on the internet, because otherwise any Auth0 user can log in.

## Registering the app with Auth0

Follow the [register app](https://auth0.com/docs/dashboard/guides/applications/register-app-spa) instructions to create the argocd app in Auth0. In the app definition:

* Take note of the _clientId_ and _clientSecret_ values.
* Register the login URL as https://your.argoingress.address/login
* Set the allowed callback URL to https://your.argoingress.address/auth/callback
* Under Connections, select the user registries you want to use with Argo CD.

Any other settings are non-essential for the authentication to work.

## Adding authorization rules to Auth0

Follow the Auth0 [authorization guide](https://auth0.com/docs/authorization) to set up authorization.
The important point is that group membership is a non-standard claim and therefore must be placed under a namespaced (URL-style) claim name, for instance `http://your.domain/groups`.

## Configuring argo

### Configure OIDC for ArgoCD

`kubectl edit configmap argocd-cm`

```
...
data:
  application.instanceLabelKey: argocd.argoproj.io/instance
  url: https://your.argoingress.address
  oidc.config: |
    name: Auth0
    issuer: https://<yourtenant>.<eu|us>.auth0.com/
    clientID: <theClientId>
    clientSecret: <theClientSecret>
    requestedScopes:
      - openid
      - profile
      - email
      # not strictly necessary - but good practice:
      - 'http://your.domain/groups'
...
```

### Configure RBAC for ArgoCD

`kubectl edit configmap argocd-rbac-cm` (or use helm values).

```
...
data:
  policy.csv: |
    # let members of group someProjectGroup handle apps in someProject
    # this can also be defined in the UI in the group definition to avoid doing it here in the configmap
    p, someProjectGroup, applications, *, someProject/*, allow
    # let the OIDC group argocd-global-admins become role:admin - this needs to go into the configmap
    g, argocd-global-admins, role:admin
  policy.default: role:readonly
  # essential to get argo to use groups for RBAC:
  scopes: '[http://your.domain/groups, email]'
...
```

<br>

!!! note "Storing Client Secrets"
    Details on storing your clientSecret securely and correctly can be found on the [User Management Overview page](index.md#sensitive-data-and-sso-client-secrets).
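The following is an added example, not code from the Argo CD project: a simplified, Casbin-style evaluation of the `policy.csv` and `scopes` values above against constructed Auth0 ID-token claims. It shows why the `scopes` entry is essential: if the namespaced groups claim is not listed, the `g` binding never matches and the user silently falls back to `policy.default`. The built-in `role:admin` / `role:readonly` policies are approximated by two stand-in rows, and the claim values are constructed.

```python
import fnmatch

# Constructed sample values mirroring the two ConfigMaps on this page.
POLICY_CSV = """
p, someProjectGroup, applications, *, someProject/*, allow
g, argocd-global-admins, role:admin
"""
# Stand-ins for Argo CD's built-in role policies (assumption; the real ones are broader).
BUILTIN_CSV = """
p, role:admin, *, *, *, allow
p, role:readonly, *, get, *, allow
"""
SCOPES_WITH_GROUPS = "[http://your.domain/groups, email]"  # as configured on this page
SCOPES_DEFAULT = "[groups, email]"                        # effect of leaving 'scopes' out

# Constructed ID-token claims as Auth0 emits them with a namespaced groups claim.
CLAIMS = {
    "sub": "auth0|abc123",
    "email": "alice@example.org",
    "http://your.domain/groups": ["someProjectGroup", "argocd-global-admins"],
}


def parse_scopes(scopes):
    """'[a, b]' from argocd-rbac-cm -> ['a', 'b']."""
    return [s.strip() for s in scopes.strip("[] ").split(",") if s.strip()]


def subjects_from_claims(claims, scopes):
    """Subjects matched against policy.csv: every value of every scoped claim."""
    subjects = set()
    for claim in parse_scopes(scopes):
        value = claims.get(claim)
        values = value if isinstance(value, list) else [value] if value is not None else []
        subjects.update(str(v) for v in values)
    return subjects


def parse_policy(*csv_texts):
    """Split CSV rows into stripped fields, dropping comments and blank lines."""
    lines = (l.split("#", 1)[0].strip() for t in csv_texts for l in t.splitlines())
    return [[f.strip() for f in line.split(",")] for line in lines if line]


def is_allowed(claims, scopes, resource, action, obj, default_role="role:readonly"):
    """Allow if any matching 'p' row allows and none denies (one level of 'g' expansion)."""
    rows = parse_policy(POLICY_CSV, BUILTIN_CSV)
    who = subjects_from_claims(claims, scopes) | {default_role}
    who |= {r[2] for r in rows if r[0] == "g" and r[1] in who}
    effects = {r[5] for r in rows if r[0] == "p" and r[1] in who
               and all(fnmatch.fnmatch(v, p) for v, p in zip((resource, action, obj), r[2:5]))}
    return "allow" in effects and "deny" not in effects
```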