github.com/argoproj/argo-cd/v3@v3.2.1/docs/operator-manual/user-management/auth0.md

# Auth0

## User-definitions

User definitions in Auth0 are out of scope for this guide. Add users directly in the Auth0 database, use an enterprise registry, or use "social login".

*Note*: all users have access to all Auth0-defined apps unless you restrict access via configuration. Keep this in mind if Argo CD is exposed on the internet, or else anyone with an account in your Auth0 tenant can log in.

## Registering the app with Auth0

Follow the [register app](https://auth0.com/docs/dashboard/guides/applications/register-app-spa) instructions to create the argocd app in Auth0. In the app definition:

* Take note of the _clientId_ and _clientSecret_ values.
* Register the login URL as `https://your.argoingress.address/login`.
* Set the allowed callback URL to `https://your.argoingress.address/auth/callback`.
* Under Connections, select the user registries you want to use with Argo CD.

Any other settings are non-essential for the authentication to work.

## Adding authorization rules to Auth0

Follow the Auth0 [authorization guide](https://auth0.com/docs/authorization) to set up authorization.
The important point to note here is that group membership is a non-standard claim, so it must be placed under a fully qualified (namespaced) claim name, for instance `http://your.domain/groups`.

## Configuring argo

### Configure OIDC for ArgoCD

`kubectl edit configmap argocd-cm`

```
...
data:
  application.instanceLabelKey: argocd.argoproj.io/instance
  url: https://your.argoingress.address
  oidc.config: |
    name: Auth0
    issuer: https://<yourtenant>.<eu|us>.auth0.com/
    clientID: <theClientId>
    clientSecret: <theClientSecret>
    domain_hint: <theDomainHint>
    requestedScopes:
      - openid
      - profile
      - email
      # not strictly necessary - but good practice:
      - 'http://your.domain/groups'
...
```

### Configure RBAC for ArgoCD

`kubectl edit configmap argocd-rbac-cm` (or use Helm values).

```
...
data:
  policy.csv: |
    # let members with group someProjectGroup handle apps in someProject
    # this can also be defined in the UI in the group definition to avoid doing it here in the configmap
    p, someProjectGroup, applications, *, someProject/*, allow
    # let members of the OIDC group argocd-global-admins become role:admin - needs to go into the configmap
    g, argocd-global-admins, role:admin
  policy.default: role:readonly
  # essential to get argo to use groups for RBAC:
  scopes: '[http://your.domain/groups, email]'
...
```

!!! note "Storing Client Secrets"
    Details on storing your clientSecret securely and correctly can be found on the [User Management Overview page](index.md#sensitive-data-and-sso-client-secrets).
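To see why the `scopes` entry in `argocd-rbac-cm` is essential, the following added example (not Argo CD's own code; Argo CD uses a Casbin engine with a richer model and built-in roles) models how subjects are collected from the token claims named in `scopes`, bound to roles through `g` lines, matched against glob `p` rules, and backed by `policy.default`. The policy, scopes and token claims are constructed to match the configmaps above; the `BUILTIN` role definitions are a deliberately reduced stand-in.

```python
from fnmatch import fnmatchcase

# Constructed sample matching the argocd-rbac-cm shown above.
POLICY_CSV = """\
p, someProjectGroup, applications, *, someProject/*, allow
g, argocd-global-admins, role:admin
"""
RBAC_SCOPES = ["http://your.domain/groups", "email"]
POLICY_DEFAULT = "role:readonly"
# Reduced stand-ins for Argo CD's built-in roles (assumption, not their real definitions).
BUILTIN = {"role:admin": [("*", "*", "*")], "role:readonly": [("*", "get", "*")]}


def parse_policy(csv_text):
    """Split policy.csv into p rules (subject, resource, action, object, effect)
    and g rules (subject, role); blank lines and # comments are skipped."""
    p_rules, g_rules = [], []
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = [x.strip() for x in line.split(",")]
        if f[0] == "p" and len(f) == 6:
            p_rules.append(tuple(f[1:]))
        elif f[0] == "g" and len(f) == 3:
            g_rules.append((f[1], f[2]))
    return p_rules, g_rules


def subjects_from_claims(claims, scopes):
    """Only claims named in `scopes` become RBAC subjects: a list claim
    (the groups claim) contributes every entry, a string claim (email) one."""
    subjects = set()
    for name in scopes:
        value = claims.get(name)
        if isinstance(value, list):
            subjects.update(value)
        elif isinstance(value, str):
            subjects.add(value)
    return subjects


def is_allowed(claims, resource, action, obj, csv_text=POLICY_CSV,
               scopes=RBAC_SCOPES, default_role=POLICY_DEFAULT):
    """Decide resource/action/object for a token: any matching deny wins,
    otherwise a single matching allow (including via policy.default) suffices."""
    p_rules, g_rules = parse_policy(csv_text)
    subjects = subjects_from_claims(claims, scopes)
    subjects.update([role for subj, role in g_rules if subj in subjects])
    subjects.add(default_role)  # policy.default is consulted for every user
    rules = list(p_rules) + [(role, *r, "allow") for role in subjects
                             for r in BUILTIN.get(role, [])]
    allowed = False
    for subj, res, act, o, effect in rules:
        if subj in subjects and all(fnmatchcase(a, b) for a, b in
                                    ((resource, res), (action, act), (obj, o))):
            if effect == "deny":
                return False
            allowed = True
    return allowed
```

Groups delivered under a claim name that is not listed in `scopes` (for example a bare `groups` claim) never become subjects, so such a user only gets the `policy.default` role.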