github.com/argoproj/argo-cd@v1.8.7/docs/operator-manual/user-management/auth0.md

# Auth0

## User-definitions

User definitions in Auth0 are out of scope for this guide. Add them directly in the Auth0 database, use an enterprise registry, or use "social login".
*Note*: all users have access to all Auth0-defined apps unless you restrict access via configuration. Keep this in mind if Argo CD is exposed on the internet, or else anyone can log in.

## Registering the app with Auth0

Follow the [register app](https://auth0.com/docs/dashboard/guides/applications/register-app-spa) instructions to create the argocd app in Auth0. In the app definition:

* Take note of the _clientId_ and _clientSecret_ values.
* Register the login URL as https://your.argoingress.address/login
* Set the allowed callback URL to https://your.argoingress.address/auth/callback
* Under connections, select the user registries you want to use with Argo CD

Any other settings are non-essential for the authentication to work.

## Adding authorization rules to Auth0

Follow the Auth0 [authorization guide](https://auth0.com/docs/authorization) to set up authorization.
The important part to note here is that group membership is a non-standard claim, and hence must be put under a namespaced claim name based on a FQDN, for instance `http://your.domain/groups`.

## Configuring argo

### Configure OIDC for ArgoCD

`kubectl edit configmap argocd-cm`

```
...
data:
  application.instanceLabelKey: argocd.argoproj.io/instance
  oidc.config: |
    name: Auth0
    issuer: https://<yourtenant>.<eu|us>.auth0.com/
    clientID: <theClientId>
    clientSecret: <theClientSecret>
    requestedScopes:
    - openid
    - profile
    - email
    # not strictly necessary - but good practice:
    - 'http://your.domain/groups'
...
```

### Configure RBAC for ArgoCD

`kubectl edit configmap argocd-rbac-cm` (or use helm values).

```
...
data:
  policy.csv: |
    # let members of group someProjectGroup handle apps in someProject
    # this can also be defined in the UI in the project's group definition to avoid doing it here in the configmap
    p, someProjectGroup, applications, *, someProject/*, allow
    # let the OIDC group argocd-global-admins become role:admin - this needs to go into the configmap
    g, argocd-global-admins, role:admin
  policy.default: role:readonly
  # essential to get argo to use groups for RBAC:
  scopes: '[http://your.domain/groups, email]'
...
```
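As an added illustration (not code from the Argo CD project), the following Python snippet models how the `scopes` setting and `policy.csv` above combine: RBAC subjects are taken only from the token claims named in `scopes`, `g` rules map those groups to roles, and `p` rules are glob-matched with deny taking precedence. The two `role:admin`/`role:readonly` lines are constructed stand-ins for Argo CD's built-in policy, and the glob matching is an approximation of the casbin matcher Argo CD actually uses.

```python
import fnmatch
# Constructed sample: the policy.csv from argocd-rbac-cm above, plus two
# simplified lines standing in for Argo CD's built-in roles (assumption:
# the real built-in policy is broader; these only illustrate the flow).
POLICY_CSV = """
p, someProjectGroup, applications, *, someProject/*, allow
g, argocd-global-admins, role:admin
p, role:admin, *, *, *, allow
p, role:readonly, applications, get, */*, allow
"""
POLICY_DEFAULT = "role:readonly"
SCOPES = ["http://your.domain/groups", "email"]

def subjects_from_claims(claims, scopes):
    """Collect RBAC subjects only from the token claims listed in `scopes`;
    every other claim is ignored, so the namespaced groups claim must be there."""
    subjects = []
    for scope in scopes:
        value = claims.get(scope)
        if isinstance(value, list):
            subjects.extend(str(v) for v in value)
        elif value is not None:
            subjects.append(str(value))
    return subjects

def parse_policy(csv_text):
    """Split policy.csv into p-rules (5-tuples) and g-rules (subject -> roles)."""
    perms, groups = [], {}
    for line in csv_text.splitlines():
        parts = [p.strip() for p in line.split("#", 1)[0].split(",")]
        if parts[0] == "p" and len(parts) == 6:
            perms.append(tuple(parts[1:]))
        elif parts[0] == "g" and len(parts) == 3:
            groups.setdefault(parts[1], set()).add(parts[2])
    return perms, groups

def enforce(claims, resource, action, obj, scopes=SCOPES):
    """True if the token holder may perform action on resource/obj (deny wins)."""
    perms, groups = parse_policy(POLICY_CSV)
    subjects, stack = set(), subjects_from_claims(claims, scopes) + [POLICY_DEFAULT]
    while stack:  # resolve g-rules transitively (group -> role -> role ...)
        s = stack.pop()
        if s not in subjects:
            subjects.add(s)
            stack.extend(groups.get(s, ()))
    effects = [eff for sub, res, act, o, eff in perms
               if sub in subjects and fnmatch.fnmatchcase(resource, res)
               and fnmatch.fnmatchcase(action, act) and fnmatch.fnmatchcase(obj, o)]
    return "allow" in effects and "deny" not in effects
```

Dropping `http://your.domain/groups` from `scopes` in the call to `enforce` shows the failure mode the note in the configmap warns about: the group claim is still in the token, but it no longer contributes any subject, so only `policy.default` applies.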