OIDC "invalid argo claims" on v3.0.0 #22973

@Tawmu

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

Using OIDC authentication with Jumpcloud as our provider on earlier versions, we are able to log in to ArgoCD successfully. After upgrading to ArgoCD 3.0 we're greeted with an "invalid argo claims" error.

To Reproduce

Jumpcloud Groups scope:

[Image: screenshot of the Jumpcloud groups scope setting]

OIDC config on Argo pre-3.0:

oidc.config: |
        name: Jumpcloud
        issuer: https://oauth.id.jumpcloud.com/
        clientID: $argocd-staging-jumpcloud:username
        clientSecret: $argocd-staging-jumpcloud:password
        requestedScopes: ["openid", "profile", "email", "groups"]
        cliClientID: $argocd-staging-jumpcloud:jumpcloud_cli_clientid
  rbac:
    scopes: "[groups]"
    policy.default: role:readonly
    policy.csv: |
        p, role:org-admin, applications, *, */*, allow
        p, role:org-admin, clusters, get, *, allow
        p, role:org-admin, repositories, get, *, allow
        p, role:org-admin, repositories, create, *, allow
        p, role:org-admin, repositories, update, *, allow
        p, role:org-admin, repositories, delete, *, allow
        p, role:org-admin, projects, get, *, allow
        p, role:org-admin, projects, create, *, allow
        p, role:org-admin, projects, update, *, allow
        p, role:org-admin, projects, delete, *, allow
        p, role:org-admin, logs, get, *, allow
        p, role:org-admin, exec, create, */*, allow
        g, devops, role:org-admin

Expected behavior

I can log in successfully with administrative roles.

Version

argocd-server: v3.0.0+e98f483

Logs

time="2025-05-14T16:17:58Z" level=info msg="Initializing OIDC provider (issuer: https://oauth.id.jumpcloud.com/)"
time="2025-05-14T16:17:59Z" level=info msg="OIDC supported scopes: [offline_access offline openid email profile]"
time="2025-05-14T16:17:59Z" level=info msg="Performing authorization_code flow login: https://oauth.id.jumpcloud.com/oauth2/auth?client_id=<REDACTED>&redirect_uri=<REDACTED>&response_type=code&scope=openid+profile+email+groups&state=<REDACTED>"
time="2025-05-14T16:18:33Z" level=info msg="finished call" grpc.code=OK grpc.component=server grpc.method=WatchResourceTree grpc.method_type=server_stream grpc.service=application.ApplicationService grpc.start_time="2025-05-14T16:17:13Z" grpc.time_ms=79285.44 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:33Z" level=info msg="finished call" grpc.code=OK grpc.component=server grpc.method=Watch grpc.method_type=server_stream grpc.service=application.ApplicationService grpc.start_time="2025-05-14T16:17:13Z" grpc.time_ms=79266.69 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:36Z" level=info msg="Callback: /auth/callback?code=<REDACTED>&scope=openid+profile+email+groups&state=<REDACTED>"
time="2025-05-14T16:18:36Z" level=info msg="Web login successful. Claims: {\"at_hash\":\"<REDACTED>\",\"aud\":[\"<REDACTED>\"],\"auth_time\":1747239515,\"email\":\"<REDACTED>\",\"email_verified\":true,\"exp\":1747243116,\"family_name\":\"<REDACTED>\",\"given_name\":\"Tom\",\"groups\":\"devops\",\"iat\":1747239516,\"iss\":\"https://oauth.id.jumpcloud.com/\",\"jc_org\":\"<REDACTED>\",\"jti\":\"<REDACTED>\",\"middle_name\":\"\",\"name\":\"Tom <REDACTED>\",\"preferred_username\":\"<REDACTED>\",\"rat\":1747239479,\"sid\":\"<REDACTED>\",\"sub\":\"<REDACTED>\"}"
time="2025-05-14T16:18:37Z" level=info msg="started call" grpc.component=server grpc.method=Version grpc.method_type=unary grpc.service=version.VersionService grpc.start_time="2025-05-14T16:18:37Z" grpc.time_ms=0.011 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:37Z" level=info msg="started call" grpc.component=server grpc.method=Get grpc.method_type=unary grpc.service=cluster.SettingsService grpc.start_time="2025-05-14T16:18:37Z" grpc.time_ms=0.022 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:37Z" level=info msg="Initializing OIDC provider (issuer: https://oauth.id.jumpcloud.com/)"
time="2025-05-14T16:18:37Z" level=info msg="Initializing OIDC provider (issuer: https://oauth.id.jumpcloud.com/)"
time="2025-05-14T16:18:37Z" level=info msg="OIDC supported scopes: [offline_access offline openid email profile]"
time="2025-05-14T16:18:37Z" level=info msg="OIDC supported scopes: [offline_access offline openid email profile]"
time="2025-05-14T16:18:37Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.request.claims="{\"at_hash\":\"<REDACTED>\",\"aud\":[\"<REDACTED>\"],\"auth_time\":1747239515,\"email\":\"<REDACTED>\",\"email_verified\":true,\"exp\":1747243116,\"family_name\":\"<REDACTED>\",\"given_name\":\"Tom\",\"iat\":1747239516,\"iss\":\"https://oauth.id.jumpcloud.com/\",\"jc_org\":\"<REDACTED>\",\"jti\":\"<REDACTED>\",\"middle_name\":\"\",\"name\":\"Tom <REDACTED>\",\"preferred_username\":\"<REDACTED>\",\"rat\":1747239479,\"sid\":\"<REDACTED>\",\"sub\":\"<REDACTED>\"}" grpc.request.content=
time="2025-05-14T16:18:37Z" level=info msg="Ignore status for all objects"
time="2025-05-14T16:18:37Z" level=info msg="finished call" grpc.code=OK grpc.component=server grpc.method=Get grpc.method_type=unary grpc.service=cluster.SettingsService grpc.start_time="2025-05-14T16:18:37Z" grpc.time_ms=465.597 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:37Z" level=info msg="received unary call /version.VersionService/Version" grpc.request.claims="{\"at_hash\":\"<REDACTED>\",\"aud\":[\"<REDACTED>\"],\"auth_time\":1747239515,\"email\":\"<REDACTED>\",\"email_verified\":true,\"exp\":1747243116,\"family_name\":\"<REDACTED>\",\"given_name\":\"Tom\",\"iat\":1747239516,\"iss\":\"https://oauth.id.jumpcloud.com/\",\"jc_org\":\"<REDACTED>\",\"jti\":\"<REDACTED>\",\"middle_name\":\"\",\"name\":\"Tom <REDACTED>\",\"preferred_username\":\"<REDACTED>\",\"rat\":1747239479,\"sid\":\"<REDACTED>\",\"sub\":\"<REDACTED>\"}" grpc.request.content=
time="2025-05-14T16:18:37Z" level=info msg="finished call" grpc.code=OK grpc.component=server grpc.method=Version grpc.method_type=unary grpc.service=version.VersionService grpc.start_time="2025-05-14T16:18:37Z" grpc.time_ms=481.614 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:37Z" level=info msg="started call" grpc.component=server grpc.method=Get grpc.method_type=unary grpc.service=cluster.SettingsService grpc.start_time="2025-05-14T16:18:37Z" grpc.time_ms=0.011 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:37Z" level=info msg="started call" grpc.component=server grpc.method=GetUserInfo grpc.method_type=unary grpc.service=session.SessionService grpc.start_time="2025-05-14T16:18:37Z" grpc.time_ms=0.065 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:37Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.request.claims="{\"at_hash\":\"<REDACTED>\",\"aud\":[\"<REDACTED>\"],\"auth_time\":1747239515,\"email\":\"<REDACTED>\",\"email_verified\":true,\"exp\":1747243116,\"family_name\":\"<REDACTED>\",\"given_name\":\"Tom\",\"iat\":1747239516,\"iss\":\"https://oauth.id.jumpcloud.com/\",\"jc_org\":\"<REDACTED>\",\"jti\":\"<REDACTED>\",\"middle_name\":\"\",\"name\":\"Tom <REDACTED>\",\"preferred_username\":\"<REDACTED>\",\"rat\":1747239479,\"sid\":\"<REDACTED>\",\"sub\":\"<REDACTED>\"}" grpc.request.content=
time="2025-05-14T16:18:37Z" level=info msg="Ignore status for all objects"
time="2025-05-14T16:18:37Z" level=info msg="finished call" grpc.code=OK grpc.component=server grpc.method=Get grpc.method_type=unary grpc.service=cluster.SettingsService grpc.start_time="2025-05-14T16:18:37Z" grpc.time_ms=7.708 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:37Z" level=info msg="started call" grpc.component=server grpc.method=Version grpc.method_type=unary grpc.service=version.VersionService grpc.start_time="2025-05-14T16:18:37Z" grpc.time_ms=0.026 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:37Z" level=info msg="received unary call /session.SessionService/GetUserInfo" grpc.request.claims="{\"at_hash\":\"<REDACTED>\",\"aud\":[\"<REDACTED>\"],\"auth_time\":1747239515,\"email\":\"<REDACTED>\",\"email_verified\":true,\"exp\":1747243116,\"family_name\":\"<REDACTED>\",\"given_name\":\"Tom\",\"iat\":1747239516,\"iss\":\"https://oauth.id.jumpcloud.com/\",\"jc_org\":\"<REDACTED>\",\"jti\":\"<REDACTED>\",\"middle_name\":\"\",\"name\":\"Tom <REDACTED>\",\"preferred_username\":\"<REDACTED>\",\"rat\":1747239479,\"sid\":\"<REDACTED>\",\"sub\":\"<REDACTED>\"}" grpc.request.content=
time="2025-05-14T16:18:37Z" level=info msg="finished call" grpc.code=OK grpc.component=server grpc.method=GetUserInfo grpc.method_type=unary grpc.service=session.SessionService grpc.start_time="2025-05-14T16:18:37Z" grpc.time_ms=19.257 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:37Z" level=info msg="received unary call /version.VersionService/Version" grpc.request.claims="{\"at_hash\":\"<REDACTED>\",\"aud\":[\"<REDACTED>\"],\"auth_time\":1747239515,\"email\":\"<REDACTED>\",\"email_verified\":true,\"exp\":1747243116,\"family_name\":\"<REDACTED>\",\"given_name\":\"Tom\",\"iat\":1747239516,\"iss\":\"https://oauth.id.jumpcloud.com/\",\"jc_org\":\"<REDACTED>\",\"jti\":\"<REDACTED>\",\"middle_name\":\"\",\"name\":\"Tom <REDACTED>\",\"preferred_username\":\"<REDACTED>\",\"rat\":1747239479,\"sid\":\"<REDACTED>\",\"sub\":\"<REDACTED>\"}" grpc.request.content=
time="2025-05-14T16:18:37Z" level=info msg="finished call" grpc.code=OK grpc.component=server grpc.method=Version grpc.method_type=unary grpc.service=version.VersionService grpc.start_time="2025-05-14T16:18:37Z" grpc.time_ms=18.286 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:37Z" level=info msg="started call" grpc.component=server grpc.method=List grpc.method_type=unary grpc.service=cluster.ClusterService grpc.start_time="2025-05-14T16:18:37Z" grpc.time_ms=0.015 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:37Z" level=info msg="started call" grpc.component=server grpc.method=List grpc.method_type=unary grpc.service=application.ApplicationService grpc.start_time="2025-05-14T16:18:37Z" grpc.time_ms=0.017 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:37Z" level=error msg="finished call" grpc.code=Internal grpc.component=server grpc.error="rpc error: code = Internal desc = invalid argo claims" grpc.method=List grpc.method_type=unary grpc.service=cluster.ClusterService grpc.start_time="2025-05-14T16:18:37Z" grpc.time_ms=4.246 peer.address="[::1]:45690" protocol=grpc
time="2025-05-14T16:18:37Z" level=error msg="finished call" grpc.code=Internal grpc.component=server grpc.error="rpc error: code = Internal desc = invalid argo claims" grpc.method=List grpc.method_type=unary grpc.service=application.ApplicationService grpc.start_time="2025-05-14T16:18:37Z" grpc.time_ms=4.194 peer.address="[::1]:45690" protocol=grpc
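
A triage sketch for the log excerpt above (an added example, not part of the original issue and not Argo CD code): it parses the logrus text lines, reports whether each claim named in the RBAC `scopes` setting arrived as a list at login, and whether it is still present in `grpc.request.claims` on later calls. The function names and the trimmed sample lines are constructed for illustration.

```python
import json
import re

# logfmt pair: key=value, where value is bare or a double-quoted string with backslash escapes
PAIR = re.compile(r'([\w.]+)=("(?:[^"\\]|\\.)*"|\S*)')
LOGIN_PREFIX = "Web login successful. Claims: "

def parse_logfmt(line):
    """Return the key/value fields of one logrus text-format line."""
    fields = {}
    for key, raw in PAIR.findall(line):
        # Assumption: the quoted values only use escapes that json.loads understands
        fields[key] = json.loads(raw) if raw.startswith('"') else raw
    return fields

def audit_scope_claims(lines, rbac_scopes=("groups",)):
    """Compare RBAC scope claims seen at login with those attached to later gRPC calls."""
    findings, login = [], None
    for line in lines:
        f = parse_logfmt(line)
        msg = f.get("msg", "")
        if msg.startswith(LOGIN_PREFIX):
            login = json.loads(msg[len(LOGIN_PREFIX):])
            for scope in rbac_scopes:
                if scope not in login:
                    findings.append(("login", scope, "missing"))
                elif not isinstance(login[scope], list):
                    # the claim is present but is not a JSON array; record its type
                    findings.append(("login", scope, type(login[scope]).__name__))
        elif "grpc.request.claims" in f and login is not None:
            claims = json.loads(f["grpc.request.claims"])
            method = msg.rsplit(" ", 1)[-1]
            for scope in rbac_scopes:
                if scope in login and scope not in claims:
                    findings.append((method, scope, "dropped"))
        elif f.get("level") == "error" and "grpc.error" in f:
            call = f.get("grpc.service", "") + "/" + f.get("grpc.method", "")
            findings.append((call, "error", f["grpc.error"]))
    return findings

# Constructed sample: three lines trimmed to the shape of the log excerpt above
SAMPLE = [
    r'time="2025-05-14T16:18:36Z" level=info msg="Web login successful. Claims: {\"email_verified\":true,\"groups\":\"devops\",\"iss\":\"https://oauth.id.jumpcloud.com/\"}"',
    r'time="2025-05-14T16:18:37Z" level=info msg="received unary call /cluster.SettingsService/Get" grpc.request.claims="{\"email_verified\":true,\"iss\":\"https://oauth.id.jumpcloud.com/\"}" grpc.request.content=',
    r'time="2025-05-14T16:18:37Z" level=error msg="finished call" grpc.code=Internal grpc.error="rpc error: code = Internal desc = invalid argo claims" grpc.method=List grpc.service=cluster.ClusterService',
]

if __name__ == "__main__":
    for finding in audit_scope_claims(SAMPLE):
        print(finding)
```

Feeding it the full `argocd-server` log instead of `SAMPLE` gives one finding per affected call, which makes it easy to see at which step the `groups` claim stops appearing.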

Labels: bug, component:oidc, more-information-needed, regression
