Auth0

User-definitions

Defining users in Auth0 is out of scope for this guide. Add them directly in the Auth0 database, use an enterprise directory, or use “social login”. Note: all users have access to all apps defined in Auth0 unless you restrict access via configuration. Keep this in mind if Argo CD is exposed on the internet, or else anyone with an Auth0 login can sign in.

Registering the app with Auth0

Follow the register app instructions to create the argocd app in Auth0. In the app definition:

Any other settings are non-essential for the authentication to work.

Adding authorization rules to Auth0

Follow the Auth0 authorization guide to set up authorization. The important part to note is that group membership is a non-standard claim and therefore has to be added under a fully-qualified (namespaced) claim name, for instance http://your.domain/groups.

Configuring argo

Configure OIDC for ArgoCD

kubectl edit configmap argocd-cm

    ...
    data:
      application.instanceLabelKey: argocd.argoproj.io/instance
      oidc.config: |
        name: Auth0
        issuer: https://<yourtenant>.<eu|us>.auth0.com/
        clientID: <theClientId>
        # instead of an inline plaintext value, this can also be a $-reference to a key in the argocd-secret Secret
        clientSecret: <theClientSecret>
        requestedScopes:
          - openid
          - profile
          - email
          # not strictly necessary - but good practice:
          - 'http://your.domain/groups'
    ...

Configure RBAC for ArgoCD

kubectl edit configmap argocd-rbac-cm (or use Helm values).

    ...
    data:
      policy.csv: |
        # let members of group someProjectGroup handle apps in someProject
        # (this can also be defined per project in the UI, to avoid doing it here in the configmap)
        p, someProjectGroup, applications, *, someProject/*, allow
        # map the OIDC group argocd-global-admins to role:admin - this has to go into the configmap
        g, argocd-global-admins, role:admin
      policy.default: role:readonly
      # essential to get argo to use groups for RBAC:
      scopes: '[http://your.domain/groups, email]'
    ...
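To see how the pieces above fit together (the FQDN groups claim, the scopes setting and policy.csv), here is an added example that is not Argo CD's own code: a simplified model of the RBAC evaluation that turns the claims of an ID token into subjects and glob-matches them against policy.csv. It assumes constructed claims, two stand-in rules for the built-in role:admin and role:readonly, and fnmatch-style globs, which only approximate Argo CD's matcher.

```python
import fnmatch

# Constructed ID-token claims in the shape Auth0 emits once the FQDN groups claim is added
SAMPLE_CLAIMS = {"email": "dev@your.domain", "http://your.domain/groups": ["someProjectGroup"]}
# The page's two policy.csv lines plus simplified stand-ins for Argo CD's built-in roles
POLICY_CSV = """
p, someProjectGroup, applications, *, someProject/*, allow
g, argocd-global-admins, role:admin
p, role:admin, *, *, *, allow
p, role:readonly, *, get, *, allow
"""
SCOPES = ["http://your.domain/groups", "email"]  # the rbac-cm 'scopes' setting
DEFAULT_ROLE = "role:readonly"                    # the rbac-cm 'policy.default' setting

def parse_policy(csv_text):
    """Split policy.csv into p-rules (subject, resource, action, object, effect) and g-rules."""
    rules, groups = [], {}
    for line in csv_text.splitlines():
        parts = [p.strip() for p in line.split("#", 1)[0].split(",")]
        if parts[0] == "p" and len(parts) == 6:
            rules.append(tuple(parts[1:]))
        elif parts[0] == "g" and len(parts) == 3:
            groups.setdefault(parts[1], set()).add(parts[2])
    return rules, groups

def subjects_from_claims(claims, groups):
    """Subjects Argo CD feeds to RBAC: every value of each scope claim plus the default role,
    expanded transitively through g-rules so a group mapped to role:admin inherits its rules."""
    pending, seen = [DEFAULT_ROLE], set()
    for scope in SCOPES:
        value = claims.get(scope, [])          # a missing claim simply contributes no subjects
        pending.extend(value if isinstance(value, list) else [value])
    while pending:
        s = pending.pop()
        if s not in seen:
            seen.add(s)
            pending.extend(groups.get(s, ()))
    return seen

def is_allowed(claims, resource, action, obj, csv_text=POLICY_CSV):
    """Glob-match every subject against the p-rules; an explicit deny wins over any allow."""
    rules, groups = parse_policy(csv_text)
    subjects = subjects_from_claims(claims, groups)
    effects = {eff for sub, res, act, o, eff in rules
               if sub in subjects and fnmatch.fnmatchcase(resource, res)
               and fnmatch.fnmatchcase(action, act) and fnmatch.fnmatchcase(obj, o)}
    return "allow" in effects and "deny" not in effects
```

Remove the groups claim from SAMPLE_CLAIMS (which is what happens when the Auth0 rule or the scopes entry is missing) and the user is left with role:readonly only.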