diff --git a/server/server.go b/server/server.go
index ccc486bb2c206..6582b2b2335a2 100644
--- a/server/server.go
+++ b/server/server.go
@@ -1583,14 +1583,15 @@ func (server *ArgoCDServer) getClaims(ctx context.Context) (jwt.Claims, string,
 }
 finalClaims := claims
- if server.settings.IsSSOConfigured() {
+ oidcConfig := server.settings.OIDCConfig()
+ if oidcConfig != nil || server.settings.IsDexConfigured() {
 updatedClaims, err := server.ssoClientApp.SetGroupsFromUserInfo(ctx, claims, util_session.SessionManagerClaimsIssuer)
 if err != nil {
 return claims, "", status.Errorf(codes.Unauthenticated, "invalid session: %v", err)
 }
 finalClaims = updatedClaims
 // OIDC tokens are automatically refreshed here prior to expiration
- refreshedToken, err := server.ssoClientApp.CheckAndRefreshToken(ctx, updatedClaims, server.settings.OIDCRefreshTokenThreshold)
+ refreshedToken, err := server.ssoClientApp.CheckAndRefreshToken(ctx, updatedClaims, server.settings.RefreshTokenThresholdWithConfig(oidcConfig))
 if err != nil {
 log.Errorf("error checking and refreshing token: %v", err)
 }
diff --git a/util/oidc/oidc.go b/util/oidc/oidc.go
index ff52a6853a28f..a1f0b35f93a56 100644
--- a/util/oidc/oidc.go
+++ b/util/oidc/oidc.go
@@ -216,7 +216,7 @@ func NewClientApp(settings *settings.ArgoCDSettings, dexServerAddr string, dexTL
 clientCache: cacheClient,
 azure: azureApp{mtx: &sync.RWMutex{}},
 domainHint: domainHint,
- refreshTokenThreshold: settings.OIDCRefreshTokenThreshold,
+ refreshTokenThreshold: settings.RefreshTokenThreshold(),
 }
 log.Infof("Creating client app (%s)", a.clientID)
 u, err := url.Parse(settings.URL)
diff --git a/util/settings/settings.go b/util/settings/settings.go
index dd8c6c1b15b28..25d2a78b14933 100644
--- a/util/settings/settings.go
+++ b/util/settings/settings.go
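Review bot: The new guard `oidcConfig != nil || server.settings.IsDexConfigured()` inlines what `IsSSOConfigured()` previously decided at this site, so the two can silently drift apart if the helper's definition changes later; since the parsed config is also needed for `RefreshTokenThresholdWithConfig(oidcConfig)`, a short comment should record why the helper is bypassed, e.g. `// Same condition as IsSSOConfigured(); the parsed OIDC config is reused for the refresh threshold below.` When only Dex is configured, `oidcConfig` is nil and the threshold comes from the nil branch of RefreshTokenThresholdWithConfig, whose tail lies outside this diff, so that fallback is worth confirming. The enclosing getClaims body starts before and ends after the hunk.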
@@ -136,9 +136,6 @@ type ArgoCDSettings struct {
 // token verification to pass despite the OIDC provider having an invalid certificate. Only set to `true` if you
 // understand the risks.
 OIDCTLSInsecureSkipVerify bool `json:"oidcTLSInsecureSkipVerify"`
- // OIDCRefreshTokenThreshold sets the threshold for preemptive server-side token refresh. If set to 0, tokens
- // will not be refreshed and will expire before client is redirected to login.
- OIDCRefreshTokenThreshold time.Duration `json:"oidcRefreshTokenThreshold,omitempty"`
 // AppsInAnyNamespaceEnabled indicates whether applications are allowed to be created in any namespace
 AppsInAnyNamespaceEnabled bool `json:"appsInAnyNamespaceEnabled"`
 // ExtensionConfig configurations related to ArgoCD proxy extensions. The keys are the extension name.
@@ -1484,7 +1481,6 @@ func getDownloadBinaryUrlsFromConfigMap(argoCDCM *corev1.ConfigMap) map[string]s
 func updateSettingsFromConfigMap(settings *ArgoCDSettings, argoCDCM *corev1.ConfigMap) {
 settings.DexConfig = argoCDCM.Data[settingDexConfigKey]
 settings.OIDCConfigRAW = argoCDCM.Data[settingsOIDCConfigKey]
- settings.OIDCRefreshTokenThreshold = settings.RefreshTokenThreshold()
 settings.KustomizeBuildOptions = argoCDCM.Data[kustomizeBuildOptionsKey]
 settings.StatusBadgeEnabled = argoCDCM.Data[statusBadgeEnabledKey] == "true"
 settings.StatusBadgeRootUrl = argoCDCM.Data[statusBadgeRootURLKey]
@@ -1937,7 +1933,12 @@ func (a *ArgoCDSettings) UserInfoCacheExpiration() time.Duration {
 // RefreshTokenThreshold returns the duration before token expiration that a token should be refreshed by the server
 func (a *ArgoCDSettings) RefreshTokenThreshold() time.Duration {
- if oidcConfig := a.OIDCConfig(); oidcConfig != nil && oidcConfig.RefreshTokenThreshold != "" {
+ return a.RefreshTokenThresholdWithConfig(a.OIDCConfig())
+}
+
+// RefreshTokenThresholdWithConfig takes oidcConfig as param and returns the duration before token expiration that a token should be refreshed by the server
+func (a *ArgoCDSettings) RefreshTokenThresholdWithConfig(oidcConfig *OIDCConfig) time.Duration {
+ if oidcConfig != nil && oidcConfig.RefreshTokenThreshold != "" {
 refreshTokenThreshold, err := time.ParseDuration(oidcConfig.RefreshTokenThreshold)
 if err != nil {
 log.Warnf("Failed to parse 'oidc.config.refreshTokenThreshold' key: %v", err)