From 0e62ad55961bca8b14a33d766cd4cd0f197c4a9c Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Tue, 21 Apr 2026 10:34:39 -0700
Subject: [PATCH] =?UTF-8?q?C0:=20argocd=20OIDC=20=E2=80=94=20switch=20to?= =?UTF-8?q?=20public=20client=20for=20CLI=20SSO?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Changes argocd's Authentik OAuth2 client from confidential to public and drops the clientSecret from argocd-cm. Public + PKCE works for both the web UI (argocd-server backend) and the argocd CLI (`argocd login --sso`) without a shared secret, matching OAuth 2.1 guidance.

Confidential → public was needed because the CLI can't hold a client secret; Authentik's per-app issuer model made the alternative ("cliClientID" pattern with separate public client) awkward since it requires a shared issuer across apps which Authentik doesn't serve.

Follow-up: deadcode AUTHENTIK_ARGOCD_CLIENT_SECRET env wiring and the argocd-oidc-authentik ExternalSecret once verified.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
argocd/manifests/argocd/argocd-cm-patch.yaml | 1 -
argocd/manifests/authentik/configmap-blueprint.yaml | 3 +--
2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/argocd/manifests/argocd/argocd-cm-patch.yaml b/argocd/manifests/argocd/argocd-cm-patch.yaml
index cb7e27f..54e4ede 100644
--- a/argocd/manifests/argocd/argocd-cm-patch.yaml
+++ b/argocd/manifests/argocd/argocd-cm-patch.yaml
@@ -16,7 +16,6 @@ data:
 name: Authentik
 issuer: https://authentik.ops.eblu.me/application/o/argocd/
 clientID: argocd
- clientSecret: $argocd-oidc-authentik:client-secret
 requestedScopes:
 - openid
 - profile
diff --git a/argocd/manifests/authentik/configmap-blueprint.yaml b/argocd/manifests/authentik/configmap-blueprint.yaml
index aa6a07e..fcbb99b 100644
--- a/argocd/manifests/authentik/configmap-blueprint.yaml
+++ b/argocd/manifests/authentik/configmap-blueprint.yaml
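Review bot: Dropping `clientSecret` does not by itself switch argocd-server to a public-client flow; Argo CD's `oidc.config` has a documented `enablePKCEAuthentication` flag for exactly this case, and nothing in the hunk sets it, so unless it is already present in the part of `oidc.config` outside the hunk the web UI would still exchange the authorization code with neither client credentials nor a code_verifier. I would add `enablePKCEAuthentication: true` next to `clientID: argocd` and confirm that both the browser login and `argocd login --sso` complete against the now-public Authentik client before the ExternalSecret cleanup the message defers. With no secret left, PKCE plus strict redirect matching on the provider side are the only controls binding the code to the party that requested it, so this is worth verifying rather than assuming. The enclosing `oidc.config` block starts before and ends after this hunk.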
@@ -262,9 +262,8 @@ data:
 name: ArgoCD
 authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
 invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
- client_type: confidential
+ client_type: public
 client_id: argocd
- client_secret: !Env AUTHENTIK_ARGOCD_CLIENT_SECRET
 redirect_uris:
 - matching_mode: strict
 url: https://argocd.ops.eblu.me/auth/callback
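Review bot: The only redirect URI visible under `redirect_uris` is the server callback `https://argocd.ops.eblu.me/auth/callback` with `matching_mode: strict`, yet the commit's purpose is `argocd login --sso`, which by default completes on the CLI's local listener (`http://localhost:8085/auth/callback`, port set by `--sso-port`); a strict match will reject that callback unless it is also registered, so the CLI path likely does not work as the message claims. The list may continue past the end of the hunk, so please confirm before merging. If the localhost entry is added, keep `matching_mode: strict` for it too rather than switching to a regex: with `client_type: public` there is no client secret, and strict redirect binding plus PKCE are what prevents a leaked authorization code from being redeemed elsewhere. The provider mapping this hunk edits starts before line 262 in the blueprint.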