From 225b0e700870725ef08c453cd879e5da06c69327 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Tue, 21 Apr 2026 10:18:08 -0700
Subject: [PATCH] C0: allow argocd CLI --sso localhost callback

Adds http://localhost:8085/auth/callback to the ArgoCD OAuth2 provider's
redirect_uris so `argocd login --sso` works. Loopback redirect is the
RFC 8252 pattern for native CLI apps; PKCE (already enabled) covers the
code-interception risk.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 argocd/manifests/authentik/configmap-blueprint.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/argocd/manifests/authentik/configmap-blueprint.yaml b/argocd/manifests/authentik/configmap-blueprint.yaml
index 27910ef..aa6a07e 100644
--- a/argocd/manifests/authentik/configmap-blueprint.yaml
+++ b/argocd/manifests/authentik/configmap-blueprint.yaml
@@ -270,6 +270,8 @@ data:
               url: https://argocd.ops.eblu.me/auth/callback
             - matching_mode: strict
               url: https://argocd.tail8d86e.ts.net/auth/callback
+            - matching_mode: strict
+              url: http://localhost:8085/auth/callback
           signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
           property_mappings:
             - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]