blumeops/argocd
Erich Blume 0e62ad5596 C0: argocd OIDC — switch to public client for CLI SSO
Changes argocd's Authentik OAuth2 client from confidential to public and
drops the clientSecret from argocd-cm. Public + PKCE works for both the
web UI (argocd-server backend) and the argocd CLI (`argocd login --sso`)
without a shared secret, matching OAuth 2.1 guidance.

Confidential → public was needed because the CLI can't hold a client
secret; Authentik's per-app issuer model made the alternative
("cliClientID" pattern with separate public client) awkward since it
requires a shared issuer across apps which Authentik doesn't serve.

Follow-up: deadcode AUTHENTIK_ARGOCD_CLIENT_SECRET env wiring and the
argocd-oidc-authentik ExternalSecret once verified.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 10:34:39 -07:00
apps Deploy Paperless-ngx document management (#328) 2026-04-08 17:54:12 -07:00
manifests C0: argocd OIDC — switch to public client for CLI SSO 2026-04-21 10:34:39 -07:00