feat(server): Allow redirect_uri to be automatically resolved when us…

…ing sso (argoproj#6167)

docs/workflow-controller-configmap.yaml

@@ -293,9 +293,9 @@ data:
  clientSecret:
  name: client-secret-secret
  key: client-secret-key
- # This is the redirect URL supplied to the provider (required). It must
+ # This is the redirect URL supplied to the provider (optional). It must
  # be in the form <argo-server-root-url>/oauth2/callback. It must be
- # browser-accessible.
+ # browser-accessible. If omitted, will be automatically generated.
  redirectUrl: https://argo-server/oauth2/callback
  # Additional scopes to request. Typically needed for SSO RBAC. >= v2.12
  scopes:

server/auth/sso/sso.go

@@ -112,9 +112,6 @@ func newSso(
  if c.ClientSecret.Name == "" || c.ClientSecret.Key == "" {
  return nil, fmt.Errorf("clientSecret empty")
  }
- if c.RedirectURL == "" {
- return nil, fmt.Errorf("redirectUrl empty")
- }
  ctx := context.Background()
  clientSecretObj, err := secretsIf.Get(ctx, c.ClientSecret.Name, metav1.GetOptions{})
  if err != nil {
@@ -193,6 +190,7 @@ func newSso(
 func (s *sso) HandleRedirect(w http.ResponseWriter, r *http.Request) {
  redirectUrl := r.URL.Query().Get("redirect")
  state := pkgrand.RandString(10)
+ opts := []oauth2.AuthCodeOption{}
  http.SetCookie(w, &http.Cookie{
  Name: state,
  Value: redirectUrl,
@@ -201,7 +199,19 @@ func (s *sso) HandleRedirect(w http.ResponseWriter, r *http.Request) {
  SameSite: http.SameSiteLaxMode,
  Secure: s.secure,
  })
- http.Redirect(w, r, s.config.AuthCodeURL(state), http.StatusFound)
+
+ if s.config.RedirectURL == "" {
+ proto := "http"
+
+ if s.secure {
+ proto = "https"
+ }
+
+ oauthRedirectUri := fmt.Sprintf("%s:https://%s%soauth2/callback", proto, r.Host, s.baseHRef)
+ opts = append(opts, oauth2.SetAuthURLParam("redirect_uri", oauthRedirectUri))
+ }
+
+ http.Redirect(w, r, s.config.AuthCodeURL(state, opts...), http.StatusFound)
 }
 
 func (s *sso) HandleCallback(w http.ResponseWriter, r *http.Request) {