
feat(auth): add PKCE authentication support to OIDC Single Sign-On (SSO) #16288

Open

ArjunPakhan wants to merge 2 commits into argoproj:main from ArjunPakhan:feat/sso-pkce-support

Conversation

@ArjunPakhan


Description

This PR introduces support for Proof Key for Code Exchange (PKCE) (RFC 7636) within the Argo Workflows Single Sign-On (SSO) authentication pipeline.

By utilizing PKCE with the S256 challenge method, the authorization flow becomes resilient to authorization code interception attacks. This significantly strengthens security postures when utilizing public or loosely protected OpenID Connect (OIDC) / OAuth2 identity providers.

Key Changes

  • Configuration Toggle: Added the EnablePKCEAuthentication configuration flag in config/sso.go to safely opt-in to the PKCE pipeline.
  • Stateless Challenge Handling: Updated HandleRedirect inside server/auth/sso/sso.go to securely generate a high-entropy 43-character code_verifier, calculate its SHA-256 hash (code_challenge), and statefully append the verifier to the localized state cookie (verifier|finalRedirectURL).
  • Interception Verification: Updated HandleCallback to safely parse and extract the code_verifier back from the incoming state validation cookie, passing it directly into the downstream execution block for s.config.Exchange(...).
  • Backward Compatibility: Fully preserves original non-PKCE standard OAuth2 callback paths when EnablePKCEAuthentication is turned off.

Type of Change

  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Verification & Testing Results

Automated Tests

Ran internal SSO ecosystem test sweeps locally to ensure Zero-Regression across traditional state matching logic:

go test -v ./server/auth/sso/...
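The flow the description sketches, as an added stand-alone example rather than code from this PR or from Argo Workflows: generate a 43-character verifier, derive the S256 challenge, pack the verifier into the state cookie as verifier|finalRedirectURL, and on the callback parse it back, re-validate it against RFC 7636 and hand it to the token exchange (here modelled by ProviderVerify, since the real check is done by the identity provider). Only the standard library is used; the function names, the redirect URL and the walk-through in main are constructed for illustration. With golang.org/x/oauth2 the provider-facing calls are AuthCodeURL(state, oauth2.S256ChallengeOption(verifier)) and Exchange(ctx, code, oauth2.VerifierOption(verifier)). Note that the cookie carries the verifier in the clear, so it must be HttpOnly and Secure, and it is exactly the value the later review comment wants encrypted.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// RFC 7636 section 4.1: code_verifier is 43..128 chars from the unreserved set.
const (
	verifierMinLen   = 43
	verifierMaxLen   = 128
	verifierAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)

// GenerateVerifier returns 32 random bytes base64url-encoded without padding,
// which is exactly 43 characters (the same construction oauth2.GenerateVerifier uses).
func GenerateVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", fmt.Errorf("pkce: reading random bytes: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// S256Challenge is BASE64URL(SHA256(ASCII(verifier))) without padding (RFC 7636 4.2).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ValidateVerifier rejects anything outside the RFC length and charset, so a
// tampered cookie cannot push arbitrary bytes into the token request.
func ValidateVerifier(v string) error {
	if len(v) < verifierMinLen || len(v) > verifierMaxLen {
		return fmt.Errorf("pkce: verifier length %d outside %d..%d", len(v), verifierMinLen, verifierMaxLen)
	}
	for _, c := range v {
		if !strings.ContainsRune(verifierAlphabet, c) {
			return fmt.Errorf("pkce: verifier contains disallowed character %q", c)
		}
	}
	return nil
}

// EncodeState builds the "verifier|finalRedirectURL" cookie value. The verifier
// alphabet has no '|', so the separator stays unambiguous even if the URL has one.
func EncodeState(verifier, redirectURL string) (string, error) {
	if err := ValidateVerifier(verifier); err != nil {
		return "", err
	}
	return verifier + "|" + redirectURL, nil
}

// ParseState is the callback-side inverse: split on the first '|' and
// re-validate the verifier before it is passed to the token exchange.
func ParseState(state string) (verifier, redirectURL string, err error) {
	i := strings.IndexByte(state, '|')
	if i < 0 {
		return "", "", errors.New("pkce: state cookie has no verifier separator")
	}
	verifier, redirectURL = state[:i], state[i+1:]
	if err := ValidateVerifier(verifier); err != nil {
		return "", "", err
	}
	return verifier, redirectURL, nil
}

// ProviderVerify models the identity provider's token-endpoint check (RFC 7636 4.6):
// the presented code_verifier must hash to the code_challenge stored with the code.
func ProviderVerify(storedChallenge, presentedVerifier string) bool {
	got := S256Challenge(presentedVerifier)
	return subtle.ConstantTimeCompare([]byte(storedChallenge), []byte(got)) == 1
}

func main() {
	// Constructed walk-through of one login, both halves in one process.
	verifier, err := GenerateVerifier()
	if err != nil {
		panic(err)
	}
	challenge := S256Challenge(verifier) // goes to the IdP in the authorization request
	cookie, _ := EncodeState(verifier, "https://argo.example/workflows?f=a|b")
	fmt.Printf("code_challenge=%s&code_challenge_method=S256\n", challenge)

	v, redirect, err := ParseState(cookie) // callback side
	if err != nil {
		panic(err)
	}
	fmt.Println("redirect after login:", redirect)
	fmt.Println("provider accepts cookie verifier:", ProviderVerify(challenge, v))
	// An attacker holding only the intercepted authorization code has no verifier.
	fmt.Println("provider accepts guessed verifier:", ProviderVerify(challenge, strings.Repeat("a", 43)))
}
```

ValidateVerifier runs on both sides on purpose: the cookie is client-held data, so the callback should treat whatever comes back as untrusted input even though the server wrote it.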
Adds EnablePKCEAuthentication config field and implements structural S256 code challenge generation and verifier extraction via stateless cookie tracking.
@ArjunPakhan ArjunPakhan requested a review from a team as a code owner June 19, 2026 16:49
@isubasinghe

Member

Hey a few things that should be done in order to get this into a reviewable state.

Run make lint.
Ensure the UI tests are passing.
Add a markdown file to describe your feature here: https://github.com/argoproj/argo-workflows/tree/main/.features/pending
And finally sign off your commit with git commit -m {msg} --signoff

@MasonM MasonM left a comment

Member


It looks like this is duplicating the functionality of #16093, and has some of the same issues (e.g. code_challenge isn't encrypted).


3 participants