argoproj/argo-cd
SSO and RBAC
Argo CD has two orthogonal authorization layers: the API authentication layer (who you are) and the RBAC layer (what you can do). They are wired together inside argocd-server.
Authentication
graph LR
User --> CLI[argocd CLI]
User --> Browser[Web UI]
CLI --> Login[argocd login - util/session]
Browser --> OIDC[OIDC flow - util/oidc]
OIDC --> Dex[Dex bridge - argocd-dex]
OIDC --> External[External IdP]
Login --> JWT[JWT signed with server secret]
OIDC --> JWT
JWT --> API[(argocd-server requests)]The API server accepts authentication in three modes:
- Local accounts. Defined in
argocd-cm(accounts.<name>: apiKey, login) with passwords inargocd-secret. The "admin" account is the bootstrap user. Code:server/account/,util/password/,util/session/. - OIDC SSO via Dex.
argocd-dexbrokers an external IdP. The API server's OIDC consumer isutil/oidc/oidc.go. Templates for consent/error pages live inutil/oidc/templates.go. - Direct OIDC (no Dex). Configure
oidc.configinargocd-cmand the API server will talk to the IdP directly. Both code paths shareutil/oidc/oidc.go. - Project tokens. JWTs scoped to an
AppProjectrole. Issued byargocd proj role create-token(cmd/argocd/commands/project_role.go).
Tokens are JWTs signed with a per-server secret; verification is in util/jwt/. Sessions and password handling are in util/session/ and util/password/.
RBAC
Argo CD uses Casbin as the policy engine. The integration code is util/rbac/rbac.go and the API-server-side enforcer is in server/rbacpolicy/.
The policy lives in argocd-rbac-cm and supports:
- Built-in roles (
role:admin,role:readonly,role:none). - Custom roles (
p, role:dev, applications, get, */*, allow). - Group bindings (
g, my-org:devs, role:dev). - Per-project roles (
p, role:my-project-role, applications, sync, my-project/*, allow).
The enforcer evaluates (subject, resource, action, object) tuples. The subject is derived from the JWT's sub and groups claims. Common resources: applications, applicationsets, projects, repositories, clusters, accounts, gpgkeys, certificates, logs, exec, extensions.
Project roles and AppProjects
AppProject adds a tenant boundary. Its spec includes:
sourceRepos— globs of allowed source URLs.destinations— allowed destination clusters/namespaces.clusterResourceWhitelist/namespaceResourceWhitelist— allowed Kubernetes resource kinds.roles[]— project-scoped Casbin policies with optional JWT tokens.
Code: pkg/apis/application/v1alpha1/app_project_types.go, server/project/, cmd/argocd/commands/project.go/project_role.go/projectwindows.go.
Sync windows
AppProject.spec.syncWindows lets operators pause/resume syncing on a schedule. Implementation: cmd/argocd/commands/projectwindows.go and the controller's sync evaluation in controller/sync.go and controller/state.go.
Application-level authentication
Applications themselves can carry an applicationset.spec.template.spec.destination.serviceAccountName (in v3) so the apply runs under a specific SA — see util/clusterauth/ and the argo.go resource-tracking helpers in util/argo/. Impersonation is implemented in util/settings/impersonation.go.
See also
- Dex bridge — OIDC bridge runtime.
- argocd-server — where auth+RBAC plug into the API.
- primitives/appproject — the multi-tenant primitive.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.