I've been struggling with Workflows SSO using Entra for a while now and have simplified my approach to using OIDC with a secret. Everything works fine until I hit the /oauth2/callback URL. At that point, my browser receives a 401 response, and the Argo server logs display an error: `"failed to verify the id token issued" error="expected audience \"xxx-xxx\n\" got [\"xxx-xxx\"]"`. It seems the audience is returning with a newline character, and the only place I can find this record is in the client-id secret that's part of the SSO configuration. Even though the ID is sent correctly during the issuer steps, I'm confused as to why this issue is happening. Am I alone in dealing with OIDC and Entra?
1 Answer
It sounds like the error is tied to how you've set up Argo. The expected audience doesn't match the ID token being issued, which usually suggests a stray newline character in your Argo configuration. I'd recommend checking your YAML files carefully—you might have added an extra line by accident. It’s a common mistake!
I really wish it was just a simple newline in the YAML! I've already checked every single file with `cat -e` and they all look standard. I even created a whole new Client ID secret and still ran into the same issue. No weird characters anywhere, it’s pretty puzzling. 🙁
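One way to check the decoded bytes of a base64-encoded Secret value for a trailing newline (the classic result of `echo value | base64` instead of `printf '%s' value | base64`), as an added example that is not part of the original thread. The client ID `xxx-xxx` and the Secret name and key in the comments are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: detect a trailing newline hidden inside a base64-encoded
# Kubernetes Secret value. `cat -e` on the YAML will not show it, because the
# newline lives inside the encoded data, not in the file.

# Decode a base64 value and print its bytes as one hex string, e.g. 7878782d7878780a.
decoded_hex() {
    printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# Return 0 (true) when the decoded value ends with a newline byte (0x0a).
has_trailing_newline() {
    case "$(decoded_hex "$1")" in
        *0a) return 0 ;;
        *)   return 1 ;;
    esac
}

# Encode a value without a trailing newline: printf '%s' adds none, and the
# tr strips the line wrapping/newline that base64 itself prints.
encode_secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Constructed demo with a placeholder client ID.
CLIENT_ID='xxx-xxx'
bad_value=$(echo "$CLIENT_ID" | base64 | tr -d '\n')   # echo appends "\n"
good_value=$(encode_secret_value "$CLIENT_ID")

for v in "$bad_value" "$good_value"; do
    if has_trailing_newline "$v"; then
        printf '%s -> %s  TRAILING NEWLINE\n' "$v" "$(decoded_hex "$v")"
    else
        printf '%s -> %s  ok\n' "$v" "$(decoded_hex "$v")"
    fi
done

# Against a live cluster (placeholder Secret name/key, not from the thread):
#   has_trailing_newline "$(kubectl get secret argo-sso -o jsonpath='{.data.client-id}')"
```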