Question: Can a machine authenticate to ArgoCD API using an external OIDC token (non-interactive)?

[uanid]

Context

I need headless (non-interactive) authentication to ArgoCD’s API and CLI from CI/CD pipelines.

According to the documentation, the supported authentication methods are:
• Argo CD–issued tokens (either account tokens or project role–based JWTs) used as Bearer tokens, and
• OIDC SSO login (argocd login --sso), which relies on an interactive browser flow.

This means machine or workload identities can’t use the same OIDC-based flow as human users.
Is this understanding correct?

Questions

1. External OIDC token as Bearer
   Is there a way for the ArgoCD API to directly accept an externally issued OIDC ID/Access token (for example, from Azure Entra ID, GitHub OIDC, or Keycloak) as a valid Bearer token for authentication?
2. Future or planned support
   If not currently possible, is there any plan to support one of the following patterns?

• Ex) Trusting external JWTs by configuring issuer, jwks_uri, and audience so Argo CD can validate them directly

[abourn]

There is an open PR which documents the process of using a GitHub Actions token to authenticate to ArgoCD as an argo-cd-cli user. This works by configuring a Dex Connector on ArgoCD. Hope this helps:

#22953