feat: Add generic JWT auth

[wrmedford]

Closes #14250

This allows for generic JWTs to be used for authentication that are minted outside of Argo. Argo currently mints its own JWTs for auth outside of Dex, and this extends its capabilities to utilize JWTs that originate from Identity Aware Proxies.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[bunnyshell]

❗ Preview Environment undeploy from Bunnyshell failed

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

• 🚀 /bns:deploy to redeploy the environment
• ❌ /bns:delete to try again to remove the environment

[codecov]

Codecov Report

Attention: Patch coverage is 40.49587% with 72 lines in your changes missing coverage. Please review.

Project coverage is 53.25%. Comparing base (8126508) to head (989a45d).

Files with missing lines	Patch %	Lines
util/oidc/provider.go	48.93%	32 Missing and 16 partials ⚠️
util/session/sessionmanager.go	5.88%	13 Missing and 3 partials ⚠️
util/settings/settings.go	20.00%	7 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #20928      +/-   ##
==========================================
- Coverage   55.19%   53.25%   -1.95%     
==========================================
  Files         337      337              
  Lines       57058    57177     +119     
==========================================
- Hits        31496    30451    -1045     
- Misses      22863    24049    +1186     
+ Partials     2699     2677      -22     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ChristianCiach]

That's cool, but shouldn't we at least verify a configurable aud claim? Otherwise an attacker could use any leaked JWT that happens to be signed by the right Identity Provider, even if it was intended to be used with a different Client. See https://stackoverflow.com/a/41237822/1507544

[wrmedford]

That's cool, but shouldn't we at least verify a configurable aud claim? Otherwise an attacker could use any leaked JWT that happens to be signed by the right Identity Provider, even if it was intended to be used with a different Client. See https://stackoverflow.com/a/41237822/1507544

Good call, and completely agree. Will add that as a config option.

[wrmedford]

That's cool, but shouldn't we at least verify a configurable aud claim? Otherwise an attacker could use any leaked JWT that happens to be signed by the right Identity Provider, even if it was intended to be used with a different Client. See https://stackoverflow.com/a/41237822/1507544

Added!

[kostyay]

Any update on this PR? Would love to see it merged.

[wrmedford]

Any update on this PR? Would love to see it merged.

I should be able to circle back around to this later this week. Sorry for the delay!

[wrmedford]

Converting to draft while I go through upgrade to v5. Will set as ready once it's ready.

[wrmedford]

I'm not entirely sure if those e2e tests are related to these changes. Still looking into it, but if they aren't, this is ready for review.

[alexander-applyinnovations]

Any update on this PR? I have a few projects that would benefit from this. Happy to help out if needed

[wrmedford]

Any update on this PR? I have a few projects that would benefit from this. Happy to help out if needed

I've been having some health issues recently, and I think this is mostly ready to go. Just needs some last mile work done (and I think those tests that are failing might need to be altered to account for this new setup).

I'm hoping to get back on this, but having to prioritize the job that gives me health insurance right now :)

[alexander-applyinnovations]

Sorry to hear, wish you all the best with those issues. I will see if I can help out on those tests

[alexander-applyinnovations]

@jsoref @andrii-korotkov-verkada @wrmedford I just created a new PR (#22901) with the merge conflicts resolved and this new PR passes all checks now

[wrmedford]

Thank you @alexander-applyinnovations ! I'll close this one once that's accepted

[agaudreault]

Thank you both for collaborating on this :) I will close this one so we focus the review and final changes on a single PR