argo scopes reduced

infrastructure/argocd/argocd-oauth.configmap.yaml

@@ -12,13 +12,11 @@ data:
     # If you want to store sensitive data in another Kubernetes Secret, instead of argocd-secret. ArgoCD knows to check the keys under data in your Kubernetes Secret for a corresponding key whenever a value in a configmap or secret starts with $, then your Kubernetes Secret name and : (colon).
     clientSecret: $argocd-oauth:client-secret
 
-    skipAudienceCheckWhenTokenHasNoAudience: true
 
     # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
     requestedScopes: ["openid", "profile", "email", "groups"]
 
     # Optional set of OIDC claims to request on the ID token.
     requestedIDTokenClaims: {"groups": {"essential": true}}
-    allowedAudiences:
-    - argocd
+
   

infrastructure/argocd/argocd-rbac.configmap.yaml

@@ -6,4 +6,6 @@ data:
   policy.csv: |
     # use oidc group apps_admin as admin group in argocd
     g, apps_admin, role:admin
-  policy.default: role:readonly
+    g, argocd, role:readonly
+  # all other user that might have entered via oidc, are blocked: deny everything
+  policy.default: deny