RBAC not active with direct SSO #20748

andreas-p opened this issue Nov 11, 2024 · 0 comments
Labels
bug Something isn't working component:rbac Issues related to Openshift and Racher version:2.13 Latest confirmed affected version is 2.13

andreas-p commented Nov 11, 2024

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

I've installed argocd: v2.13.0+347f221 from Helm chart argo/argo-cd 7.7.0, and configured my local OIDC provider using minimal configuration according to https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#existing-oidc-provider:

 admin.enabled: false
 url: argocd.my-site.com
 oidc.config: |
    name: My OIDC
    issuer: https://oidc.my-site.com
    clientID: TheId
    clientSecret: TheSecret

This works fine, I can log in, and the User Info shows my email address and all groups I'm in, but I have all privileges, although RBAC is configured like this:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
data:
  policy.csv: ""
  policy.default: role:readonly
  policy.matchMode: glob
  scopes: '[groups]'

Updating the configmap with policy.default="" (argocd-server logs "RBAC ConfigMap 'argocd-rbac-cm' updated"), there should be no privileges at all, but I'm still admin-privileged, so apparently argocd-server thinks it hasn't any valid user configuration.

There's one anomaly that might be relevant: some group names provided by SSO include spaces. Still, all groups are listed correctly under User Info.

@andreas-p andreas-p added the bug Something isn't working label Nov 11, 2024
@andrii-korotkov-verkada andrii-korotkov-verkada added version:2.13 Latest confirmed affected version is 2.13 component:rbac Issues related to Openshift and Racher labels Nov 11, 2024
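
The decisions the report expects from this configuration can be written down as a small default-deny model and used as a checklist when testing an SSO login. This is an added example, not code from the issue or from Argo CD: it is a simplified stand-in for the RBAC enforcer that always matches by glob, the built-in role lines are abbreviated, and the token claims and object name are constructed.

```python
import csv
from fnmatch import fnmatchcase

# Abbreviated stand-in for Argo CD's built-in roles (assumption, not the full list).
BUILTIN = """\
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:admin, *, *, *, allow
"""

def parse(policy_csv):
    """Return (p rules, g rules) from policy.csv text."""
    perms, grants = [], []
    for row in csv.reader(policy_csv.splitlines(), skipinitialspace=True):
        row = [field.strip() for field in row]
        if len(row) == 6 and row[0] == "p":
            perms.append(row[1:])
        elif len(row) == 3 and row[0] == "g":
            grants.append(row[1:])
    return perms, grants

def can(claims, resource, action, obj, rbac):
    """Model decision: an explicit allow is required and any matching deny wins."""
    perms, grants = parse(BUILTIN + rbac.get("policy.csv", ""))
    scopes = [s.strip() for s in rbac.get("scopes", "[groups]").strip("[]").split(",")]
    # Subjects are the token's sub plus every value of the claims named in scopes.
    held = {claims["sub"]}
    for scope in scopes:
        value = claims.get(scope, [])
        held.update(value if isinstance(value, list) else [value])
    if rbac.get("policy.default"):
        held.add(rbac["policy.default"])
    grew = True
    while grew:  # follow g rules until no new role is reached
        new = {role for member, role in grants if member in held} - held
        held |= new
        grew = bool(new)
    hits = [p for p in perms if p[0] in held and fnmatchcase(resource, p[1])
            and fnmatchcase(action, p[2]) and fnmatchcase(obj, p[3])]
    return bool(hits) and all(p[4] == "allow" for p in hits)

# Constructed ID-token claims; one group name contains a space, as in the report.
CLAIMS = {"sub": "user-123", "groups": ["Platform Team", "users"]}
REPORTED = {"policy.csv": "", "policy.default": "role:readonly",
            "policy.matchMode": "glob", "scopes": "[groups]"}

def expected_matrix(rbac):
    """Expected allow/deny per check for the constructed user (hypothetical helper)."""
    checks = [("applications", "get"), ("applications", "delete"), ("projects", "update")]
    return {f"{r}:{a}": can(CLAIMS, r, a, "default/guestbook", rbac) for r, a in checks}
```

Any write action the live server permits where this model returns False for the same configuration is the behaviour the issue describes.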