Add new optional OIDCDisableUserInfo setting for OIDC auth provider #19566
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
|
Hi @tgross! |
|
@eumikhailov I've been away for the holidays and haven't had a chance to review this yet. But I'll need you to sign the CLA before I can do so. |
|
@tgross happy new year! 😃 |
tgross
reviewed
Jan 2, 2024
There was a problem hiding this comment.
Hi @eumikhailov I've left a comment in #19318 (comment) which we should probably discuss further before spending more time on this PR.
tgross
reviewed
Jan 3, 2024
There was a problem hiding this comment.
@eumikhailov I don't have an environment I can test this in. Have you verified that this actually works with ADFS?
|
@tgross tested with Microsoft AD FS 4.0 and it's work!
home/wsl/nomad# ./nomad version
Nomad v1.7.3-dev
....
Revision 8b4301ddbb404b581a8ee536db9793360c45f8aa+CHANGES
home/wsl/nomad# ./nomad acl auth-method info microsoft-oidc
Name = microsoft-oidc
Type = OIDC
Locality = global
Max Token TTL = 1h0m0s
Token Name Format = ${auth_method_type}-${auth_method_name}
Default = false
Create Index = 34
Modify Index = 36
Auth Method Config
JWT Validation Public Keys = <none>
JWKS URL = <none>
OIDC Discovery URL = ***/adfs
OIDC Client ID = de2658c8-cfbc-4d65-9b5e-bc3e85d1552d
OIDC Client Secret = <none>
OIDC Disable UserInfo = true
OIDC Scopes = https://nomad.***/openid,openid
Bound audiences = de2658c8-cfbc-4d65-9b5e-bc3e85d1552d,https://nomad.***
Bound issuer = <none>
Allowed redirects URIs = http://localhost:4646/ui/settings/tokens
Discovery CA pem = <none>
JWKS CA cert = <none>
Signing algorithms = <none>
Expiration Leeway = 0s
NotBefore Leeway = 0s
ClockSkew Leeway = 0s
Claim mappings = {upn: upn}
List claim mappings = {roles: roles}
|
tgross
requested changes
Jan 9, 2024
There was a problem hiding this comment.
Ok @eumikhailov I've tested this out as described in #19318 (comment). I only need two more things from you:
- Can you rebase this on
mainto resolve the merge conflict? - Can you run
make clto add a changelog entry?
Once that's done, I'll merge this and get it backported. Thanks!
vercel
bot
requested a deployment
to
Preview – nomad-storybook-and-ui
|
@tgross OK, fixed! |
tgross
approved these changes
Jan 9, 2024
tgross
added
theme/auth
backport/1.5.x
This was referenced Jan 9, 2024
netdata-be
added a commit
to netdata-be/terraform-provider-nomad
that referenced
this pull request
Feb 7, 2024
In nomad 1.7.3 a new config has been [introduced](hashicorp/nomad#19566) Adding support for this config parameter
netdata-be
added a commit
to netdata-be/terraform-provider-nomad
that referenced
this pull request
Feb 7, 2024
In nomad 1.7.3 a new config has been [introduced](hashicorp/nomad#19566) Adding support for this config parameter
lgfa29
pushed a commit
to netdata-be/terraform-provider-nomad
that referenced
this pull request
Feb 8, 2024
In nomad 1.7.3 a new config has been [introduced](hashicorp/nomad#19566) Adding support for this config parameter
lgfa29
pushed a commit
to hashicorp/terraform-provider-nomad
that referenced
this pull request
Feb 8, 2024
In nomad 1.7.3 a new config has been [introduced](hashicorp/nomad#19566) Adding support for this config parameter
nvanthao
pushed a commit
to nvanthao/nomad
that referenced
this pull request
Mar 1, 2024
…ovider (hashicorp#19566) Add new optional `OIDCDisableUserInfo` setting for OIDC auth provider which disables a request to the identity provider to get OIDC UserInfo. This option is helpful when your identity provider doesn't send any additional claims from the UserInfo endpoint, such as Microsoft AD FS OIDC Provider: > The AD FS UserInfo endpoint always returns the subject claim as specified in the > OpenID standards. AD FS doesn't support additional claims requested via the > UserInfo endpoint Fixes hashicorp#19318
nvanthao
pushed a commit
to nvanthao/nomad
that referenced
this pull request
Mar 1, 2024
…ovider (hashicorp#19566) Add new optional `OIDCDisableUserInfo` setting for OIDC auth provider which disables a request to the identity provider to get OIDC UserInfo. This option is helpful when your identity provider doesn't send any additional claims from the UserInfo endpoint, such as Microsoft AD FS OIDC Provider: > The AD FS UserInfo endpoint always returns the subject claim as specified in the > OpenID standards. AD FS doesn't support additional claims requested via the > UserInfo endpoint Fixes hashicorp#19318
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add new optional OIDCDisableUserInfo setting for OIDC auth provider which disables a request to the identity provider to get OIDC UserInfo.
This options is helpful when your identity provider doesn't send any additional claims from the UserInfo endpoint, such as
Microsoft AD FS OIDC Provider:
Fixes #19318