OIDC: add `resource` url-parameter for self-hosted ADFS #19318

Comments
Hi @eumikhailov! Just to clarify acronyms here, self-hosted ADFS is "OIDC for Microsoft Active Directory", right? Any chance you have a pointer to Microsoft documentation on this parameter? It looks like this is a non-standard part of the Auth Request, according to the specs linked from the A quick survey suggests that some OIDC libraries provide a way to add arbitrary query parameters. I imagine if there are other providers with non-standard parameters, we would want to add a
Hi @tgross! Yes, self-hosted ADFS is OIDC for Microsoft Active Directory.
According MS docs If no On Nomad frontend
From the docs you linked:
You should be able to add an
Hi @tgross! Thank you for the feedback! We have found a problem with our version of ADFS - https://serverfault.com/a/876784. You can close this issue.
Thanks!
Hi @tgross! The new version of Microsoft ADFS has the same problem - we got a 401 error from ADFS:
And a 500 error from Nomad
Can you please explain to me why Line 2740 in 87e7bf4
If we use So I think option for disable
Did you add an
@tgross yes, I did and
And if
@eumikhailov can you share your auth config please? That'll help us narrow down what needs to be done here.
@tgross yes, of course.
In
In
@tgross Hi! I think there is only one way to fix this - disable UserInfo loading by an OIDC option. DuendeArchive/IdentityServer4#812 (comment) Should we change the issue title to feature request
@eumikhailov let me review this and get back to you.
Hi @tgross!
@eumikhailov ok I've had a look through this and although disabling the
@tgross yes, disabling the I've tried both settings and there is no way to set up
By the way Microsoft OIDC provider returns only
In both the examples you linked to, your audience was
Yes, Nomad verifies
Just a heads up that I've got someone configuring an ADFS install for me so that I can do some validation at my end here.
@eumikhailov I'm still having some trouble getting my ADFS to issue me correct claims, but I'm not hitting the Does the Client Permissions tab of your Web API Properties include the checkbox for the
It's by design in Microsoft OIDC/ADFS - https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq#i-m-trying-to-get-more-claims-on-the-userinfo-endpoint--but-it-s-only-returning-subject--how-can-i-get-more-claims-
I've used the following -
Ok, thanks so much for your patience with me on this @eumikhailov. With a lot of help from my colleague @Sokren, I've reproduced the bug and verified that your patch fixes it. I'll leave a couple minor comments there but I think we'll be able to wrap this up quickly now. Here's how I reproduced, which I'm documenting here so we can maybe come back and write up an ADFS tutorial in the future. In ADFS:

Whew! Now on to Nomad. First, create a policy file:

```hcl
// Grants read access to the namespace "default".
namespace "default" {
  policy = "read"
}

// Grants read access to Nomad nodes.
node {
  policy = "read"
}
```

Create the policy and a role that uses it:

Create the auth method configuration file. The Note the

```json
{
  "OIDCDiscoveryURL": "https://adfs.example.com/adfs",
  "OIDCClientID": "nomad.local",
  "OIDCClientSecret": "RvFWUU2HHgl_REDACTED",
  "BoundAudiences": ["nomad.local"],
  "OIDCDisableUserInfo": true,
  "OIDCScopes": ["openid", "profile", "allatclaims"],
  "AllowedRedirectURIs": [
    "http://localhost:4649/oidc/callback",
    "http://localhost:4646/ui/settings/tokens"
  ],
  "ListClaimMappings": {
    "group": "roles"
  }
}
```

Create the binding rule that binds to this auth method.

And finally, login and see that we've successfully bound to the correct role!
…ovider (#19566) Add new optional `OIDCDisableUserInfo` setting for OIDC auth provider which disables a request to the identity provider to get OIDC UserInfo. This option is helpful when your identity provider doesn't send any additional claims from the UserInfo endpoint, such as Microsoft AD FS OIDC Provider:

> The AD FS UserInfo endpoint always returns the subject claim as specified in the
> OpenID standards. AD FS doesn't support additional claims requested via the
> UserInfo endpoint

Fixes #19318
#19566 has been merged and will ship in the next regular version of Nomad 1.7.x (with backports to 1.6.x and 1.5.x)
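The reproduction config above and the `OIDCDisableUserInfo` option it relies on both come down to one step of the login flow: which claims the auth method binds on, and whether a UserInfo endpoint that only returns `sub` (or answers 401) can break that. The following is an added example, not Nomad's or the cap module's code, that models that step in Python. It assumes the OIDC library has already verified the ID token signature, that the token issuer equals the `OIDCDiscoveryURL`, and it uses constructed stand-ins for AD FS (`adfs_userinfo_subject_only`, `adfs_userinfo_401`) and constructed ID token claims; the config keys mirror the JSON posted in the thread.

```python
# Added example, not Nomad's or the cap module's code. It models the claim
# assembly step of an OIDC auth method: validate the (already signature-
# verified) ID token claims against the configured bound audiences, optionally
# merge the UserInfo response, then apply the list-claim mappings from the
# auth-method config in the thread. The AD FS behaviours (UserInfo returning
# only `sub`, or answering 401) are constructed stand-ins.
import time


class AuthError(Exception):
    """Raised when the login must be rejected."""


# Constructed config mirroring the auth-method JSON posted in the thread.
AUTH_METHOD_CONFIG = {
    "OIDCDiscoveryURL": "https://adfs.example.com/adfs",
    "BoundAudiences": ["nomad.local"],
    "OIDCDisableUserInfo": True,
    "ListClaimMappings": {"group": "roles"},
}

# Constructed ID token claims: with the `allatclaims` scope AD FS places the
# `roles` claim in the ID token itself, so nothing is needed from UserInfo.
ID_TOKEN_CLAIMS = {
    "iss": "https://adfs.example.com/adfs",
    "sub": "S-1-5-21-0000000000-example",
    "aud": "nomad.local",
    "exp": 1_700_000_600,
    "roles": ["nomad-engineers", "domain-users"],
}
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def adfs_userinfo_subject_only(access_token):
    """Stand-in for the AD FS UserInfo endpoint as described in the AD FS FAQ:
    it returns only the subject claim."""
    return {"sub": ID_TOKEN_CLAIMS["sub"]}


def adfs_userinfo_401(access_token):
    """Stand-in for the failing AD FS deployments in the thread (HTTP 401)."""
    raise AuthError("UserInfo request rejected: 401 Unauthorized")


def validate_id_token(claims, config, now=None):
    """Checks signature-verified ID token claims. `aud` may be a string or a
    list; at least one value must be in BoundAudiences. Assumption: the issuer
    is the discovery URL (the usual OIDC arrangement)."""
    now = time.time() if now is None else now
    if claims.get("iss") != config["OIDCDiscoveryURL"]:
        raise AuthError("issuer does not match OIDCDiscoveryURL")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in config["BoundAudiences"] for a in auds):
        raise AuthError(f"audience {auds} not in BoundAudiences")
    if claims.get("exp", 0) <= now:
        raise AuthError("ID token expired")
    if not claims.get("sub"):
        raise AuthError("ID token has no sub claim")
    return claims


def assemble_claims(id_claims, access_token, config, fetch_userinfo, now=None):
    """Returns the merged claim set the auth method would bind on. The UserInfo
    call is skipped entirely when OIDCDisableUserInfo is true, so an endpoint
    that only returns `sub` (or returns 401) cannot break the login."""
    merged = dict(validate_id_token(id_claims, config, now))
    if not config.get("OIDCDisableUserInfo", False):
        info = fetch_userinfo(access_token)
        # UserInfo must describe the same subject as the ID token.
        if info.get("sub") != merged["sub"]:
            raise AuthError("UserInfo subject does not match ID token")
        merged.update(info)
    return merged


def apply_list_claim_mappings(claims, config):
    """Maps list-valued claims to selector names, e.g. roles -> list.group."""
    out = {}
    for name, claim in config.get("ListClaimMappings", {}).items():
        value = claims.get(claim, [])
        out[name] = [value] if isinstance(value, str) else list(value)
    return out


def login(config, fetch_userinfo, now=NOW):
    """End-to-end: validate, merge, map; returns the selector-facing values."""
    claims = assemble_claims(ID_TOKEN_CLAIMS, "constructed-access-token",
                             config, fetch_userinfo, now)
    return apply_list_claim_mappings(claims, config)


if __name__ == "__main__":
    # With UserInfo disabled the 401 endpoint is never called and the roles
    # from the ID token are mapped to list.group for the binding rule.
    print(login(AUTH_METHOD_CONFIG, adfs_userinfo_401))
```

Running `login` with `OIDCDisableUserInfo` set to false against the 401 stand-in raises `AuthError`, which is the failure the thread describes; with it set to true the same ID token logs in and `list.group` carries the `roles` values, because the audience, issuer and expiry checks on the ID token still run regardless of the UserInfo setting.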
Hi there,
I encountered a problem when setting up OIDC auth provider over ADFS 2019, same as described here.

Nomad version
v1.6.x

Issue
There is no way to set up `resource` url-parameter for self-hosted ADFS as OIDC provider.

Proposals for implementation
It can be done via the optional parameter `OIDCResource` in the Nomad OIDC config and optional config method `WithResource` in cap module.