
Unable to set OIDCDisableUserInfo to true #20040

Closed
abpetrov opened this issue Feb 28, 2024 · 3 comments

Comments

@abpetrov

Issue

I am trying to set OIDCDisableUserInfo to true as per #19318; however, the configuration is ignored, the OIDCDisableUserInfo attribute is always reported as false, and I cannot make SSO with ADFS work.

Reproduction steps

Create a policy file with the content below

{
  "OIDCDiscoveryURL": "https://adfs.local/adfs",
  "OIDCClientID": "<redacted1>",
  "OIDCClientSecret": "<redacted2>",
  "BoundAudiences": ["<redacted1>"],
  "OIDCDisableUserInfo": true,
  "OIDCScopes": ["openid"],
  "AllowedRedirectURIs": [
    "https://nomad.local:4646/ui/settings/tokens"
  ],
  "ListClaimMappings": {
    "role": "roles"
  }
}

Create the auth method:
nomad acl auth-method create -name adfs2 -token-locality=global -max-token-ttl="10m" -type=oidc -config @test.hcl

Expected Result

OIDC Disable UserInfo = true

Actual Result

OIDC Disable UserInfo = false

Nomad version is 1.7.5

@tgross
Member

tgross commented Feb 28, 2024

Hi @abpetrov! I wasn't able to reproduce this. Using the exact same auth method config doc:

$ nomad acl auth-method create -type=OIDC \
    -name=ADFS \
    -default=true \
    -max-token-ttl=5m \
    -token-locality=global \
    -config=@config.json
Name              = ADFS
Type              = OIDC
Locality          = global
Max Token TTL     = 5m0s
Token Name Format = ${auth_method_type}-${auth_method_name}
Default           = true
Create Index      = 23
Modify Index      = 23

Auth Method Config

JWT Validation Public Keys = <none>
JWKS URL                   = <none>
OIDC Discovery URL         = https://adfs.local/adfs
OIDC Client ID             = <redacted1>
OIDC Client Secret         = <redacted2>
OIDC Disable UserInfo      = true
OIDC Scopes                = openid
Bound audiences            = <redacted1>
Bound issuer               = <none>
Allowed redirects URIs     = https://nomad.local:4646/ui/settings/tokens
Discovery CA pem           = <none>
JWKS CA cert               = <none>
Signing algorithms         = <none>
Expiration Leeway          = 0s
NotBefore Leeway           = 0s
ClockSkew Leeway           = 0s
Claim mappings             = <none>
List claim mappings        = {role: roles}

You said the Nomad version is 1.7.5, but are you sure the servers are all up-to-date with that? Check nomad server members.

@tgross tgross self-assigned this Feb 28, 2024
@abpetrov
Author

Hi @tgross

You were right, the server members were not restarted after the update, so they were still running an older version.
Restarting them fixed the issue.
Thanks!
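The thread resolves on a version-skew diagnosis: the config was accepted, but servers still on an older build silently dropped the newer OIDCDisableUserInfo field. The following post-rollout check is an added example, not code from the issue or from Nomad; it parses constructed samples of `nomad server members` and `nomad acl auth-method info` output (column layout and the `Key = Value` format are assumed from Nomad 1.7 CLI output) to flag stale servers and confirm the setting actually took effect.

```python
"""Post-rollout checks for a Nomad OIDC auth method (added example, not Nomad's code)."""
import re

# Constructed sample of `nomad server members` with one server on a stale build.
MEMBERS_OUTPUT = """\
Name             Address   Port  Status  Leader  Raft Version  Build  Datacenter  Region
nomad-1.global   10.0.0.1  4648  alive   true    3             1.7.5  dc1         global
nomad-2.global   10.0.0.2  4648  alive   false   3             1.7.5  dc1         global
nomad-3.global   10.0.0.3  4648  alive   false   3             1.7.2  dc1         global
"""

# Constructed sample of the "Auth Method Config" section of `nomad acl auth-method info`.
INFO_OUTPUT = """\
OIDC Discovery URL         = https://adfs.local/adfs
OIDC Disable UserInfo      = false
OIDC Scopes                = openid
"""


def server_builds(members_text):
    """Return {server_name: build} from column-aligned `nomad server members` output."""
    lines = [ln for ln in members_text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())  # columns are separated by 2+ spaces
    builds = {}
    for line in lines[1:]:
        row = dict(zip(header, re.split(r"\s{2,}", line.strip())))
        builds[row["Name"]] = row["Build"]
    return builds


def stale_servers(members_text, expected_build):
    """Names of servers whose Build differs from the build you just rolled out."""
    return sorted(n for n, b in server_builds(members_text).items() if b != expected_build)


def auth_method_setting(info_text, key):
    """Value shown for `key` in the `Key = Value` lines of `nomad acl auth-method info`."""
    for line in info_text.splitlines():
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return v.strip()
    return None  # key not present in this Nomad version's output


def verify_userinfo_disabled(info_text):
    """True only when the server reports the field as set, not merely accepted on input."""
    return auth_method_setting(info_text, "OIDC Disable UserInfo") == "true"


if __name__ == "__main__":
    print("stale servers:", stale_servers(MEMBERS_OUTPUT, "1.7.5"))
    print("OIDCDisableUserInfo applied:", verify_userinfo_disabled(INFO_OUTPUT))
```

Against live output, pipe the two commands into the functions; a non-empty stale list explains a setting that is reported as false despite being present in the config file.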


I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 31, 2024