Nomad
ACL OIDC HTTP API
The /acl/oidc endpoints are used to log in to Nomad via an OIDC provider.
Get an OIDC authentication URL
This endpoint creates a URL that the caller navigates to in order to log in at their OIDC provider. The returned string is URL encoded, and it embeds the ClientNonce and RedirectURI from the request together with a Nomad-generated state value; the client must keep that state for the complete-auth call.
| Method | Path | Produces |
|---|---|---|
| POST | /v1/acl/oidc/auth-url | application/json |
The table below shows this endpoint's support for blocking queries and required ACLs.
| Blocking Queries | ACL Required |
|---|---|
| NO | none |
Parameters
- AuthMethodName (string: <required>) - The name of the ACL authentication method to use.
- RedirectURI (string: <required>) - The URI that the response will be sent to when authorization is finished. The value must be included within the auth method's allowed redirect URIs listing.
- ClientNonce (string: <required>) - A randomly generated string to prevent replay attacks. Generate a fresh value for every login attempt; the same value must be sent again to the complete-auth endpoint.
Sample Payload
{
"AuthMethodName": "auth0",
"RedirectURI": "http://localhost:4649/oidc/callback",
"ClientNonce": "fpSPuaodKevKfDU3IeXb"
}
Sample Request
$ curl \
--request POST \
--data @payload.json \
https://localhost:4646/v1/acl/oidc/auth-url
Sample Response
{
"AuthURL": "https://some-domain.uk.auth0.com/authorize?client_id=4fOYtJiC5fo98EQj2TScs2someclient&nonce=fpSPuaodKevKfDU3IeXb&redirect_uri=http%3A%2F%2Flocalhost%3A4649%2Foidc%2Fcallback&response_type=code&scope=openid&state=st_4i68Nt7FcxDsomestate"
}
Complete OIDC Authentication
This endpoint completes the OIDC login: it exchanges the authorization code returned by the OIDC provider for a Nomad ACL token, which is returned in the response. The SecretID in the response is the token secret that subsequent requests present in the X-Nomad-Token header, and ExpirationTTL is expressed in nanoseconds (600000000000 in the sample is 10 minutes, matching the gap between CreateTime and ExpirationTime). The request is always forwarded to the authoritative region.
| Method | Path | Produces |
|---|---|---|
| POST | /v1/acl/oidc/complete-auth | application/json |
The table below shows this endpoint's support for blocking queries and required ACLs.
| Blocking Queries | ACL Required |
|---|---|
| NO | none |
Parameters
- AuthMethodName (string: <required>) - The name of the ACL authentication method to use; it must match the one used in the call that generated the URL.
- RedirectURI (string: <required>) - The URI that the response will be sent to when authorization is finished. The value must be included within the auth method's allowed redirect URIs listing.
- ClientNonce (string: <required>) - A randomly generated string to prevent replay attacks; it must match the one used in the call that generated the URL.
- State (string: <required>) - An opaque value used to maintain state between the request and the callback. Nomad generates it and embeds it in the AuthURL, the provider returns it on the callback, and the client passes it back here unchanged.
- Code (string: <required>) - The authorization code returned from the OIDC provider's authorization endpoint.
Sample Payload
{
"AuthMethodName": "auth0",
"RedirectURI": "http://localhost:4649/oidc/callback",
"ClientNonce": "fpSPuaodKevKfDU3IeXb",
"State": "st_4i68Nt7FcxDsomestate",
"Code": "SplxlOBeZQQYbYS6WxSbIA"
}
Sample Request
$ curl \
--request POST \
--data @payload.json \
https://localhost:4646/v1/acl/oidc/complete-auth
Sample Response
{
"AccessorID": "cbbc7059-3acf-2ef5-378b-495f5f81f733",
"CreateIndex": 18,
"CreateTime": "2023-01-18T10:53:29.460987Z",
"ExpirationTTL": 600000000000,
"ExpirationTime": "2023-01-18T11:03:29.460987Z",
"Global": true,
"ModifyIndex": 18,
"Name": "OIDC-auth0",
"Policies": [],
"Roles": [
{
"ID": "10b1a678-f71d-d266-2888-8b3e47e317b8",
"Name": "engineering-read"
}
],
"SecretID": "1fce464c-06d1-4020-8564-631c25201ea7",
"Type": "client"
}
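The two endpoints above are the two halves of one login flow: request an auth URL with a fresh nonce, send the user to the provider, receive the callback on the redirect URI, then hand code, state and the same nonce back to complete-auth. The program below is an added example of a client that drives that flow, not code from this page or from the Nomad project. It assumes Nomad at https://localhost:4646, the auth method name, redirect URI and field names from the sample payloads above, and a hypothetical local listener on 127.0.0.1:4649 that serves the callback. The two checks a practitioner should not skip are visible as separate functions: the AuthURL Nomad returns must still carry the nonce and redirect URI the client sent, and the callback's state must equal the state from the AuthURL before the code is used.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/url"
)

// Field names follow the parameter lists and sample responses on this page.
type AuthURLRequest struct{ AuthMethodName, RedirectURI, ClientNonce string }
type AuthURLResponse struct{ AuthURL string }
type CompleteAuthRequest struct{ AuthMethodName, RedirectURI, ClientNonce, State, Code string }
type ACLToken struct{ AccessorID, SecretID string }

// CheckAuthURL confirms Nomad echoed our nonce and redirect URI, and extracts the state to hold until the callback.
func CheckAuthURL(authURL, wantNonce, wantRedirect string) (string, error) {
	u, err := url.Parse(authURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if q.Get("nonce") != wantNonce || q.Get("redirect_uri") != wantRedirect || q.Get("state") == "" {
		return "", fmt.Errorf("auth-url: nonce, redirect_uri or state is not what we expect")
	}
	return q.Get("state"), nil
}

// ParseCallback reads the provider's callback query; a code whose state is not the one from the auth URL is discarded.
func ParseCallback(rawQuery, wantState string) (string, error) {
	switch q, err := url.ParseQuery(rawQuery); {
	case err != nil:
		return "", err
	case q.Get("error") != "":
		return "", fmt.Errorf("provider error: %s", q.Get("error"))
	case q.Get("state") != wantState:
		return "", fmt.Errorf("callback: state mismatch, discarding code")
	default:
		return q.Get("code"), nil
	}
}

func postJSON(c *http.Client, endpoint string, in, out any) error {
	body, _ := json.Marshal(in) // plain string structs, cannot fail
	resp, err := c.Post(endpoint, "application/json", bytes.NewReader(body))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s: %s", endpoint, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Login drives both endpoints end to end; visit takes the user through the provider and returns the callback's raw query string.
func Login(c *http.Client, nomadAddr, method, redirectURI string, visit func(string) string) (*ACLToken, error) {
	raw := make([]byte, 16)
	rand.Read(raw) // fresh 128-bit ClientNonce per login; rand.Read cannot fail as of Go 1.24
	nonce := base64.RawURLEncoding.EncodeToString(raw)
	var au AuthURLResponse
	if err := postJSON(c, nomadAddr+"/v1/acl/oidc/auth-url", AuthURLRequest{method, redirectURI, nonce}, &au); err != nil {
		return nil, err
	}
	state, err := CheckAuthURL(au.AuthURL, nonce, redirectURI)
	if err != nil {
		return nil, err
	}
	code, err := ParseCallback(visit(au.AuthURL), state)
	if err != nil {
		return nil, err
	}
	var tok ACLToken
	if err := postJSON(c, nomadAddr+"/v1/acl/oidc/complete-auth", CompleteAuthRequest{method, redirectURI, nonce, state, code}, &tok); err != nil {
		return nil, err
	}
	return &tok, nil
}

func main() {
	// Hypothetical local setup: Nomad at localhost:4646; this listener serves the sample payload's redirect URI.
	got := make(chan string, 1)
	http.HandleFunc("/oidc/callback", func(w http.ResponseWriter, r *http.Request) { got <- r.URL.RawQuery })
	go http.ListenAndServe("127.0.0.1:4649", nil)
	visit := func(authURL string) string {
		fmt.Println("Open in a browser:", authURL)
		return <-got
	}
	tok, err := Login(http.DefaultClient, "https://localhost:4646", "auth0", "http://localhost:4649/oidc/callback", visit)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("NOMAD_TOKEN=" + tok.SecretID)
}
```

Against a real cluster the Nomad address, the TLS configuration of the http.Client and the listener address are yours to set; the redirect URI must be one the auth method lists as allowed, or auth-url will reject it. The visit function is deliberately the only place the browser is involved, so the same Login can be exercised against a stand-in for Nomad in tests.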