HashiDays One conference. Three cities. Find a city near you
Nomad
Nomad Home

ACL OIDC HTTP API

The /acl/oidc endpoints are used to log in to Nomad via an OIDC provider.

Get an OIDC authentication URL

This endpoint creates a URL which will allow the caller to navigate to their OIDC provider and log in. The returned string is URL encoded.

MethodPathProduces
POST/v1/acl/oidc/auth-urlapplication/json

The table below shows this endpoint's support for blocking queries and required ACLs.

Blocking QueriesACL Required
NOnone

Parameters

  • AuthMethodName (string: <required>) - The name of the ACL authentication method to use.

  • RedirectURI (string: <required>) - The URI that the response will be sent to when authorization is finished. The value must be included within the auth method's allowed redirect URIs listing.

  • ClientNonce (string: <required>) - A randomly generated string to prevent replay attacks.

Sample Payload

{  "AuthMethodName": "auth0",  "RedirectURI": "http://localhost:4649/oidc/callback",  "ClientNonce": "fpSPuaodKevKfDU3IeXb"}

Sample Request

$ curl \    --request POST \    --data @payload.json \    https://localhost:4646/v1/acl/oidc/auth-url

Sample Response

{  "AuthURL": "https://some-domain.uk.auth0.com/authorize?client_id=4fOYtJiC5fo98EQj2TScs2someclient&nonce=fpSPuaodKevKfDU3IeXb&redirect_uri=http%3A%2F%2Flocalhost%3A4649%2Foidc%2Fcallback&response_type=code&scope=openid&state=st_4i68Nt7FcxDsomestate"}

Complete OIDC Authentication

This endpoint creates an ACL Role. The request is always forwarded to the authoritative region.

MethodPathProduces
POST/v1/acl/oidc/complete-authapplication/json

The table below shows this endpoint's support for blocking queries and required ACLs.

Blocking QueriesACL Required
NOnone

Parameters

  • AuthMethodName (string: <required>) - The name of the ACL authentication method to use and will match that used within the call to generate the URL.

  • RedirectURI (string: <required>) - The URI that the response will be sent to when authorization is finished. The value must be included within the auth method's allowed redirect URIs listing.

  • ClientNonce (string: <required>) - A randomly generated string to prevent replay attacks that will match that used within the call to generate the URL.

  • State (string: <required>) - An opaque value used to maintain state between the request and the callback.

  • Code (string: <required>) - The authorization code returned from the OIDC providers authorization endpoint.

Sample Payload

{  "AuthMethodName": "auth0",  "RedirectURI": "http://localhost:4649/oidc/callback",  "ClientNonce": "fpSPuaodKevKfDU3IeXb",  "State": "st_4i68Nt7FcxDsomestate",  "Code": "SplxlOBeZQQYbYS6WxSbIA"}

Sample Request

$ curl \    --request POST \    --data @payload.json \    https://localhost:4646/v1/acl/oidc/complete-auth

Sample Response

{  "AccessorID": "cbbc7059-3acf-2ef5-378b-495f5f81f733",  "CreateIndex": 18,  "CreateTime": "2023-01-18T10:53:29.460987Z",  "ExpirationTTL": 600000000000,  "ExpirationTime": "2023-01-18T11:03:29.460987Z",  "Global": true,  "ModifyIndex": 18,  "Name": "OIDC-auth0",  "Policies": [],  "Roles": [    {      "ID": "10b1a678-f71d-d266-2888-8b3e47e317b8",      "Name": "engineering-read"    }  ],  "SecretID": "1fce464c-06d1-4020-8564-631c25201ea7",  "Type": "client"}
Edit this page on GitHub