Nomad OIDC Auth method name format error

Hi,

Thanks for adding Name formatting to OIDC auth method.

But I am not able to get it working beyond the default.

This works -
-token-name-format='${auth_method_type}-${auth_method_name}'

But this does not -
-token-name-format='${auth_method_type}-${auth_method_name}-${claims.user}-${timestamp}'

As per this PR ("Allow setting a token name template on auth methods" by jorgemarey, Pull Request #19135, hashicorp/nomad on GitHub), the second format should work too.

I looked at the code here too. It should interpolate the format -
-token-name-format='${auth_method_type}-${auth_method_name}-${value.user}'

But I see the following error -
Error performing login: Unexpected response code: 500 (rpc error: failed to generate ACL token name: 1:43: unknown variable accessed: value.user) Nomad Auth Error: #<JSON::ParserError: unexpected token at ''> Variable not found

Any guidance please. The documentation doesn’t have much to go on.

PS: we are using Okta as the OIDC provider.

thanks.

Do you have “ClaimMappings” for the Nomad OIDC auth method? The user value should be configured based on those mappings.

thanks @abpetrov

Adding this to the claimMappings fixed the issue.

"ClaimMappings": {
  "name": "name"
}

Based on your claimMapping, the format should be like this:

-token-name-format="\${auth_method_type}-\${auth_method_name}-\${value.name}"
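
The resolution above, as an added example that is not part of the thread and not Nomad's own code: a Python model that checks a token name format against the auth method's ClaimMappings before login is attempted, reproducing the "unknown variable accessed" failure for an unmapped claim. It assumes the only variables available are the two the thread shows working plus `value.<target>` for each mapping; the function names, the auth method name `okta` and the sample claims are constructed for illustration.

```python
import re

# Variables the thread shows working with no claim mapping configured.
BUILTIN_VARS = {"auth_method_type", "auth_method_name"}
VAR_RE = re.compile(r"\$\{\s*([^}\s]+)\s*\}")


def unknown_variables(fmt, claim_mappings):
    """Static check: template variables the auth method config does not define.

    Assumption: a ClaimMappings entry {claim: target} exposes ${value.<target>}.
    """
    known = BUILTIN_VARS | {f"value.{t}" for t in claim_mappings.values()}
    missing = []
    for name in VAR_RE.findall(fmt):
        if name not in known and name not in missing:
            missing.append(name)
    return missing


def render(fmt, auth_type, auth_name, claim_mappings, id_token_claims):
    """Model of the login-time interpolation; an unknown variable is an error."""
    values = {"auth_method_type": auth_type, "auth_method_name": auth_name}
    for claim, target in claim_mappings.items():
        # Assumption: a mapped claim missing from the ID token defines nothing.
        if claim in id_token_claims:
            values[f"value.{target}"] = str(id_token_claims[claim])

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"unknown variable accessed: {name}")
        return values[name]

    return VAR_RE.sub(substitute, fmt)


if __name__ == "__main__":
    mappings = {"name": "name"}                           # from the thread
    claims = {"sub": "00u-constructed", "name": "jdoe"}   # constructed ID token claims
    for fmt in ("${auth_method_type}-${auth_method_name}-${value.user}",
                "${auth_method_type}-${auth_method_name}-${value.name}"):
        # "okta" is a constructed auth method name.
        print(fmt, "->", unknown_variables(fmt, mappings) or
              render(fmt, "OIDC", "okta", mappings, claims))
```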
