HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Nomad
Nomad Home

You are viewing documentation for version v1.9.x. View latest version.

ACL OIDC HTTP API

The /acl/oidc endpoints are used to log in to Nomad via an OIDC provider.

Get an OIDC authentication URL

This endpoint creates a URL which will allow the caller to navigate to their OIDC provider and log in. The returned string is URL encoded.

MethodPathProduces
POST/v1/acl/oidc/auth-urlapplication/json

The table below shows this endpoint's support for blocking queries and required ACLs.

Blocking QueriesACL Required
NOnone

Parameters

  • AuthMethodName (string: <required>) - The name of the ACL authentication method to use.

  • RedirectURI (string: <required>) - The URI that the response will be sent to when authorization is finished. The value must be included within the auth method's allowed redirect URIs listing.

  • ClientNonce (string: <required>) - A randomly generated string to prevent replay attacks.

Sample Payload

{
  "AuthMethodName": "auth0",
  "RedirectURI": "http://localhost:4649/oidc/callback",
  "ClientNonce": "fpSPuaodKevKfDU3IeXb"
}

Sample Request

$ curl \
    --request POST \
    --data @payload.json \
    https://localhost:4646/v1/acl/oidc/auth-url

Sample Response

{
  "AuthURL": "https://some-domain.uk.auth0.com/authorize?client_id=4fOYtJiC5fo98EQj2TScs2someclient&nonce=fpSPuaodKevKfDU3IeXb&redirect_uri=http%3A%2F%2Flocalhost%3A4649%2Foidc%2Fcallback&response_type=code&scope=openid&state=st_4i68Nt7FcxDsomestate"
}

Complete OIDC Authentication

This endpoint creates an ACL Role. The request is always forwarded to the authoritative region.

MethodPathProduces
POST/v1/acl/oidc/complete-authapplication/json

The table below shows this endpoint's support for blocking queries and required ACLs.

Blocking QueriesACL Required
NOnone

Parameters

  • AuthMethodName (string: <required>) - The name of the ACL authentication method to use and will match that used within the call to generate the URL.

  • RedirectURI (string: <required>) - The URI that the response will be sent to when authorization is finished. The value must be included within the auth method's allowed redirect URIs listing.

  • ClientNonce (string: <required>) - A randomly generated string to prevent replay attacks that will match that used within the call to generate the URL.

  • State (string: <required>) - An opaque value used to maintain state between the request and the callback.

  • Code (string: <required>) - The authorization code returned from the OIDC providers authorization endpoint.

Sample Payload

{
  "AuthMethodName": "auth0",
  "RedirectURI": "http://localhost:4649/oidc/callback",
  "ClientNonce": "fpSPuaodKevKfDU3IeXb",
  "State": "st_4i68Nt7FcxDsomestate",
  "Code": "SplxlOBeZQQYbYS6WxSbIA"
}

Sample Request

$ curl \
    --request POST \
    --data @payload.json \
    https://localhost:4646/v1/acl/oidc/complete-auth

Sample Response

{
  "AccessorID": "cbbc7059-3acf-2ef5-378b-495f5f81f733",
  "CreateIndex": 18,
  "CreateTime": "2023-01-18T10:53:29.460987Z",
  "ExpirationTTL": 600000000000,
  "ExpirationTime": "2023-01-18T11:03:29.460987Z",
  "Global": true,
  "ModifyIndex": 18,
  "Name": "OIDC-auth0",
  "Policies": [],
  "Roles": [
    {
      "ID": "10b1a678-f71d-d266-2888-8b3e47e317b8",
      "Name": "engineering-read"
    }
  ],
  "SecretID": "1fce464c-06d1-4020-8564-631c25201ea7",
  "Type": "client"
}