Conversation

Contributor

@allisonlarson allisonlarson commented Nov 28, 2025

Description

Adds support for RFC 9207 (OAuth 2.0 Authorization Server Issuer Identification) by checking the OIDC authorization-complete callback URL for the iss parameter, according to the OIDC provider's server metadata (authorization_response_iss_parameter_supported). If the provider requires the parameter and it is missing or does not match the provider's issuer URL, the login request will fail.

Failure using the CLI

$ nomad login
Error performing login: Unexpected response code: 500 (invalid or missing issuer parameter in callback)

Failure in the UI returns a generic error

Failed to sign in with SSO
Your OIDC provider has failed on sign in; please try again or contact your SSO administrator.

Testing & Reproduction steps

I was able to test this using Keycloak, following the Nomad SSO tutorial but stopping before enabling PKCE.

Keycloak supports this RFC by default, and will return the iss parameter in the callback, unless a specific Keycloak Client has adjusted the setting to omit it. Even in that case, the server metadata will still report that the iss parameter is required, and the requests will fail if it isn't supplied.

Requests will also fail if the iss value doesn't match the Issuer/OIDCDiscoveryURL that was used to create the auth method in Nomad.

Links

https://datatracker.ietf.org/doc/html/rfc9207

Contributor Checklist

  • Changelog Entry If this PR changes user-facing behavior, please generate and add a
    changelog entry using the make cl command.
  • Testing Please add tests to cover any new functionality or to demonstrate bug fixes and
    ensure regressions will be caught.
  • Documentation If the change impacts user-facing functionality such as the CLI, API, UI,
    and job configuration, please update the Nomad product documentation, which is stored in the
    web-unified-docs repo. Refer to the web-unified-docs contributor guide for docs guidelines.
    Please also consider whether the change requires notes within the upgrade guide.
    If you would like help with the docs, tag the nomad-docs team in this PR.

Reviewer Checklist

  • Backport Labels Please add the correct backport labels as described by the internal
    backporting document.
  • Commit Type Ensure the correct merge method is selected which should be "squash and merge"
    in the majority of situations. The main exceptions are long-lived feature branches or merges where
    history should be preserved.
  • Enterprise PRs If this is an enterprise only PR, please add any required changelog entry
    within the public repository.
  • If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.
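The callback check described in this PR, written out as an added Go example (not Nomad's code): it parses the redirect URL the browser returns to, applies the RFC 9207 client rules (when the provider metadata advertises support, iss must be present; whenever iss is present it must match the issuer identifier byte-for-byte), and goes slightly beyond the PR by also verifying a present iss when support is not advertised. `ProviderMetadata` and `VerifyCallbackIssuer` are assumed names, and the issuer and callback URLs are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ProviderMetadata is an assumed subset of the provider's discovery document;
// the bool mirrors the RFC 8414 key authorization_response_iss_parameter_supported.
type ProviderMetadata struct {
	Issuer                                     string
	AuthorizationResponseIssParameterSupported bool
}

var ErrInvalidIssuer = errors.New("invalid or missing issuer parameter in callback")

// VerifyCallbackIssuer applies the RFC 9207 client rules to the redirect URL the
// browser returns to: if the provider advertises support, iss must be present;
// whenever iss is present it must equal the issuer identifier byte-for-byte
// (no normalisation of case or trailing slashes); a repeated iss is invalid.
func VerifyCallbackIssuer(callbackURL string, meta ProviderMetadata) error {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return fmt.Errorf("parse callback url: %w", err)
	}
	iss, present := u.Query()["iss"]
	if !present {
		if meta.AuthorizationResponseIssParameterSupported {
			return ErrInvalidIssuer // provider promised iss, so absence is a hard failure
		}
		return nil // provider never sends iss; nothing to verify
	}
	if len(iss) != 1 || iss[0] == "" || iss[0] != meta.Issuer {
		return ErrInvalidIssuer
	}
	return nil
}

func main() {
	// Constructed sample values; both hostnames are placeholders.
	meta := ProviderMetadata{Issuer: "https://idp.example/realms/nomad", AuthorizationResponseIssParameterSupported: true}
	for _, cb := range []string{
		"https://nomad.example/oidc/callback?code=c1&state=s1&iss=https%3A%2F%2Fidp.example%2Frealms%2Fnomad",
		"https://nomad.example/oidc/callback?code=c1&state=s1",
		"https://nomad.example/oidc/callback?code=c1&state=s1&iss=https%3A%2F%2Fidp.example%2Frealms%2Fnomad%2F",
	} {
		fmt.Printf("%s -> %v\n", cb, VerifyCallbackIssuer(cb, meta))
	}
}
```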

}
if providerMetadata.AuthorizationResponseIssParameterSupported {
if args.Iss == "" || args.Iss != authMethod.Config.OIDCDiscoveryURL {
return errors.New("access denied: invalid issuer in callback")
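Review bot: The comparison on the second line of this excerpt checks `args.Iss` against `authMethod.Config.OIDCDiscoveryURL`, the configured discovery URL, while RFC 9207 asks for a simple byte-for-byte comparison against the issuer identifier the server advertises (the `issuer` field of the same `providerMetadata` whose `authorization_response_iss_parameter_supported` flag gates this block). Either compare against that metadata issuer, or document that Nomad requires `OIDCDiscoveryURL` to equal the issuer exactly (no trailing-slash or case differences), so operators understand why a valid callback can be rejected. The `args.Iss == ""` guard only adds protection if `OIDCDiscoveryURL` can itself be empty; if config validation already requires it, the guard is redundant but harmless.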
Contributor Author

note: Unsure if we want this to be a descriptive error, or if it should be more terse

Collaborator

Looks good and not too descriptive.
Small suggestions:

  • we could use the invalid request error message (ref) to align with the spec
  • could include the missing issuer bit in the error message: invalid or missing issuer parameter in callback
