---
layout: api
page_title: ACL Auth Methods - HTTP API
description: The /acl/auth-methods endpoints are used to configure and manage ACL auth methods.
---

# ACL Auth Methods HTTP API

The `/acl/auth-methods` and `/acl/auth-method` endpoints are used to manage ACL Auth Methods.

## Create Auth Method

This endpoint creates an ACL Auth Method. The request is always forwarded to the
authoritative region.

| Method | Path               | Produces           |
| ------ | ------------------ | ------------------ |
| `POST` | `/acl/auth-method` | `application/json` |

The table below shows this endpoint's support for
[blocking queries](/api-docs#blocking-queries) and
[required ACLs](/api-docs#acls).

| Blocking Queries | ACL Required |
| ---------------- | ------------ |
| `NO`             | `management` |

### Parameters

- `Name` `(string: <required>)` - Name is the identifier of the ACL Auth
  Method. The name can contain alphanumeric characters, dashes, and underscores.
  This name must be unique and must not exceed 128 characters.

- `Type` `(string: <required>)` - ACL Auth Method SSO identifier. Currently, the
  only supported Type is `"OIDC"`.

- `TokenLocality` `(string: <required>)` - Defines whether the ACL Auth Method
  creates a local or global token when performing SSO login. This field must be
  set to either `"local"` or `"global"`.

- `MaxTokenTTL` `(duration: <required>)` - Defines the maximum life of a token created
  by this method. When set, it will initialize the `ExpirationTime` field on all
  tokens to a value of `Token.CreateTime + AuthMethod.MaxTokenTTL`. This field is
  not persisted beyond its initial use. Can be specified in the form of `"60s"` or
  `"5m"` (i.e., 60 seconds or 5 minutes, respectively).
- `Default` `(bool: false)` - Defines whether this ACL Auth Method is to be
  set as default when running the `nomad login` command.

- `Config` `(ACLAuthMethodConfig: <required>)` - The raw configuration to use for
  the auth method. This parameter is part of the auth method configuration, not
  specific to Nomad.

  - `OIDCDiscoveryURL` `(string: <required>)` - The OIDC Discovery URL, without
    any .well-known component (base path).

  - `OIDCClientID` `(string: <required>)` - The OAuth Client ID configured with
    your OIDC provider.

  - `OIDCClientSecret` `(string: <required>)` - The OAuth Client Secret
    configured with your OIDC provider.

  - `BoundAudiences` `(array<string>)` - List of `aud` claims that are valid for
    login; any match is sufficient.

  - `AllowedRedirectURIs` `(array<string>)` - A list of allowed values for
    `redirect_uri`. Must be non-empty.

  - `DiscoveryCaPem` `(array<string>)` - PEM encoded CA certs for use by the TLS
    client used to talk with the OIDC Discovery URL. If not set, system
    certificates are used.

  - `SigningAlgs` `(array<string>)` - A list of supported signing algorithms.
    Defaults to `RS256`.

  - `ClaimMappings` `(map[string]string)` - Mappings of claims (key) that will
    be copied to a metadata field (value). Use this if the claim you are capturing
    is singular (such as an attribute).

    When mapped, the values in each list can be any of a number, string, or
    boolean and will all be stringified when returned.

  - `ListClaimMappings` `(map[string]string)` - Mappings of claims (key) that will be
    copied to a metadata field (value). Use this if the claim you are capturing is
    list-like (such as groups).
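The following Python script is an added example; it is not part of the Nomad documentation or code base. It encodes the constraints the Create and Update parameter lists state (the `Name` character set and length limit, the OIDC-only `Type`, the `"local"`/`"global"` `TokenLocality`, a positive `MaxTokenTTL`, the required `Config` fields and a non-empty `AllowedRedirectURIs`), computes `ExpirationTime` as `Token.CreateTime + AuthMethod.MaxTokenTTL`, and assembles the same request the curl samples send. The function names, the `SAMPLE_PAYLOAD` values and the `redact` helper are assumptions made here; Nomad's server-side validation may check more than this.

```python
"""Client-side pre-flight checks for a Nomad ACL auth method payload.

Added example, not Nomad's own code. It applies the constraints documented for
the create and update endpoints, derives a token's ExpirationTime from
MaxTokenTTL, and builds the HTTP request. SAMPLE_PAYLOAD is constructed here.
"""
import json
import re
import urllib.request
from datetime import datetime, timedelta

# Go-style duration as accepted for MaxTokenTTL, e.g. "1h0m0s", "5m", "60s".
# Assumption: only hour/minute/second units are needed here.
_DURATION_RE = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")
# Name: alphanumeric characters, dashes and underscores, at most 128 characters.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")
_RFC3339 = "%Y-%m-%dT%H:%M:%S.%fZ"  # shape of CreateTime in the sample responses

# Constructed payload mirroring the documented sample (placeholder values).
SAMPLE_PAYLOAD = {
    "Name": "example-acl-auth-method",
    "Type": "OIDC",
    "TokenLocality": "local",
    "MaxTokenTTL": "1h0m0s",
    "Default": False,
    "Config": {
        "OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/",
        "OIDCClientID": "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt",
        "OIDCClientSecret": "example-client-secret",
        "AllowedRedirectURIs": ["http://localhost:4646/oidc/callback"],
        "ListClaimMappings": {"http://nomad.com/groups": "groups"},
    },
}


def parse_duration(text: str) -> timedelta:
    """Parse a Go duration string such as "1h0m0s" into a timedelta."""
    m = _DURATION_RE.match(text or "")
    if not text or not m:
        raise ValueError(f"invalid duration: {text!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def validate_auth_method(payload: dict) -> list[str]:
    """Return the documented constraints the payload violates (empty list = OK)."""
    problems: list[str] = []
    if not _NAME_RE.match(str(payload.get("Name", ""))):
        problems.append("Name must be 1-128 alphanumeric/dash/underscore characters")
    if payload.get("Type") != "OIDC":
        problems.append('Type must be "OIDC" (the only supported type)')
    if payload.get("TokenLocality") not in ("local", "global"):
        problems.append('TokenLocality must be "local" or "global"')
    try:
        if parse_duration(payload.get("MaxTokenTTL", "")) <= timedelta(0):
            problems.append("MaxTokenTTL must be a positive duration")
    except ValueError as err:
        problems.append(f"MaxTokenTTL: {err}")
    cfg = payload.get("Config")
    if not isinstance(cfg, dict):
        problems.append("Config is required")
        return problems
    for key in ("OIDCDiscoveryURL", "OIDCClientID", "OIDCClientSecret"):
        if not cfg.get(key):
            problems.append(f"Config.{key} is required")
    if ".well-known" in str(cfg.get("OIDCDiscoveryURL", "")):
        problems.append("Config.OIDCDiscoveryURL must be the base path without .well-known")
    if not cfg.get("AllowedRedirectURIs"):
        problems.append("Config.AllowedRedirectURIs must be non-empty")
    return problems


def token_expiration(create_time: str, max_token_ttl: str) -> str:
    """ExpirationTime = Token.CreateTime + AuthMethod.MaxTokenTTL, on RFC 3339 UTC stamps."""
    created = datetime.strptime(create_time, _RFC3339)
    return (created + parse_duration(max_token_ttl)).strftime(_RFC3339)


def build_request(payload: dict, token: str, addr: str = "https://localhost:4646",
                  update: bool = False) -> urllib.request.Request:
    """Build the POST the curl samples send; update=True targets /acl/auth-method/:name."""
    path = "/v1/acl/auth-method" + (f"/{payload['Name']}" if update else "")
    return urllib.request.Request(
        addr + path,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"X-Nomad-Token": token, "Content-Type": "application/json"},
    )


def redact(payload: dict) -> dict:
    """Deep copy safe to log: create/update responses echo OIDCClientSecret back."""
    out = json.loads(json.dumps(payload))
    if isinstance(out.get("Config"), dict) and "OIDCClientSecret" in out["Config"]:
        out["Config"]["OIDCClientSecret"] = "<redacted>"
    return out


if __name__ == "__main__":
    print("problems:", validate_auth_method(SAMPLE_PAYLOAD) or "none")
    req = build_request(SAMPLE_PAYLOAD, "<NOMAD_TOKEN_SECRET_ID>")
    print(req.get_method(), req.full_url)
    print(json.dumps(redact(SAMPLE_PAYLOAD), indent=2))
```

Run it before the `curl` call to catch a payload the server would reject. The create and update responses return `OIDCClientSecret` in clear text inside `Config`, so anything you log from them should go through `redact` first.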
### Sample Payload

```json
{
  "Name": "example-acl-auth-method",
  "Type": "OIDC",
  "TokenLocality": "local",
  "MaxTokenTTL": "1h0m0s",
  "Default": false,
  "Config": {
    "OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/",
    "OIDCClientID": "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt",
    "OIDCClientSecret": "example-client-secret",
    "BoundAudiences": [
      "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt"
    ],
    "AllowedRedirectURIs": [
      "http://localhost:4646/oidc/callback"
    ],
    "ClaimMappings": {
      "http://example.com/first_name": "first_name",
      "http://example.com/last_name": "last_name"
    },
    "ListClaimMappings": {
      "http://nomad.com/groups": "groups"
    }
  }
}
```

### Sample Request

```shell-session
$ curl \
    --request POST \
    --header "X-Nomad-Token: <NOMAD_TOKEN_SECRET_ID>" \
    --data @payload.json \
    https://localhost:4646/v1/acl/auth-method
```

### Sample Response

```json
{
  "MaxTokenTTL": "1h0m0s",
  "Name": "example-acl-auth-method",
  "Type": "OIDC",
  "TokenLocality": "local",
  "Default": false,
  "Config": {
    "OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/",
    "OIDCClientID": "v1rpi2myptmv1rpi2myptmv1rpi2mypt",
    "OIDCClientSecret": "example-client-secret",
    "BoundAudiences": [
      "v1rpi2myptmv1rpi2myptmv1rpi2mypt"
    ],
    "AllowedRedirectURIs": [
      "http://localhost:4646/oidc/callback"
    ],
    "DiscoveryCaPem": null,
    "SigningAlgs": null,
    "ClaimMappings": {
      "http://example.com/first_name": "first_name",
      "http://example.com/last_name": "last_name"
    },
    "ListClaimMappings": {
      "http://nomad.com/groups": "groups"
    }
  },
  "CreateTime": "2022-12-08T11:04:43.46206Z",
  "ModifyTime": "2022-12-08T11:04:43.46206Z",
  "CreateIndex": 12,
  "ModifyIndex": 12
}
```

## Update Auth Method

This endpoint updates an existing ACL Auth Method.
The request is always forwarded to the authoritative region.

| Method | Path                            | Produces           |
| ------ | ------------------------------- | ------------------ |
| `POST` | `/acl/auth-method/:method_name` | `application/json` |

The table below shows this endpoint's support for [blocking
queries](/api-docs#blocking-queries) and [required ACLs](/api-docs#acls).

| Blocking Queries | ACL Required |
| ---------------- | ------------ |
| `NO`             | `management` |

### Parameters

- `Name` `(string: <required>)` - Name is the identifier of the ACL Auth
  Method. The name can contain alphanumeric characters, dashes, and underscores.
  This name must be unique and must not exceed 128 characters.

- `Type` `(string: <required>)` - ACL Auth Method SSO identifier. Currently, the
  only supported Type is `"OIDC"`.

- `TokenLocality` `(string: "")` - Defines whether the ACL Auth Method
  creates a local or global token when performing SSO login. This field must be
  set to either `"local"` or `"global"`.

- `MaxTokenTTL` `(duration: <required>)` - Defines the maximum life of a token created
  by this method. When set, it will initialize the `ExpirationTime` field on all
  tokens to a value of `Token.CreateTime + AuthMethod.MaxTokenTTL`. This field is
  not persisted beyond its initial use. Can be specified in the form of `"60s"` or
  `"5m"` (i.e., 60 seconds or 5 minutes, respectively).

- `Default` `(bool: false)` - Defines whether this ACL Auth Method is to be
  set as default when running the `nomad login` command.

- `Config` `(ACLAuthMethodConfig: nil)` - The raw configuration to use for
  the auth method. This parameter is part of the auth method configuration, not
  specific to Nomad.

  - `OIDCDiscoveryURL` `(string: "")` - The OIDC Discovery URL, without
    any .well-known component (base path).
  - `OIDCClientID` `(string: "")` - The OAuth Client ID configured with
    your OIDC provider.

  - `OIDCClientSecret` `(string: "")` - The OAuth Client Secret
    configured with your OIDC provider.

  - `BoundAudiences` `(array<string>)` - List of `aud` claims that are valid for
    login; any match is sufficient.

  - `AllowedRedirectURIs` `(array<string>)` - A list of allowed values for
    `redirect_uri`. Must be non-empty.

  - `DiscoveryCaPem` `(array<string>)` - PEM encoded CA certs for use by the TLS
    client used to talk with the OIDC Discovery URL. If not set, system
    certificates are used.

  - `SigningAlgs` `(array<string>)` - A list of supported signing algorithms.
    Defaults to `RS256`.

  - `ClaimMappings` `(map[string]string)` - Mappings of claims (key) that will
    be copied to a metadata field (value). Use this if the claim you are capturing
    is singular (such as an attribute).

    When mapped, the values in each list can be any of a number, string, or
    boolean and will all be stringified when returned.

  - `ListClaimMappings` `(map[string]string)` - Mappings of claims (key) that will be
    copied to a metadata field (value). Use this if the claim you are capturing is
    list-like (such as groups).
### Sample Payload

```json
{
  "Name": "example-acl-auth-method",
  "Type": "OIDC",
  "TokenLocality": "global",
  "MaxTokenTTL": "1h0m0s",
  "Default": true,
  "Config": {
    "OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/",
    "OIDCClientID": "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt",
    "OIDCClientSecret": "example-client-secret",
    "BoundAudiences": [
      "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt"
    ],
    "AllowedRedirectURIs": [
      "http://localhost:4646/oidc/callback"
    ],
    "ClaimMappings": {
      "http://example.com/first_name": "first_name",
      "http://example.com/last_name": "last_name"
    },
    "ListClaimMappings": {
      "http://nomad.com/groups": "groups"
    }
  }
}
```

### Sample Request

```shell-session
$ curl \
    --request POST \
    --header "X-Nomad-Token: <NOMAD_TOKEN_SECRET_ID>" \
    --data @payload.json \
    https://localhost:4646/v1/acl/auth-method/example-acl-auth-method
```

### Sample Response

```json
{
  "MaxTokenTTL": "1h0m0s",
  "Name": "example-acl-auth-method",
  "Type": "OIDC",
  "TokenLocality": "global",
  "Default": true,
  "Config": {
    "OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/",
    "OIDCClientID": "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt",
    "OIDCClientSecret": "example-client-secret",
    "BoundAudiences": [
      "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt"
    ],
    "AllowedRedirectURIs": [
      "http://localhost:4646/oidc/callback"
    ],
    "ClaimMappings": {
      "http://example.com/first_name": "first_name",
      "http://example.com/last_name": "last_name"
    },
    "ListClaimMappings": {
      "http://nomad.com/groups": "groups"
    }
  },
  "CreateTime": "2022-12-08T11:04:43.46206Z",
  "ModifyTime": "2022-12-08T11:04:43.46206Z",
  "CreateIndex": 12,
  "ModifyIndex": 32
}
```

## List Auth Methods

This endpoint lists all ACL Auth Methods.
This lists the auth methods that have
been replicated to the region, and may lag behind the authoritative region.

| Method | Path                | Produces           |
| ------ | ------------------- | ------------------ |
| `GET`  | `/acl/auth-methods` | `application/json` |

The table below shows this endpoint's support for
[blocking queries](/api-docs#blocking-queries),
[consistency modes](/api-docs#consistency-modes) and
[required ACLs](/api-docs#acls).

| Blocking Queries | Consistency Modes | ACL Required |
| ---------------- | ----------------- | ------------ |
| `YES`            | `all`             | None         |

### Sample Request

```shell-session
$ curl \
    --header "X-Nomad-Token: <NOMAD_TOKEN_SECRET_ID>" \
    https://localhost:4646/v1/acl/auth-methods
```

### Sample Response

```json
[
  {
    "CreateIndex": 12,
    "Default": true,
    "ModifyIndex": 32,
    "Name": "example-acl-auth-method",
    "Type": "OIDC"
  }
]
```

## Read Auth Method by Name

This endpoint reads an ACL Auth Method with the given name. This queries the
auth method that has been replicated to the region, and may lag behind the
authoritative region.

| Method | Path                            | Produces           |
| ------ | ------------------------------- | ------------------ |
| `GET`  | `/acl/auth-method/:method_name` | `application/json` |

The table below shows this endpoint's support for
[blocking queries](/api-docs#blocking-queries),
[consistency modes](/api-docs#consistency-modes) and
[required ACLs](/api-docs#acls).

| Blocking Queries | Consistency Modes | ACL Required       |
| ---------------- | ----------------- | ------------------ |
| `YES`            | `all`             | `management` token |

### Parameters

- `:method_name` `(string: <required>)` - Specifies the name of the ACL Auth
  Method. This is specified as part of the path.
### Sample Request

```shell-session
$ curl \
    --header "X-Nomad-Token: <NOMAD_TOKEN_SECRET_ID>" \
    https://localhost:4646/v1/acl/auth-method/example-acl-auth-method
```

### Sample Response

```json
{
  "MaxTokenTTL": "1h0m0s",
  "Name": "example-acl-auth-method",
  "Type": "OIDC",
  "TokenLocality": "global",
  "Default": true,
  "Config": {
    "OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/",
    "OIDCClientID": "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt",
    "OIDCClientSecret": "example-client-secret",
    "BoundAudiences": [
      "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt"
    ],
    "AllowedRedirectURIs": [
      "http://localhost:4646/oidc/callback"
    ],
    "ClaimMappings": {
      "http://example.com/first_name": "first_name",
      "http://example.com/last_name": "last_name"
    },
    "ListClaimMappings": {
      "http://nomad.com/groups": "groups"
    }
  },
  "CreateTime": "2022-12-08T11:04:43.46206Z",
  "ModifyTime": "2022-12-08T11:04:43.46206Z",
  "CreateIndex": 12,
  "ModifyIndex": 32
}
```

## Delete Auth Method

This endpoint deletes the ACL Auth Method as identified by its name. This
request is always forwarded to the authoritative region.

| Method   | Path                            | Produces       |
| -------- | ------------------------------- | -------------- |
| `DELETE` | `/acl/auth-method/:method_name` | `(empty body)` |

The table below shows this endpoint's support for
[blocking queries](/api-docs#blocking-queries) and
[required ACLs](/api-docs#acls).

| Blocking Queries | ACL Required |
| ---------------- | ------------ |
| `NO`             | `management` |

### Parameters

- `method_name` `(string: <required>)` - Specifies the name of the auth method to
  delete and is specified as part of the path.
### Sample Request

```shell-session
$ curl \
    --request DELETE \
    --header "X-Nomad-Token: <NOMAD_TOKEN_SECRET_ID>" \
    https://localhost:4646/v1/acl/auth-method/example-acl-auth-method
```