hashicorp / nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
https://www.nomadproject.io/

Federated OIDC login on non-primary nomad server gives odd token errors (but works) #18944

Open dmclf opened 11 months ago

dmclf commented 11 months ago

Nomad version

Output from nomad version

Nomad v1.6.2
BuildDate 2023-09-13T16:47:25Z
Revision 73e372ad94033db2ceaf53468b270a31544c23fd

Operating system and Environment details

Issue

When logging in with OIDC on a federated multi-region Nomad cluster, this is consistently happening: a popup in green and red.

Token Authenticated!
Your token is valid and authorized for the following policies.
Your token was not found
It may have expired, or been entered incorrectly.

image

Reproduction steps

Expected Result

Clean login

Actual Result

Messy output concerning token authentication and token not found (see image).

lgfa29 commented 11 months ago

Thanks for the report @dmclf.

It seems like these errors are conditionally rendered using a few non-mutually exclusive flags, and, if they are not set properly, it can lead to the scenario you described. https://github.com/hashicorp/nomad/blob/5f98e6473ccf2c5dd643fa6d79c43d113c56519b/ui/app/templates/settings/tokens.hbs#L55-L77

And the only place where we set tokenNotFound to true is when trying to fetch the token: https://github.com/hashicorp/nomad/blob/5f98e6473ccf2c5dd643fa6d79c43d113c56519b/ui/app/services/token.js#L43-L60

So I suspect we may be querying the wrong region for that, resulting in the ACL token not found error.

I have placed this in our board for further roadmapping.

Thanks again for the report!

dmclf commented 3 weeks ago

Still valid with v1.8.3

image