Add new optional OIDCDisableUserInfo setting for OIDC auth provider

[eumikhailov]

Add new optional OIDCDisableUserInfo setting for OIDC auth provider which disables a request to the identity provider to get OIDC UserInfo.

This options is helpful when your identity provider doesn't send any additional claims from the UserInfo endpoint, such as
Microsoft AD FS OIDC Provider:

The AD FS UserInfo endpoint always returns the subject claim as specified in the OpenID standards. AD FS doesn't support additional claims requested via the UserInfo endpoint

Fixes #19318

[hashicorp-cla]

All committers have signed the CLA.

[eumikhailov]

Hi @tgross!
Please take a look :)

[tgross]

@eumikhailov I've been away for the holidays and haven't had a chance to review this yet. But I'll need you to sign the CLA before I can do so.

[eumikhailov]

@tgross happy new year! 😃
PS I've signed CLA

[tgross]

Hi @eumikhailov I've left a comment in #19318 (comment) which we should probably discuss further before spending more time on this PR.

[tgross]

@eumikhailov I don't have an environment I can test this in. Have you verified that this actually works with ADFS?

[eumikhailov]

@tgross tested with Microsoft AD FS 4.0 and it's work!

1. Build up Nomad

home/wsl/nomad# ./nomad version
Nomad v1.7.3-dev
....
Revision 8b4301ddbb404b581a8ee536db9793360c45f8aa+CHANGES

2. Setup oidc

home/wsl/nomad# ./nomad acl auth-method info microsoft-oidc
Name              = microsoft-oidc
Type              = OIDC
Locality          = global
Max Token TTL     = 1h0m0s
Token Name Format = ${auth_method_type}-${auth_method_name}
Default           = false
Create Index      = 34
Modify Index      = 36

Auth Method Config

JWT Validation Public Keys = <none>
JWKS URL                   = <none>
OIDC Discovery URL         = ***/adfs
OIDC Client ID             = de2658c8-cfbc-4d65-9b5e-bc3e85d1552d
OIDC Client Secret         = <none>
OIDC Disable UserInfo      = true
OIDC Scopes                = https://nomad.***/openid,openid
Bound audiences            = de2658c8-cfbc-4d65-9b5e-bc3e85d1552d,https://nomad.***
Bound issuer               = <none>
Allowed redirects URIs     = http://localhost:4646/ui/settings/tokens
Discovery CA pem           = <none>
JWKS CA cert               = <none>
Signing algorithms         = <none>
Expiration Leeway          = 0s
NotBefore Leeway           = 0s
ClockSkew Leeway           = 0s
Claim mappings             = {upn: upn}
List claim mappings        = {roles: roles}

3. Setup binding rule

home/wsl/nomad# ./nomad acl binding-rule info 743327e9-117a-3041-7e1c-718df4516900
ID           = 743327e9-117a-3041-7e1c-718df4516900
Description  = <none>
Auth Method  = microsoft-oidc
Selector     = "\"role-mgmt\" in list.roles"
Bind Type    = management
Bind Name    = <none>
Create Time  = ***
Modify Time  = ***
Create Index = 42
Modify Index = 42

4. Logon in UI works fine
   

[tgross]

Ok @eumikhailov I've tested this out as described in #19318 (comment). I only need two more things from you:

• Can you rebase this on main to resolve the merge conflict?
• Can you run make cl to add a changelog entry?

Once that's done, I'll merge this and get it backported. Thanks!

[eumikhailov]

@tgross OK, fixed!

[tgross]

LGTM! I'll merge once CI is green, and make sure the backports happen.