How to update the OIDC config in Nomad?

One min read
Stephan Hochdörfer
Head of IT Business Operations

In a previous post, I covered configuring Nomad to use OpenID Connect with Entra ID. However, when your OIDC secret expires, you'll need to refresh the OIDC config. But how do you do it?

Initially, I thought updating the OIDC config only required sending the changed properties, specifically the OIDCClientSecret property. Unfortunately, this approach didn't work as expected.

It turns out that even for an update, you need to send the complete OIDC config to Nomad again. In practice, this means taking your existing OIDC config, swapping in the new secret, and submitting the whole document once more.

Here's an example of what the updated config might look like:

{
  "OIDCDiscoveryURL": "https://login.microsoftonline.com/[TENANT_ID]/v2.0",
  "OIDCClientID": "[CLIENT_ID]",
  "OIDCClientSecret": "[CLIENT_SECRET]",
  "BoundAudiences": ["[CLIENT_ID]"],
  "AllowedRedirectURIs": [
    "https://example.com/oidc/callback",
    "https://example.com/ui/settings/tokens"
  ],
  "ListClaimMappings": {
    "groups": "groups"
  }
}

Once you have your updated config, you can run the auth-method update command for the auth method oidc2 (or whatever name you chose when creating the auth method):

nomad acl auth-method update -config=@./config.json oidc2
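Because Nomad replaces the whole config on update, the safest way to rotate the secret is to read the current method back, change only OIDCClientSecret, and resubmit the complete document. The script below does that; it is an added example, not code from the original post or from Nomad, and it assumes that `nomad acl auth-method info -json` returns the method with its settings under a top-level `Config` key.

```python
"""Rotate the client secret of an existing Nomad OIDC auth method.

Added example, not from the original post. Assumes `nomad acl auth-method
info -json <name>` returns a JSON object whose "Config" key holds the same
fields that the update command expects in its -config file.
"""
import json
import os
import subprocess
import sys
import tempfile

# Fields present in the post's config. If any is missing we would be about
# to send Nomad an incomplete config, which the post shows does not work.
REQUIRED_KEYS = ("OIDCDiscoveryURL", "OIDCClientID", "OIDCClientSecret",
                 "BoundAudiences", "AllowedRedirectURIs", "ListClaimMappings")


def build_updated_config(current: dict, new_secret: str) -> dict:
    """Return a full copy of `current` with only the client secret replaced."""
    missing = [k for k in REQUIRED_KEYS if k not in current]
    if missing:
        raise ValueError(f"config incomplete, missing: {missing}")
    if not new_secret:
        raise ValueError("new client secret must not be empty")
    updated = json.loads(json.dumps(current))  # deep copy, no shared lists
    updated["OIDCClientSecret"] = new_secret
    return updated


def update_command(config_path: str, method_name: str) -> list:
    """Argv for the update call shown in the post; -config=@ reads a file."""
    return ["nomad", "acl", "auth-method", "update",
            f"-config=@{config_path}", method_name]


def rotate_secret(method_name: str, new_secret: str) -> None:
    """Read the current method, rebuild the full config, push it to Nomad."""
    info = subprocess.run(["nomad", "acl", "auth-method", "info", "-json",
                           method_name], check=True, capture_output=True, text=True)
    updated = build_updated_config(json.loads(info.stdout)["Config"], new_secret)
    # The file holds a live secret: mkstemp creates it owner-only (0600),
    # and it is removed again whether or not the update succeeds.
    fd, path = tempfile.mkstemp(suffix=".json")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(updated, fh)
        subprocess.run(update_command(path, method_name), check=True)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Usage: echo "$NEW_SECRET" | python rotate_oidc_secret.py oidc2
    # The secret is read from stdin so it never appears in the process list.
    rotate_secret(sys.argv[1], sys.stdin.readline().strip())
```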