How can I pass OIDC_CLAIM_EMAIL value to my applications?


I’m new to OOD and am working with an established system. We need to extend our config to pass the user’s email address on job submission. We know how to pass the value, but not how to set it in the first place.

I believe the value we want is populated by openid in the OIDC_CLAIM_EMAIL variable. How can we extract that value and pass it through to the applications, perhaps as an environment variable?

We thought we might be able to do this using the pun_custom_env section (or the pun_custom_env_declarations section) of the nginx_stage.yml file. However, it’s not clear whether the OIDC_CLAIM_EMAIL value is available there or, if so, how to reference it.

Alternatively, it seems we might be able to use the pun_pre_hook_root_cmd and pun_pre_hook_exports options to access OIDC_CLAIM_EMAIL, but it’s not clear how to then propagate the value to the applications.

Thanks for any guidance you can provide!


Hi and welcome. We don’t preserve any of those environment variables when we start the per user nginx (PUN). In fact we’ve made some effort to make sure we don’t leak any extra environment variables to the PUN.

That said - you seem to have found the path forward - the pun_pre_hook_root_cmd.

Use the pre-hook to write a file, say ~/.email (remember this is running as root, so it likely has to chown and maybe even chmod).

Then use a Ruby initializer to read the file and set the environment variable like so:

# /etc/ood/config/apps/dashboard/initializers/email.rb
require 'etc'

file_to_read = "#{Etc.getpwuid.dir}/.email"

if File.exists?(file_to_read) && File.readable?(file_to_read)
  contents =
  ENV['OIDC_CLAIM_EMAIL'] = contents

# I had this here just for testing.

Docs on initializers are sparse - but here’s an example doing something else


That’s just what I needed, thanks very much!

It’s working great, I just had to make a small change to your code above…I added .rstrip to this line:

ENV['OIDC_CLAIM_EMAIL'] = contents.rstrip

Here’s the pun_pre_hook_root_cmd script I wrote based on your description:


# script to be run via the OOD pun_pre_hook_root_cmd mechanism.

# for testing
#exit 0

if [ $# -ne 1 ]; then
    echo "usage: $0 --user <user-name>" >&2
    exit 1

# from
TARGET_DIR=$(/bin/getent passwd "$user" | /bin/cut -d: -f6)

# always wipe out the target file
/bin/rm "$TARGET_FILE"

if [ ! -z ${OOD_OIDC_CLAIM_EMAIL+x} ]; then
    # yes, it is set. create the target file.
    /bin/chown $user "$TARGET_FILE"
    /bin/chmod 755 "$TARGET_FILE"

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.