Vault
OIDC Provider Configuration
This page collects high-level setup steps on how to configure an OIDC application for various providers. For more general usage and operation information, see the Vault JWT/OIDC method documentation.
OIDC providers are often highly configurable and you should become familiar with their recommended settings and best practices. The instructions below are largely community-driven and intended to help you get started. Corrections and additions may be submitted via the Vault Github repository.
Azure Active Directory (AAD)
Note: Azure Active Directory Applications that have custom signing keys as a result of using the claims-mapping feature are currently not supported for OIDC authentication.
Reference: Azure Active Directory v2.0 and the OpenID Connect protocol
Choose your Azure tenant.
Go to Azure Active Directory and register an application for Vault.
Add Redirect URIs with the "Web" type. You may include two redirect URIs, one for CLI access another one for Vault UI access.
Record the "Application (client) ID" as you will need it as the
oidc_client_id
.Under Endpoints, copy the OpenID Connect metadata document URL, omitting the
/well-known...
portion.- The endpoint URL (
oidc_discovery_url
) will look like: https://login.microsoftonline.com/tenant-guid-dead-beef-aaaa-aaaa/v2.0
- The endpoint URL (
Under Certificates & secrets, add a client secret Record the secret's value as you will need it as the
oidc_client_secret
for Vault.
Connect AD group with Vault external group
Reference: Azure Active Directory with OIDC Auth Method and External Groups
To connect the AD group with a Vault external groups, you will need Azure AD v2.0 endpoints. You should set up a Vault policy for the Azure AD group to use.
Go to Azure Active Directory and choose your Vault application.
Go to Token configuration and Add groups claim. Select "All" or "SecurityGroup" based on which groups for a user you want returned in the claim.
In Vault, enable the OIDC auth method.
Configure the OIDC auth method with the
oidc_client_id
(application ID),oidc_client_secret
(client secret), andoidc_discovery_url
(endpoint URL) you recorded from Azure.vault write auth/oidc/config \ oidc_client_id="your_client_id" \ oidc_client_secret="your_client_secret" \ default_role="your_default_role" \ oidc_discovery_url="https://login.microsoftonline.com/tenant_id/v2.0"
Configure the OIDC Role with the following:
user_claim
should be"email"
.allowed_redirect_uris
should be the two redirect URIs for Vault CLI and UI access.groups_claim
should be set to"groups"
.oidc_scopes
should be set to"https://graph.microsoft.com/.default"
.
vault write auth/oidc/role/your_default_role \ user_claim="email" \ allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \ groups_claim="groups" \ oidc_scopes="https://graph.microsoft.com/.default" \ policies=default
In Vault, create the external group. Record the group ID as you will need it for the group alias.
From Vault, retrieve the OIDC accessor ID from the OIDC auth method as you will need it for the group alias's
mount_accessor
.Go to the Azure AD Group you want to attach to Vault's external group. Record the
objectId
as you will need it as the group alias name in Vault.In Vault, create a group alias for the external group and set the
objectId
as the group alias name.vault write identity/group-alias \ name="your_ad_group_object_id" \ mount_accessor="vault_oidc_accessor_id" \ canonical_id="vault_external_group_id"
Optional Azure-specific Configuration
If a user is a member of more than 200 groups (directly or indirectly), extra configuration is required so that Vault can fetch the groups properly.
In Azure, under the applications API Permissions, grant the following permissions:
- Microsoft Graph API permission Directory.Read.All
In Vault, set
"provider_config"
to Azure.vault write auth/oidc/config -<<"EOH" { "oidc_client_id": "your_client_id", "oidc_client_secret": "your_client_secret", "default_role": "your_default_role", "oidc_discovery_url": "https://login.microsoftonline.com/tenant_id/v2.0", "provider_config": { "provider": "azure" } } EOH
In Vault, add
"profile"
tooidc_scopes
so the user's id comes back on the JWT.vault write auth/oidc/role/your_default_role \ user_claim="email" \ allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \ groups_claim="groups" \ oidc_scopes="profile" \ policies="default"
Auth0
- Select Create Application (Regular Web App).
- Configure Allowed Callback URLs.
- Copy client ID and secret.
- If you see Vault errors involving signature, check the application's Advanced > OAuth settings and verify that signing algorithm is "RS256".
ForgeRock
- Navigate to Applications -> OAuth 2.0 -> Clients in ForgeRock Access Management.
- Create new client.
- Configure Client ID, Client Secret, Scopes and Redirection URIs.
client ID
client secret
allowed_redirect_uris
should be the two redirect URIs for Vault CLI and UI access.oidc_scopes
should be set to the OIDC scopes.
- Save Client ID and Client Secret.
Configuration
In Vault, enable the OIDC auth method.
Configure the OIDC auth method with the
oidc_client_id
(client ID),oidc_client_secret
(client secret), andoidc_discovery_url
(endpoint URL) from ForgeRock.vault write auth/oidc/config \ oidc_client_id="your_client_id" \ oidc_client_secret="your_client_secret" \ default_role="your_default_role" \ oidc_discovery_url="https://openam.example.com:8443/openam/oauth2"
Configure the OIDC Role with the following:
user_claim
should be"sub"
.allowed_redirect_uris
should be the two redirect URIs for Vault CLI and UI access.oidc_scopes
should be set to the OIDC scopes.
vault write auth/oidc/role/your_default_role \ user_claim="sub" \ allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \ oidc_scopes="your_oidc_scopes" \ policies=default
Gitlab
- Visit Settings > Applications.
- Fill out Name and Redirect URIs.
- Making sure to select the "openid" scope.
- Copy client ID and secret.
Main reference: Using OAuth 2.0 to Access Google APIs
- Visit the Google API Console.
- Create or a select a project.
- Create a new credential via Credentials > Create Credentials > OAuth Client ID.
- Configure the OAuth Consent Screen. Application Name is required. Save.
- Select application type: "Web Application".
- Configure Authorized Redirect URIs.
- Save client ID and secret.
Optional Google-specific Configuration
Google-specific configuration is available when using Google as an identity provider from the Vault JWT/OIDC auth method. The configuration allows Vault to obtain Google Workspace group membership and user information during the JWT/OIDC authentication flow. The group membership obtained from Google Workspace may be used for Identity group alias association. The user information obtained from Google Workspace can be used to copy claims data into resulting auth token and alias metadata via claim_mappings.
Setup
To set up the Google-specific handling, you'll need:
- A Google Workspace account with the super admin role for granting domain-wide delegation API client access.
- The ability to create a service account in Google Cloud Platform.
- To enable the Admin SDK API.
- An OAuth 2.0 application with an external user type.
The Google-specific handling that's used to fetch Google Workspace groups and user information in Vault uses Google Workspace Domain-Wide Delegation of Authority for authentication and authorization. You need to follow all steps in the guide to obtain the key file for a Google service account capable of making requests to the Google Workspace User Accounts and Groups APIs.
In step 5 within the section titled Delegate domain-wide authority to your service account, the only OAuth scopes that should be granted are:
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
This is an important security step in order to give the service account the least set of privileges that enable the feature.
The Google service account key file obtained from the steps in the guide must be made available on the host that Vault is running on.
Configuration
provider
(string: <required>)
- Name of the provider. Must be set to "gsuite".gsuite_service_account
(string: <required>)
- Either the path to or the contents of a Google service account key file in JSON format. If given as a file path, it must refer to a file that's readable on the host that Vault is running on. If given directly as JSON contents, the JSON must be properly escaped.gsuite_admin_impersonate
(string: <required>)
- Email address of a Google Workspace admin to impersonate.fetch_groups
(bool: false)
- If set to true, groups will be fetched from Google Workspace.fetch_user_info
(bool: false)
- If set to true, user info will be fetched from Google Workspace using the configured user_custom_schemas.groups_recurse_max_depth
(int: <optional>)
- Group membership recursion max depth. Defaults to 0, which means don't recurse.user_custom_schemas
(string: <optional>)
- Comma-separated list of Google Workspace custom schemas. Values set for Google Workspace users using custom schema fields will be fetched and made available as claims that can be used with claim_mappings. Required if fetch_user_info is set to true.
Example configuration:
vault write auth/oidc/config -<<EOF
{
"oidc_discovery_url": "https://accounts.google.com",
"oidc_client_id": "your_client_id",
"oidc_client_secret": "your_client_secret",
"default_role": "your_default_role",
"provider_config": {
"provider": "gsuite",
"gsuite_service_account": "/path/to/service-account.json",
"gsuite_admin_impersonate": "admin@gsuitedomain.com",
"fetch_groups": true,
"fetch_user_info": true,
"groups_recurse_max_depth": 5,
"user_custom_schemas": "Education,Preferences"
}
}
EOF
Role
The user_claim value of the role must be set to
one of either sub
or email
for the Google Workspace group and user information
queries to succeed.
Example role:
vault write auth/oidc/role/your_default_role \
allowed_redirect_uris="http://localhost:8200/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" \
user_claim="sub" \
groups_claim="groups" \
claim_mappings="/Education/graduation_date"="graduation_date" \
claim_mappings="/Preferences/shirt_size"="shirt_size"
Keycloak
- Select/create a Realm and Client. Select a Client and visit Settings.
- Client Protocol: openid-connect
- Access Type: confidential
- Standard Flow Enabled: On
- Configure Valid Redirect URIs.
- Save.
- Visit Credentials. Select Client ID and Secret and note the generated secret.
Kubernetes
Kubernetes can function as an OIDC provider such that Vault can validate its service account tokens using JWT/OIDC auth.
Note: The JWT auth engine does not use Kubernetes' TokenReview
API
during authentication, and instead uses public key cryptography to verify the
contents of JWTs. This means tokens that have been revoked by Kubernetes will
still be considered valid by Vault until their expiry time. To mitigate this
risk, use short TTLs for service account tokens or use
Kubernetes auth which does use the TokenReview
API.
Using service account issuer discovery
When using service account issuer discovery, you only need to provide the JWT auth mount with an OIDC discovery URL, and sometimes a TLS certificate authority to trust. This makes it the most straightforward method to configure if your Kubernetes cluster meets the requirements.
Kubernetes cluster requirements:
ServiceAccountIssuerDiscovery
feature enabled.- Present from 1.18, defaults to enabled from 1.20.
- kube-apiserver's
--service-account-issuer
flag is set to a URL that is reachable from Vault. Public by default for most managed Kubernetes solutions. - Must use short-lived service account tokens when logging in.
- Tokens mounted into pods default to short-lived from 1.21.
Configuration steps:
Ensure OIDC discovery URLs do not require authentication, as detailed here:
kubectl create clusterrolebinding oidc-reviewer \ --clusterrole=system:service-account-issuer-discovery \ --group=system:unauthenticated
Find the issuer URL of the cluster.
ISSUER="$(kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer')"
Enable and configure JWT auth in Vault.
If Vault is running in Kubernetes:
kubectl exec vault-0 -- vault auth enable jwt kubectl exec vault-0 -- vault write auth/jwt/config \ oidc_discovery_url=https://kubernetes.default.svc.cluster.local \ oidc_discovery_ca_pem=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
Alternatively, if Vault is not running in Kubernetes:
Note: When Vault is outside the cluster, the
$ISSUER
endpoint below may or may not be reachable. If not, you can configure JWT auth usingjwt_validation_pubkeys
instead.vault auth enable jwt vault write auth/jwt/config oidc_discovery_url="${ISSUER}"
Configure a role and log in as detailed below.
Using JWT validation public keys
This method can be useful if Kubernetes' API is not reachable from Vault or if you would like a single JWT auth mount to service multiple Kubernetes clusters by chaining their public signing keys.
Kubernetes cluster requirements:
ServiceAccountIssuerDiscovery
feature enabled.- Present from 1.18, defaults to enabled from 1.20.
- This requirement can be avoided if you can access the Kubernetes master
nodes to read the public signing key directly from disk at
/etc/kubernetes/pki/sa.pub
. In this case, you can skip the steps to retrieve and then convert the key as it will already be in PEM format.
- Must use short-lived service account tokens when logging in.
- Tokens mounted into pods default to short-lived from 1.21.
Configuration steps:
Fetch the service account signing public key from your cluster's JWKS URI.
# 1. Find the issuer URL of the cluster. ISSUER="$(kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer')" # 2. Query the jwks_uri specified in /.well-known/openid-configuration kubectl get --raw "$(kubectl get --raw /.well-known/openid-configuration | jq -r '.jwks_uri' | sed -r 's/.*\.[^/]+(.*)/\1/')"
Convert the keys from JWK format to PEM. You can use a CLI tool or an online converter such as this one.
Configure the JWT auth mount with those public keys.
vault write auth/jwt/config \ jwt_validation_pubkeys="-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9... -----END PUBLIC KEY-----","-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9... -----END PUBLIC KEY-----"
Configure a role and log in as detailed below.
Creating a role and logging in
Once your JWT auth mount is configured, you're ready to configure a role and log in.
Create a role for JWT auth that the
default
service account from thedefault
namespace can use. The audience of tokens defaults to the same as the issuer, but it is configurable.vault write auth/jwt/role/my-role \ role_type="jwt" \ bound_audiences="${ISSUER}" \ user_claim="sub" \ bound_subject="system:serviceaccount:default:default" \ policies="default" \ ttl="1h"
Pods or other clients with access to a service account JWT can then log in.
vault write auth/jwt/login \ role=my-role \ jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token # OR equivalent to: curl \ --fail \ --request POST \ --header "X-Vault-Request: true" \ --data '{"jwt":"<JWT-TOKEN-HERE>","role":"my-role"}' \ "${VAULT_ADDR}/v1/auth/jwt/login"
Specifying TTL and audience
If you would like to specify a custom TTL or audience for service account tokens,
the following pod spec illustrates a volume mount that overrides the default
admission injected token. This is especially relevant if you are unable to
disable the --service-account-extend-token-expiration
flag for kube-apiserver
and want to use short TTLs.
When using the resulting token, you will need to set bound_audiences=vault
when creating roles in Vault's JWT auth mount.
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
# automountServiceAccountToken is redundant in this example because the
# mountPath overlapping with the default path below will already stop the
# default admission injected token from being created. Use this option if you
# choose a different mount path.
automountServiceAccountToken: false
containers:
- name: nginx
image: nginx
volumeMounts:
- name: custom-token
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
volumes:
- name: custom-token
projected:
defaultMode: 420
sources:
- serviceAccountToken:
path: token
expirationSeconds: 600 # 10 minutes is the minimum TTL
audience: vault
- configMap:
name: kube-root-ca.crt
items:
- key: ca.crt
path: ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
Okta
- Make sure an Authorization Server has been created. The "Issuer" field shown on the Setting page
will be used as the
oidc_discovery_url
. - Visit Applications > Add Application (Web).
- Configure Login redirect URIs. Save.
- Save client ID and secret.
Note your policy will need oidc_scopes
to include profile
to get a full profile ("Fat Token"). You will also need to configure bound audience along the lines of "bound_audiences": ["api://default", "0a4........."]
if you are using the default authorization server.