# Vault `oidc-provider` HTTP API

## Create or Update a Provider

This endpoint creates or updates a Provider.

| Method | Path |
|---|---|
| `POST` | `/identity/oidc/provider/:name` |

### Parameters

- `name` `(string: <required>)` – The name of the provider. This parameter is specified as part of the URL.
- `issuer` `(string: <optional>)` – Specifies what will be used as the `scheme://host:port` component for the `iss` claim of ID tokens. This defaults to a URL with Vault's `api_addr` as the `scheme://host:port` component and `/v1/:namespace/identity/oidc/provider/:name` as the path component. If provided explicitly, it must point to a Vault instance that is network reachable by clients for ID token validation.
- `allowed_client_ids` `([]string: <optional>)` – The client IDs that are permitted to use the provider. If empty, no clients are allowed. If `"*"`, all clients are allowed.
- `scopes_supported` `([]string: <optional>)` – The scopes available for requesting on the provider.

### Sample Payload

```json
{
  "allowed_client_ids": ["*"],
  "scopes_supported": ["test-scope"]
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
```
## Read Provider by Name

This endpoint queries the OIDC provider by its name.

| Method | Path |
|---|---|
| `GET` | `/identity/oidc/provider/:name` |

### Parameters

- `name` `(string: <required>)` – The name of the provider.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
```

### Sample Response

```json
{
  "data": {
    "allowed_client_ids": ["*"],
    "issuer": "",
    "scopes_supported": ["test-scope"]
  }
}
```
## List Providers

This endpoint returns a list of all OIDC providers.

| Method | Path |
|---|---|
| `LIST` | `/identity/oidc/provider` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/identity/oidc/provider
```

### Sample Response

```json
{
  "data": {
    "keys": [
      "test-provider"
    ]
  }
}
```
## Delete Provider by Name

This endpoint deletes an OIDC provider.

| Method | Path |
|---|---|
| `DELETE` | `/identity/oidc/provider/:name` |

### Parameters

- `name` `(string: <required>)` – The name of the provider.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
```
## Create or Update a Scope

This endpoint creates or updates a scope.

| Method | Path |
|---|---|
| `POST` | `/identity/oidc/scope/:name` |

### Parameters

- `name` `(string: <required>)` – The name of the scope. This parameter is specified as part of the URL. The `openid` scope name is reserved.
- `template` `(string: <optional>)` – The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON.
- `description` `(string: <optional>)` – A description of the scope.

### Sample Payload

```json
{
  "template": "{ \"groups\": {{identity.entity.groups.names}} }",
  "description": "A simple scope example."
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
```
## Read Scope by Name

This endpoint queries a scope by its name.

| Method | Path |
|---|---|
| `GET` | `/identity/oidc/scope/:name` |

### Parameters

- `name` `(string: <required>)` – The name of the scope.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
```

### Sample Response

```json
{
  "data": {
    "description": "A simple scope example.",
    "template": "{ \"groups\": {{identity.entity.groups.names}} }"
  }
}
```
## List Scopes

This endpoint returns a list of all configured scopes.

| Method | Path |
|---|---|
| `LIST` | `/identity/oidc/scope` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/identity/oidc/scope
```

### Sample Response

```json
{
  "data": {
    "keys": [
      "test-scope"
    ]
  }
}
```
## Delete Scope by Name

This endpoint deletes a scope.

| Method | Path |
|---|---|
| `DELETE` | `/identity/oidc/scope/:name` |

### Parameters

- `name` `(string: <required>)` – The name of the scope.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
```
## Create or Update a Client

This endpoint creates or updates a client.

| Method | Path |
|---|---|
| `POST` | `/identity/oidc/client/:name` |

### Parameters

- `name` `(string: <required>)` – The name of the client. This parameter is specified as part of the URL.
- `key` `(string: <required>)` – A reference to a named key resource. This cannot be modified after creation.
- `redirect_uris` `([]string: <optional>)` – Redirection URI values used by the client. One of these values must exactly match the `redirect_uri` parameter value used in each authentication request.
- `assignments` `([]string: <optional>)` – A list of assignment resources associated with the client.
- `id_token_ttl` `(int or duration: <optional>)` – The time-to-live for ID tokens obtained by the client. This can be specified as a number of seconds or as a Go duration format string like `"30m"` or `"6h"`. The value should be less than the `verification_ttl` on the key.
- `access_token_ttl` `(int or duration: <optional>)` – The time-to-live for access tokens obtained by the client. This can be specified as a number of seconds or as a Go duration format string like `"30m"` or `"6h"`.

### Sample Payload

```json
{
  "key": "test-key",
  "access_token_ttl": "30m",
  "id_token_ttl": "1h"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/oidc/client/test-client
```
## Read Client by Name

This endpoint queries a client by its name.

| Method | Path |
|---|---|
| `GET` | `/identity/oidc/client/:name` |

### Parameters

- `name` `(string: <required>)` – The name of the client.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/identity/oidc/client/test-client
```

### Sample Response

```json
{
  "data": {
    "access_token_ttl": 1800,
    "assignments": [],
    "client_id": "014zXvcvbvIZWwD5NfD1Uzmv7c5JBRMb",
    "client_secret": "hvo_secret_bZtgQPBZaJXK7F5vOI7JlvEuLOfOUS7DmwynFjE3xKcsen7TyowqPFfYFXG2tbWM",
    "id_token_ttl": 3600,
    "key": "test-key",
    "redirect_uris": []
  }
}
```
## List Clients

This endpoint returns a list of all configured clients.

| Method | Path |
|---|---|
| `LIST` | `/identity/oidc/client` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/identity/oidc/client
```

### Sample Response

```json
{
  "data": {
    "keys": [
      "test-client"
    ]
  }
}
```
## Delete Client by Name

This endpoint deletes a client.

| Method | Path |
|---|---|
| `DELETE` | `/identity/oidc/client/:name` |

### Parameters

- `name` `(string: <required>)` – The name of the client.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/identity/oidc/client/test-client
```
## Create or Update an Assignment

This endpoint creates or updates an assignment.

| Method | Path |
|---|---|
| `POST` | `/identity/oidc/assignment/:name` |

### Parameters

- `name` `(string: <required>)` – The name of the assignment. This parameter is specified as part of the URL.
- `entity_ids` `([]string: <optional>)` – A list of Vault entity IDs.
- `group_ids` `([]string: <optional>)` – A list of Vault group IDs.

### Sample Payload

```json
{
  "group_ids": ["my-group"],
  "entity_ids": ["my-entity"]
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
```
## Read Assignment by Name

This endpoint queries an assignment by its name.

| Method | Path |
|---|---|
| `GET` | `/identity/oidc/assignment/:name` |

### Parameters

- `name` `(string: <required>)` – The name of the assignment.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
```

### Sample Response

```json
{
  "data": {
    "entity_ids": [
      "my-entity"
    ],
    "group_ids": [
      "my-group"
    ]
  }
}
```
## List Assignments

This endpoint returns a list of all configured assignments.

| Method | Path |
|---|---|
| `LIST` | `/identity/oidc/assignment` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/identity/oidc/assignment
```

### Sample Response

```json
{
  "data": {
    "keys": [
      "test-assignment"
    ]
  }
}
```
## Delete Assignment by Name

This endpoint deletes an assignment.

| Method | Path |
|---|---|
| `DELETE` | `/identity/oidc/assignment/:name` |

### Parameters

- `name` `(string: <required>)` – The name of the assignment.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
```
## Read Provider OpenID Configuration

Returns OpenID Connect Metadata for a named OIDC provider. The response is a compliant OpenID Provider Configuration Response.

| Method | Path |
|---|---|
| `GET` | `/identity/oidc/provider/:name/.well-known/openid-configuration` |

### Parameters

- `name` `(string: <required>)` – The name of the provider. This parameter is specified as part of the URL.

### Sample Request

```shell-session
$ curl \
    --request GET \
    http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/.well-known/openid-configuration
```

### Sample Response

```json
{
  "issuer": "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider",
  "jwks_uri": "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/.well-known/keys",
  "authorization_endpoint": "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/test-provider/authorize",
  "token_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/token",
  "userinfo_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/userinfo",
  "request_uri_parameter_supported": false,
  "id_token_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "EdDSA"
  ],
  "response_types_supported": [
    "code"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "public"
  ],
  "grant_types_supported": [
    "authorization_code"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ]
}
```
## Read Provider Public Keys

Query this path to retrieve the public portion of keys for an OIDC provider. Clients can use them to validate the authenticity of an identity token.

| Method | Path |
|---|---|
| `GET` | `/identity/oidc/provider/:name/.well-known/keys` |

### Parameters

- `name` `(string: <required>)` – The name of the provider. This parameter is specified as part of the URL.

### Sample Request

```shell-session
$ curl \
    --request GET \
    http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/.well-known/keys
```

### Sample Response

```json
{
  "keys": [
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "ee7c0920-fdb9-5c1a-9c69-6dab710d1a09",
      "alg": "RS256",
      "n": "zdFjUV9lBw5nQPvTtwH-gzKgRG7iepvYbFoc2hNB0-inJL25oh-mvNW3GS8jPY5XHLsiWa_1TKKE99JrKQgane2C96soFeOvR7SozbCeH8_FpZelH1Pym1NV038j05Vp87uB9FeKPsy1PNOLPTs_Fp42JIAenly7ojYwPp1s61p9V0U9rOhtldY7GkXHLN9s8v3aJjxqrTS3Puhs9MFS7EgRrEDAc69uiLXCoYXKygjXddvJi6j446XxnO2eTRMGl1f2t04s_vDgVnFQgjQSKYWPbOMhf2slkeR47fqE3qqUDzINxauqMbkW-PlLP9IN0crR2uC07cG2os4RxN4YHw",
      "e": "AQAB"
    },
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "6e468221-b7c2-9d2d-744d-33b7ae0357cb",
      "alg": "RS256",
      "n": "rMaucILJKiFg_lkCE8ZEV_8jiYdaVDjKkc-8XPBW8S34wIRl1EbsgCYfMHtJnIJ_3eUgOVorW5KVeN9C8W16LR3lhqRWS9y4qlt0AcWpOvsmxr5q5dS_QqgCjeftCKwJzUsMi5bMW8wKjRZdd-qLz6X1rVSZWX82G0So8nRBg9d3MNJbKcdIJrRbrxWkm8U9xMqRouzbyQ2Hsp2rRVgGh7yjEA6daI5Ao8UsPdBmlCM9oKZ1_Kje5JTfZKeHlT-58vn_ylCjMVlapLuUsDN6He2kPVyOzGbie297VOfjmB7QX0ah1f7Ni1UJFJYHrVK9wMfCLTltSFZBcQ9--FlVdQ",
      "e": "AQAB"
    }
  ]
}
```
## Authorization Endpoint

Provides the Authorization Endpoint for an OIDC provider. This allows OIDC clients to request an authorization code to be used for the Authorization Code Flow.

| Method | Path |
|---|---|
| `GET/POST` | `/identity/oidc/provider/:name/authorize` |

### Parameters

- `name` `(string: <required>)` – The name of the provider. This parameter is specified as part of the URL.
- `scope` `(string: <required>)` – A space-delimited list of scopes to be requested. The `openid` scope is required.
- `response_type` `(string: <required>)` – The OIDC authentication flow to be used. The following response types are supported: `code`.
- `client_id` `(string: <required>)` – The ID of the requesting client.
- `redirect_uri` `(string: <required>)` – The redirection URI to which the response will be sent.
- `state` `(string: <required>)` – A value used to maintain state between the authentication request and client.
- `nonce` `(string: <required>)` – A value that is returned in the ID token nonce claim. It is used to mitigate replay attacks.

### Sample Request

```shell-session
$ curl \
    --request GET \
    --header "X-Vault-Token: ..." \
    -G \
    -d "response_type=code" \
    -d "client_id=$CLIENT_ID" \
    -d "state=af0ifjsldkj" \
    -d "nonce=abcdefghijk" \
    --data-urlencode "scope=openid" \
    --data-urlencode "redirect_uri=http://127.0.0.1:8251/callback" \
    http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/authorize
```

### Sample Response

```json
{
  "code": "BDSc9kVYljxND93YpveBuJtSvguM3AWe",
  "state": "af0ifjsldkj"
}
```
## Token Endpoint

Provides the Token Endpoint for an OIDC provider.

| Method | Path |
|---|---|
| `POST` | `/identity/oidc/provider/:name/token` |

### Parameters

- `name` `(string: <required>)` – The name of the provider. This parameter is specified as part of the URL.
- `code` `(string: <required>)` – The authorization code received from the provider's authorization endpoint.
- `grant_type` `(string: <required>)` – The authorization grant type. The following grant types are supported: `authorization_code`.
- `redirect_uri` `(string: <required>)` – The callback location where the authorization request was sent. This must match the `redirect_uri` used when the original authorization code was generated.

### Headers

- Basic Auth `(string: <required>)` – Authenticate the client using the `client_id` and `client_secret` as described in the `client_secret_basic` authentication method. The authentication method uses the HTTP Basic authentication scheme.

### Sample Request

```shell-session
# tr removes the line breaks that GNU base64 inserts every 76 characters; a wrapped
# value would otherwise be truncated when placed in the Authorization header.
$ BASIC_AUTH_CREDS=$(printf "%s:%s" "$CLIENT_ID" "$CLIENT_SECRET" | base64 | tr -d '\n')
$ curl \
    --request POST \
    --header "Authorization: Basic $BASIC_AUTH_CREDS" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d "code=4RL50r78p8HsNJY0GVUNGfjLHnpkRf3N" \
    -d "grant_type=authorization_code" \
    -d "redirect_uri=http://127.0.0.1:8251/callback" \
    http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/token
```

### Sample Response

```json
{
  "access_token": "b.AAAAAQJEH5VXjfjUESCwySTKk2MS1MGVNc9oU-N2EyoLKVo9SYa-NnOWAXloYfrlO45UWC3R1PC5ZShl3JdmRJ0264julNnlBduSNXJkYjgCQsFQwXTKHcjhqdNsmJNMWiPaHPn5NLSpNQVtzAxfHADt4r9rmX-UEG5seOWbmK_Z5WwS_4a8-wcVPB7FpOGzfBydP7yMxHu-3H1TWyQvYVr28XUfYxcBbdlzxhJn0yqkWItgmZ25xEOp7SW7Pg4tYB7AXfk",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImEzMjk5ZWVmLTllNDEtOGNiYS1kNWExLTZmZWM2NjIyODRjYyJ9.eyJhdF9oYXNoIjoiMUdlQlEzUFdtUjJ2ajZVU2swSW42USIsImF1ZCI6InpTSktMVmk0R1BYS1o3TTZzUUEwY3FNc05VaHNPYkVTIiwiY19oYXNoIjoiN09SOUszNmhNdllENzJkUkFLUHhNdyIsImNvbnRhY3QiOnsiZW1haWwiOiJ2YXVsdEBoYXNoaWNvcnAuY29tIiwicGhvbmVfbnVtYmVyIjoiMTIzLTQ1Ni03ODkwIn0sImV4cCI6MTYzMzEwNjI5NCwiZ3JvdXBzIjpbImVuZ2luZWVyaW5nIl0sImlhdCI6MTYzMzEwNDQ5NCwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL2lkZW50aXR5L29pZGMvcHJvdmlkZXIvbXktcHJvdmlkZXIiLCJuYW1lc3BhY2UiOiJyb290Iiwibm9uY2UiOiJhYmNkZWZnaGlqayIsInN1YiI6IjUwMDA3OTZlLTM2ZGYtMGQ4Yy02NDYwLTgxODUzZDliMjY2NyIsInVzZXJuYW1lIjoiZW5kLXVzZXIifQ.ehdLj6jnrJvltar1kkVSyNK48w2M5vkh5DTFJFZDqatnDWhQbbKGLZnVgd3wD6KPboXRaUwhGe4jDiTIiSoJaovOhsia77NKukym_ROLvGZw-LG7xaYkzJLnmEfeQhelLxWe0DHPROB7VXcFqBx8vX5hkuoVyqrB87vwiobK42pDPZ9MRsmbM2yzBC3wrnT7RQFtT4q2Bbyt9YIAHUaq9rU0PwJRoNISw6of1uQHo3_UzLdpwth7PEOEcI47OBGFA5vR_Gw3ocREfSrUWfCWOInAKCT43cImvg4Bts6qiZYfv9n-iNBq4AihGqq_VEF-hB1Hrprn7VgnEZ1VjUHaQQ",
  "token_type": "Bearer"
}
```
## UserInfo Endpoint

Provides the UserInfo Endpoint for an OIDC provider. The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User.

| Method | Path |
|---|---|
| `POST` | `/identity/oidc/provider/:name/userinfo` |

### Parameters

- `name` `(string: <required>)` – The name of the provider. This parameter is specified as part of the URL.

### Headers

- Access Token `(string: <required>)` – The access token provided by the `Authorization: Bearer <access_token>` HTTP header acquired from the authorization endpoint.

### Sample Request

```shell-session
$ curl \
    -X GET \
    --header "Authorization: Bearer $ACCESS_TOKEN" \
    http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/userinfo
```

### Sample Response

```json
{
  "contact": {
    "email": "vault@hashicorp.com",
    "phone_number": "123-456-7890"
  },
  "groups": [
    "engineering"
  ],
  "sub": "5000796e-36df-0d8c-6460-81853d9b2667",
  "username": "end-user"
}
```