OIDC Identity Provider

Note: This feature is currently a Tech Preview and not recommended for deployment in production.

Vault as an OIDC identity provider allows clients speaking the OIDC protocol to take advantage of Vault's various authentication methods and source of identity. Clients can configure their authentication logic to talk to Vault. Once enabled, Vault will act as the bridge to identity providers via its existing authentication methods. Clients will also obtain identity information for their end-users by leveraging custom templating of Vault identity information.

The Vault OIDC provider feature currently only supports the authorization code flow.

OIDC Provider Configuration

The Vault OIDC provider system is built on top of the identity secrets engine. This secrets engine is mounted by default and cannot be disabled or moved.

Most secrets engines must be configured in advance before they can perform their functions. These steps are usually completed by an operator or configuration management tool.

Create a key that will be used to sign/verify ID tokens:

$ vault write identity/oidc/key/my-key \
  allowed_client_ids="xxAQWBYzD2WXsB8GiZqwq4jsUwfG0hJV" \
  verification_ttl="1h" \
  rotation_period="1h" \
  algorithm="RS256"
Success! Data written to: identity/oidc/key/my-key

Create an assignment. This specifies which Vault entities and groups are authorized to use a specific OIDC client for authentication flows:

$ vault write identity/oidc/assignment/my-assignment \
  group_ids="b6ea7804-acbd-e866-7c51-0896456bd4bb" \
  entity_ids="aa786a7a-da2f-dca7-3680-0710771cca51"
Success! Data written to: identity/oidc/assignment/my-assignment

Create the 'user' custom scope:

$ TOKEN_TEMPLATE=$(cat << EOF
{
    "username": {{identity.entity.aliases.$MOUNT_ACCESSOR.name}},
    "contact": {
        "email": {{identity.entity.metadata.email}},
        "phone_number": {{identity.entity.metadata.phone_number}}
    },
    "groups": {{identity.entity.groups.names}}
}
EOF
)
$ vault write identity/oidc/scope/user \
  description="Scope for user metadata" \
  template="$(echo $TOKEN_TEMPLATE | base64 -)"
Success! Data written to: identity/oidc/scope/user

Create an OIDC client:

$ vault write identity/oidc/client/my-webapp \
  redirect_uris="http://127.0.0.1:8251/callback,http://127.0.0.1:8500/ui/oidc/callback" \
  assignments="my-assignment" \
  key="my-key" \
  id_token_ttl="30m" \
  access_token_ttl="1h"
Success! Data written to: identity/oidc/client/my-webapp

Create an OIDC provider:

$ vault write identity/oidc/provider/my-provider \
  allowed_client_ids="xxAQWBYzD2WXsB8GiZqwq4jsUwfG0hJV" \
  scopes_supported="user"
Success! Data written to: identity/oidc/provider/my-provider

Query the OIDC provider configuration:

$ curl -s http://127.0.0.1:8200/v1/identity/oidc/provider/my-provider/.well-known/openid-configuration
{
  "issuer": "http://127.0.0.1:8200/v1/identity/oidc/provider/my-provider",
  "jwks_uri": "http://127.0.0.1:8200/v1/identity/oidc/provider/my-provider/.well-known/keys",
  "authorization_endpoint": "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/my-provider/authorize",
  "token_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/my-provider/token",
  "userinfo_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/my-provider/userinfo",
  "request_uri_parameter_supported": false,
  "id_token_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "EdDSA"
  ],
  "response_types_supported": [
    "code"
  ],
  "scopes_supported": [
    "user",
    "openid"
  ],
  "subject_types_supported": [
    "public"
  ],
  "grant_types_supported": [
    "authorization_code"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ]
}

API

The Vault OIDC provider feature has a full HTTP API. Please see the OIDC identity provider API for more details.