OIDC Identity Provider
Note: This feature is currently a Tech Preview and not recommended for deployment in production.
Vault as an OIDC identity provider allows clients speaking the OIDC protocol to take advantage of Vault's various authentication methods and source of identity. Clients can configure their authentication logic to talk to Vault. Once enabled, Vault will act as the bridge to identity providers via its existing authentication methods. Clients will also obtain identity information for their end-users by leveraging custom templating of Vault identity information.
The Vault OIDC provider feature currently only supports the authorization code flow.
OIDC Provider Configuration
The Vault OIDC provider system is built on top of the identity secrets engine. This secrets engine is mounted by default and cannot be disabled or moved.
Most secrets engines must be configured in advance before they can perform their functions. These steps are usually completed by an operator or configuration management tool.
Create a key that will be used to sign/verify ID tokens:
Create an assignment. This specifies which Vault entities and groups are authorized to use a specific OIDC client for authentication flows:
Create the 'user' custom scope:
Create an OIDC client:
Create an OIDC provider:
Query the OIDC provider configuration:
API
The Vault OIDC provider feature has a full HTTP API. Please see the OIDC identity provider API for more details.