hashicorp / vault-guides

Example usage of HashiCorp Vault secrets management
Mozilla Public License 2.0

vault-guides/identity/oidc-auth: What's a JWT token and how to get it? #164

Open brnl opened 5 years ago

brnl commented 5 years ago

Hey guys,

Regarding: https://github.com/hashicorp/vault-guides/tree/master/identity/oidc-auth

The guide doesn't explain how and where I should get a JWT token from. Also, after trying to replicate the situation in this guide, I'm stuck on the error message "Authentication failed: role with oidc role_type is not allowed" when trying to log in.

What am I missing? This might also be assumed basic knowledge, but it would be helpful if the guide (and also Vault's own documentation) would point to that kind of basic knowledge.

Can't wait to hear from you! :-)

Edit: My goal is to translate this knowledge to GitLab OpenID authentication, but it's really a lot to get my head around.

rpattcorner commented 5 years ago

I'd find this useful too. It looks to me like the JWT token displayed in the Vault UI login screen after selecting the OIDC authentication method is pregenerated, and that Google (in this example) will handle authentication and redirect back to the Vault server. However, when selecting a role, such as the gmail role defined in the demo (or any other legal role), I too get the response (from my log and in the GUI):

"response":{"data":{"error":"role with oidc role_type is not allowed"},"headers":null},"error":""}

I've checked my setup against the documented demo carefully without result. I see in the code that the JWT backend owns that message and disallows OIDC logins, which only adds to my confusion.

This looks like @brnl and I are missing something really obvious in the documentation -- could I trouble someone on the team to clarify?

tranv94 commented 5 years ago

Hi @brnl @rpattcorner! I was struggling with this too, then I found this resource. The initial question has a config that worked for me. https://groups.google.com/forum/#!msg/vault-tool/99FTm5-pZ2I/AZjpSotiBAAJ

Hope it works for you. Take note: the initial question's config isn't entirely correct (so change accordingly); you may need to add bound_audiences.

raulkozy commented 4 years ago

Hi @brnl @rpattcorner ,

Is your problem resolved? If yes, then let me know how. I am facing a similar issue integrating Keycloak OIDC authentication for Vault, which unfortunately leads to the same error mentioned by you guys.

Please help me resolve this. Thanks in advance.

devopsdymyr commented 4 years ago


Can you add your steps for reference? Then it's easy to find your issue.

jakeburden commented 4 years ago

@brnl I was just documenting the steps to do OIDC auth with GitLab when I briefly got stuck with the same error message and found this issue.

I did manage to get around it by fixing these two things, so hopefully this helps:

  1. Make sure to set the UI callback URL to http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback (note the repeated /oidc/oidc, that's the part I missed.)
  2. Make sure the oidc_scopes you set includes "openid".

Entering the following worked for me:

    $ vault write auth/oidc/config \
        oidc_discovery_url="https://gitlab.com" \
        oidc_client_id="your_client_id" \
        oidc_client_secret="your_secret_id" \
        default_role="demo" \
        bound_issuer="localhost"

    $ vault write auth/oidc/role/demo \
        user_claim="sub" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback,http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback" \
        bound_audiences="your_client_id" \
        role_type="oidc" \
        oidc_scopes="openid" \
        policies=demo \
        ttl=1h

You can see more of the steps I documented in rough draft here, but we're working on polishing them and making it easier to follow: https://gitlab.com/gitlab-org/gitlab/issues/9983#note_232130586

brnl commented 4 years ago

@rahulkohli23 @devopsdymyr I must admit that I have let it lay on the 'to do' pile for a while. @jekrb Thank you very much. I will look back into this shortly and update the issue when your solution works!

stevegore commented 4 years ago

Just noting I didn't need to set bound_issuer. I have:

vault auth enable oidc

vault write auth/oidc/config \
    oidc_discovery_url="https://accounts.google.com" \
    oidc_client_id="xxx.apps.googleusercontent.com" \
    oidc_client_secret="xxx" \
    default_role="gmail"

vault write auth/oidc/role/gmail \
    user_claim="sub" \
    bound_audiences="xxx.apps.googleusercontent.com" \
    allowed_redirect_uris="https://xxx/ui/vault/auth/oidc/oidc/callback" \
    role_type="oidc" \
    oidc_scopes="openid" \
    policies=default \
    ttl=4h
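The GitLab role posted by jakeburden and the Google role posted by stevegore differ only in provider and redirect URIs; the things that actually unblocked logins in this thread (role_type=oidc, "openid" in oidc_scopes, the UI callback with its repeated /oidc/oidc segment, bound_audiences set to the client ID) can be captured in a small pre-flight check. The following is an added example written for this page, not code from vault-guides or from Vault itself. The function names lint_oidc_role and ui_callback, the constructed sample roles and the client ID values are all assumptions; the input is the same key/value pairs you would pass to vault write auth/oidc/role/<name>, plus the external address of your Vault. The UI callback path generalises beyond this thread: it is /ui/vault/auth/<mount>/oidc/callback, so the doubled /oidc/oidc only appears when the method is mounted at "oidc".

```python
"""Hypothetical pre-flight linter for a Vault OIDC auth role (not Vault code)."""
from urllib.parse import urlparse

# The CLI listener `vault login -method=oidc` opens on localhost:8250.
CLI_CALLBACK = "http://localhost:8250/oidc/callback"


def ui_callback(vault_addr: str, mount: str = "oidc") -> str:
    """UI redirect URI Vault expects: /ui/vault/auth/<mount>/oidc/callback.

    With the default mount "oidc" this yields the repeated ".../oidc/oidc/callback"
    that jakeburden's comment above points out.
    """
    return f"{vault_addr.rstrip('/')}/ui/vault/auth/{mount}/oidc/callback"


def _as_list(value) -> list:
    """`vault write` takes comma-separated lists; accept str or list."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(v).strip() for v in value if str(v).strip()]
    return [v.strip() for v in str(value).split(",") if v.strip()]


def lint_oidc_role(role: dict, client_id: str, vault_addr: str,
                   mount: str = "oidc") -> list:
    """Return human-readable problems; an empty list means the role looks sane."""
    problems = []

    # 1. The browser redirect flow needs role_type=oidc; a "jwt" role can only
    #    be used by posting a token to auth/<mount>/login.
    if role.get("role_type", "oidc") != "oidc":
        problems.append(f"role_type is {role['role_type']!r}; the browser login "
                        "flow needs role_type=oidc")

    # 2. Without the openid scope the provider does not return an ID token.
    if "openid" not in _as_list(role.get("oidc_scopes")):
        problems.append("oidc_scopes does not include 'openid'")

    # 3. Vault rejects any callback not listed in allowed_redirect_uris, and the
    #    same URIs must be registered at the provider.
    uris = _as_list(role.get("allowed_redirect_uris"))
    expected_ui = ui_callback(vault_addr, mount)
    if expected_ui not in uris:
        problems.append(f"allowed_redirect_uris lacks the UI callback {expected_ui}")
    if CLI_CALLBACK not in uris:
        problems.append(f"allowed_redirect_uris lacks the CLI callback {CLI_CALLBACK}"
                        " (needed for 'vault login -method=oidc')")
    for uri in uris:
        parsed = urlparse(uri)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append(f"redirect URI {uri!r} is not an absolute http(s) URL")
        elif uri.endswith(f"/ui/vault/auth/{mount}/callback"):
            problems.append(f"redirect URI {uri!r} is missing the '/oidc' segment "
                            "before '/callback'")

    # 4. The ID token's aud claim is the client ID, so bound_audiences must
    #    contain it for the token to verify.
    if client_id not in _as_list(role.get("bound_audiences")):
        problems.append("bound_audiences does not contain the OIDC client_id")

    # 5. user_claim names the claim that becomes the Vault entity alias.
    if not role.get("user_claim"):
        problems.append("user_claim is unset (use 'sub' unless you have a reason not to)")

    return problems


# Constructed sample: jakeburden's GitLab role from this thread, as a dict.
GITLAB_ROLE = {
    "user_claim": "sub",
    "allowed_redirect_uris": "http://localhost:8250/oidc/callback,"
                             "http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback",
    "bound_audiences": "your_client_id",
    "role_type": "oidc",
    "oidc_scopes": "openid",
    "policies": "demo",
    "ttl": "1h",
}

# Constructed sample reproducing the mistakes discussed above: no openid scope,
# callback without the repeated /oidc, no bound_audiences.
BROKEN_ROLE = {
    "user_claim": "sub",
    "allowed_redirect_uris": "http://127.0.0.1:8200/ui/vault/auth/oidc/callback",
    "oidc_scopes": "profile",
    "role_type": "oidc",
}

if __name__ == "__main__":
    for name, role in (("gitlab", GITLAB_ROLE), ("broken", BROKEN_ROLE)):
        found = lint_oidc_role(role, "your_client_id", "http://127.0.0.1:8200")
        print(name, "->", found or "OK")
```

Run it before `vault write auth/oidc/role/...`; anything it reports is a configuration that will fail at the redirect or at ID-token verification rather than a problem with the provider.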