hashicorp / vault-plugin-auth-jwt

A Vault plugin to allow authentication via JWT (and OIDC) tokens
Mozilla Public License 2.0

OIDC should support Authorization, Token and Userinfo endpoints if well-known configuration endpoint is not present on provider #169

Open pbhalera opened 3 years ago

pbhalera commented 3 years ago

While configuring an OIDC provider I encountered that the provider doesn't expose the /.well-known/openid-configuration endpoint. But it has the Authorization endpoint, Token endpoint and Userinfo endpoint. The current implementation doesn't support this.

Can you please add support to override these endpoints in the Vault auth configuration?

ptrovatelli commented 7 months ago

I agree. It seems that many parameters are missing. According to the documentation, https://developer.hashicorp.com/vault/api-docs/auth/jwt#configure, we can configure a JWT auth backend with one (and only one) of

When not using oidc_discovery_url, we need a way to provide all the needful URLs. I don't see how it could work right now, although for now I'm stuck because of another issue when trying to configure OIDC with jwks_url instead of oidc_discovery_url (https://github.com/hashicorp/vault-plugin-auth-jwt/issues/272).

Here's what a manual OIDC configuration looks like when connecting from Kibana to Keycloak, for example (it's with read only rest):

            buttonName: "..."
            type: "oidc"
            issuer: "..."
            authorizationURL: "..."
            tokenURL: '...'
            userInfoURL: '...'
            jwksURL: '...'
            clientID: '...'
            clientSecret: "..."
            scope: '...'
            usernameParameter: '...'
            groupsParameter: "..."
            protocol: '...'
            kibanaExternalHost: "..."
            logoutUrl: "..."

We need at least:

| Field name suggestion | Field name in well-known url | Comment |
|---|---|---|
| issuer | issuer | Missing. Could be skipped if same as bound_issuer, but right now it doesn't seem to be the case: Vault seems to have a separate entity for the issuer field than what is configured as bound_issuer. See https://discuss.hashicorp.com/t/unable-to-create-provider-oidc-issuer-did-not-match-the-issuer-returned-by-provider-with-keycloak-idp/61851 |
| authorization_endpoint | authorization_endpoint | Missing |
| token_endpoint | token_endpoint | Missing |
| jwks_url | jwks_uri | OK |
| oidc_client_id | - | OK, but should be allowed when jwks_url is present. See https://github.com/hashicorp/vault-plugin-auth-jwt/issues/272 |
| oidc_client_secret | - | OK |
| end_session_endpoint | end_session_endpoint | Missing |
| userinfo_endpoint | userinfo_endpoint | Missing. Would be a must have (it's an optional endpoint in the OpenID Connect standard) |

OIDC workflow reminder (Vault is the relying party): openid connect
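To make the request concrete, here is an added example (not code from this plugin or from HashiCorp) of what a relying party has to do when it accepts manual endpoint fields in place of a discovery document: map the suggested field names from the table above onto the names used in /.well-known/openid-configuration, refuse a configuration that lacks the endpoints needed for the authorization code flow, require https, and compare the issuer against bound_issuer with the exact string comparison OIDC mandates (the trailing-slash/realm mismatch behind the Keycloak thread linked above). The manual field names are taken from the table and are a proposal, not options the plugin exposes; the provider URLs are constructed sample values.

```python
from urllib.parse import urlparse

# Manual field name (as suggested in the table above) -> field name in the
# /.well-known/openid-configuration document. These manual names are the
# issue's proposal, not options the plugin actually exposes.
MANUAL_TO_DISCOVERY = {
    "issuer": "issuer",
    "authorization_endpoint": "authorization_endpoint",
    "token_endpoint": "token_endpoint",
    "jwks_url": "jwks_uri",
    "userinfo_endpoint": "userinfo_endpoint",        # optional in OIDC Core
    "end_session_endpoint": "end_session_endpoint",  # optional (RP-initiated logout)
}
# Without these four a relying party cannot run the authorization code flow
# and verify the signature of the resulting ID token.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_url")


def _https_url(value):
    """True for an absolute https URL with a host and no embedded credentials."""
    if not isinstance(value, str):
        return False
    u = urlparse(value)
    return u.scheme == "https" and bool(u.netloc) and "@" not in u.netloc


def resolve_provider(manual, discovery=None, bound_issuer=None):
    """Build discovery-style provider metadata from manual fields.

    manual        dict keyed by the manual field names above
    discovery     optional parsed discovery document; a field present there is
                  authoritative, and a conflicting manual value is reported
                  rather than silently overridden
    bound_issuer  expected value of the token's 'iss' claim
    Returns (metadata, problems); use metadata only when problems is empty.
    """
    metadata, problems = {}, []
    for field, disc_field in MANUAL_TO_DISCOVERY.items():
        value = manual.get(field)
        if discovery is not None and disc_field in discovery:
            if value is not None and value != discovery[disc_field]:
                problems.append(f"{field}: manual value does not match discovery {disc_field}")
            value = discovery[disc_field]
        if value is None:
            if field in REQUIRED:
                problems.append(f"{field}: required endpoint missing")
            continue
        if not _https_url(value):
            problems.append(f"{field}: must be an absolute https URL without embedded credentials")
        elif field == "issuer" and (urlparse(value).query or urlparse(value).fragment):
            problems.append("issuer: must not contain a query or fragment")
        metadata[disc_field] = value
    # OIDC issuer comparison is an exact string match: a trailing slash or a
    # different realm path is a mismatch, which is the Keycloak symptom above.
    issuer = metadata.get("issuer")
    if bound_issuer is not None and issuer is not None and issuer != bound_issuer:
        problems.append("issuer: does not match bound_issuer (exact string comparison)")
    return metadata, problems


# Constructed sample values: Keycloak-style paths on a made-up host.
SAMPLE_MANUAL = {
    "issuer": "https://idp.example.test/realms/demo",
    "authorization_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/token",
    "jwks_url": "https://idp.example.test/realms/demo/protocol/openid-connect/certs",
    "userinfo_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/userinfo",
}

if __name__ == "__main__":
    meta, problems = resolve_provider(SAMPLE_MANUAL, bound_issuer=SAMPLE_MANUAL["issuer"])
    print("problems:", problems or "none")
    for key, url in meta.items():
        print(f"  {key}: {url}")
```

Feeding the function a discovery document alongside manual fields shows the other half of the problem: the document wins, and any manual value that disagrees with it surfaces as a reported conflict instead of an unexplained "issuer did not match" at login time.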